security
By Victor R. Garza The innovation hub of RSAC 2024, the RSAC Early Stage Expo was specifically designed to showcase emerging players in the information security industry. Among the 50 exhibitors crammed into the second-floor booth space, seven VC-backed up-and-comers in application security and DevSecOps caught our eye. AppSentinels: AppSentinels touts itself as a comprehensive API security platform covering the entire application life cycle. The product conducts thorough analyses of the application's activities and examines its workflows in detail. Once the AppSentinels product understands the...
Info World
By Simon Bisson How do we ensure that the code we're installing is, at the very least, the code that a vendor shipped? The generally accepted solution is code signing: adding a digital signature to binaries that can be used to establish authorship. At the same time, the signature covers a hash of the binary that can be used to show that the code you've received hasn't been altered after it was signed. Code signing is increasingly important as part of producing trustworthy software bills of materials and reducing the risk of malware hijacking legitimate binaries. Signing is necessary if you're planning on...
Info World
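The two checks the teaser above describes (a hash that proves the bytes were not altered, and a signature that proves who produced them) are easy to conflate, so here is an added example, not code from the article or from any vendor's signing tool, of both checks in Go using the standard library's ed25519 and SHA-256. The SignedArtifact layout, the Sign and Verify functions, and the "constructed binary" input are assumptions made for this example; real code-signing formats (Authenticode, Sigstore bundles, GPG-signed packages) carry the same two pieces of information in their own encodings.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignedArtifact is an assumed, minimal stand-in for what a vendor ships next
// to a binary: the digest they signed and the signature over that digest.
type SignedArtifact struct {
	Digest    [sha256.Size]byte // SHA-256 of the binary as the vendor saw it
	Signature []byte            // ed25519 signature over Digest
}

// Sign hashes the artifact and signs the digest with the vendor's private key.
// Signing the digest rather than the whole binary is what lets the verifier
// check integrity (hash) and authorship (signature) as two separate steps.
func Sign(priv ed25519.PrivateKey, artifact []byte) SignedArtifact {
	d := sha256.Sum256(artifact)
	return SignedArtifact{Digest: d, Signature: ed25519.Sign(priv, d[:])}
}

// Verify performs both checks from the article. pub must be the vendor key
// the installer already trusts (pinned or obtained from a trusted root); a
// key that arrives alongside the artifact proves nothing.
func Verify(pub ed25519.PublicKey, artifact []byte, s SignedArtifact) error {
	// Integrity: the bytes we received must hash to the digest that was signed.
	// If an attacker edits the binary, this fails; if they also edit Digest to
	// match, the signature check below fails instead.
	d := sha256.Sum256(artifact)
	if d != s.Digest {
		return errors.New("digest mismatch: artifact altered after signing")
	}
	// Authorship: the digest must have been signed by the trusted vendor key.
	if !ed25519.Verify(pub, d[:], s.Signature) {
		return errors.New("bad signature: not signed by the trusted vendor key")
	}
	return nil
}

// RunChecks exercises the three outcomes a verifier must distinguish:
// a genuine artifact, a tampered artifact, and a signature from the wrong key.
// It returns (genuineAccepted, tamperedRejected, wrongKeyRejected).
func RunChecks() (bool, bool, bool, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	binary := []byte("constructed binary contents for this example")
	bundle := Sign(vendorPriv, binary)

	genuine := Verify(vendorPub, binary, bundle) == nil

	// Flip one byte of the binary, as a post-signing modification would.
	tampered := append([]byte(nil), binary...)
	tampered[0] ^= 0x01
	tamperedRejected := Verify(vendorPub, tampered, bundle) != nil

	// Same bytes, but the verifier trusts a different key: authorship fails.
	otherPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	wrongKeyRejected := Verify(otherPub, binary, bundle) != nil

	return genuine, tamperedRejected, wrongKeyRejected, nil
}

func main() {
	g, t, w, err := RunChecks()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine accepted=%v tampered rejected=%v wrong key rejected=%v\n", g, t, w)
}
```

The order of the two checks in Verify is deliberate: comparing digests first gives a precise error for the common case (a download corrupted or modified in transit) while still rejecting an attacker who rewrites both the binary and the bundled digest, because the signature was produced over the original digest and cannot be recomputed without the vendor's private key.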
By Paul Krill The Rust language team has published a point release of Rust to fix a critical vulnerability in the standard library that affects programs running on Windows. Rust 1.77.2, published on April 9, includes a fix for CVE-2024-24576. Before this release, Rust's standard library did not properly escape arguments when invoking batch files with the bat and cmd extensions on Windows using the Command API. An attacker who controlled arguments passed to a spawned process could execute arbitrary shell commands by bypassing the escaping. This vulnerability becomes critical if batch fil...
Info World
By Serdar Yegulalp Over the past decade, Rust has emerged as a language of choice for people who want to write fast, machine-native software that also has strong guarantees for memory safety. Other languages, like C, may run fast and close to the metal, but they lack the language features to ensure program memory is allocated and disposed of properly. As noted recently by the White House Office of the National Cyber Director, these shortcomings enable software insecurities and exploits with costly real-world consequences. Languages like Rust, which put memory safety first, are getting more att...
Info World
By Paul Krill Java Development Kit (JDK) 22, released by Oracle March 19 as the latest version of standard Java, offers a number of security enhancements, covering areas ranging from an asymmetric key interface to a new security option for -XshowSettings that allows developers to easily display security-related settings. In a March 20 blog post on Oracle's inside.java web page, Sean Mullan, technical lead of the Java Security libraries team and lead of the OpenJDK Security Group, detailed the security enhancements in JDK 22. The java -XshowSettings option, which can be used to print system set...
Info World
By Dan Lorenc Frank Crane wasn’t talking about open source when he famously said, “You may be deceived if you trust too much, but you will live in torment if you don’t trust enough.” But that’s a great way to summarize today’s gap between how open source is actually being consumed, versus the zero trust patterns that enterprises are trying to codify into their DevSecOps practices. Every study I see suggests that between 90% and 98% of the world’s software is open source. We’re all taking code written by other people—standing on the shoulders of giants—and building and modifying all that code, ...
Info World
By Paul Krill JetBrains has released fixes for two critical security vulnerabilities in its TeamCity On-Premises CI/CD system discovered by cybersecurity company Rapid7. The two vulnerabilities reported in late February by Rapid7 would enable an unauthenticated attacker with HTTP(S) access to a TeamCity On-Premises server to bypass authentication checks and gain administrative control. These vulnerabilities affected all TeamCity On-Premises versions through 2023.11.3, but have been fixed in TeamCity On-Premises 2023.11.4. For users unable to update their server to version 2023.11.4, JetBrains al...
Info World
By Paul Krill President Joseph Biden has issued an executive order intended to protect Americans' sensitive personal data from exploitation by countries of concern including China, Russia, Iran, and North Korea. Issued February 28, the order authorizes the attorney general to prevent the large-scale transfer of Americans' personal data to countries of concern and offers safeguards around other activities that can give these countries access to this sensitive data. "Countries of concern can rely on advanced technologies, including artificial intelligence, to analyze and manipulate bulk sensiti...
Info World