InfoWorld

GitHub adds code scanning for security bugs

InfoWorld - Wed, 09/30/2020 - 5:38pm

GitHub has made its code scanning service generally available. Based on the CodeQL semantic code analysis technology acquired from Semmle, GitHub code scanning now can be enabled in users’ public repositories to discover security vulnerabilities in their code bases. The service also supports analysis using third-party tools. 

GitHub code scanning is intended to run only actionable security rules by default, to help developers remain focused on the task at hand and not become overwhelmed with linting suggestions. The service integrates with the GitHub Actions CI/CD platform or a user’s other CI/CD environment. Code is scanned as it is created, while actionable security reviews are surfaced within pull requests and other GitHub experiences. This process is intended to ensure that vulnerabilities never make it into production.

GitHub adds CodeQL scanning for security bugs

InfoWorld - Wed, 09/30/2020 - 5:38pm

GitHub has made its CodeQL code scanning service generally available. Based on semantic code analysis technology acquired from Semmle, CodeQL now can be enabled in users’ public repositories to discover security vulnerabilities in their code bases.

CodeQL is intended to run only actionable security rules by default, to help developers remain focused on the task at hand and not become overwhelmed with linting suggestions. CodeQL integrates with the GitHub Actions CI/CD platform or a user’s other CI/CD environment. Code is scanned as it is created, while actionable security reviews are surfaced within pull requests and other GitHub experiences. This process is intended to ensure that vulnerabilities never make it into production.

2 egregious cloud security threats the CSA missed

InfoWorld - Tue, 09/29/2020 - 6:00am

My interesting weekend reading was this Cloud Security Alliance (CSA) report, which was vendor sponsored, highlighting 11 cloud security threats that should be on top of everyone’s mind. These threats are described as “egregious.”

CSA surveyed 241 experts on security issues in the cloud industry and came up with these top 11 threats:

  1. Data breaches
  2. Misconfiguration and inadequate change control
  3. Lack of cloud security architecture and strategy
  4. Insufficient identity, credential, access, and key management
  5. Account hijacking
  6. Insider threat
  7. Insecure interfaces and APIs
  8. Weak control plane
  9. Metastructure and applistructure failures
  10. Limited cloud usage visibility
  11. Abuse and nefarious use of cloud services

This is a pretty good report, by the way. It’s free to download, and if you’re interested in the evolution of cloud computing security, it’s a good read.  

Microsoft open-sources fuzzing test framework

InfoWorld - Thu, 09/17/2020 - 6:35pm

Microsoft is looking to help developers continuously fuzz-test code prior to release, via the open source OneFuzz framework.

Described as a self-hosted fuzzing-as-a-service platform, OneFuzz enables developer-driven fuzzing to identify software vulnerabilities during the development process. Source code for OneFuzz is due to arrive on GitHub on September 18.
Fuzz testing is about increasing the security and reliability of native code by finding costly, exploitable security flaws. Fuzz testing involves throwing random inputs at software to find instances in which unforeseen actions could cause software to fail.

Using OPA to safeguard Kubernetes

InfoWorld - Wed, 09/09/2020 - 6:00am

As more and more organizations move containerized applications into production, Kubernetes has become the de facto approach for managing those applications in private, public and hybrid cloud settings. In fact, at least 84% of organizations already use containers in production, and 78% leverage Kubernetes to deploy them, according to the Cloud Native Computing Foundation.