InfoWorld


7 application security startups at RSAC 2024

Tue, 05/14/2024 - 5:00am

The innovation hub of RSAC 2024, the RSAC Early Stage Expo was specifically designed to showcase emerging players in the information security industry. Among the 50 exhibitors crammed into the second-floor booth space, seven VC-backed up-and-comers in application security and devsecops caught our eye.

AppSentinels

AppSentinels touts itself as a comprehensive API security platform, covering the entire application life cycle. The product conducts thorough analyses of the application’s activities and examines its workflows in detail. Once the AppSentinels product understands the workflows, it can test them against a variety of potential flaws, and also use this information to protect against complex business logic attacks in production environments.


Categories: InfoWorld

GitHub takes aim at software supply chain security

Thu, 05/09/2024 - 1:30pm

GitHub has introduced Artifact Attestations, a software signing and verification feature based on Sigstore that protects the integrity of software builds in GitHub Actions workflows. Artifact Attestations is now available in a public beta.

Announced May 2, Artifact Attestations allows project maintainers to create a “tamper-proof, unforgeable paper trail” that links software artifacts to the process that created them. “Downstream consumers of this metadata can use it as a foundation for new security and validity checks through policy evaluations via tools like Rego and Cue,” GitHub wrote in the announcement.


Does cloud security have a bad reputation?

Tue, 05/07/2024 - 5:00am

The recent discourse around the security of cloud computing in the banking sector, highlighted by Nicholas Fearn’s piece in the Financial Times, paints a somewhat grim picture of the cybersecurity landscape when it comes to banks moving to cloud computing. Not to pick on just this article, but I’ve seen this as a trend in the past few years, as the value of cloud computing has been called into question more and more. This is a change from just a few years ago when it was verboten to criticize “the cloud.” 

What happened between then and now? Enterprises saw the weaknesses of cloud computing platforms, such as costing too much and being difficult to leave. This made it okay to point out the issues with public cloud providers, and I’ve certainly done my share, even when it was not trendy to do so.


Understanding Microsoft’s Trusted Signing service

Thu, 05/02/2024 - 5:00am

How do we ensure that the code we’re installing is, at the very least, the code that a vendor shipped? The generally accepted solution is code signing, adding a digital signature to binaries that can be used to ensure authorship. At the same time, the signature includes a hash that can be used to show that the code you’ve received hasn’t been altered after it’s been signed.

Code signing is increasingly important as part of ensuring software bills of materials and reducing the risks associated with malware hijacking legitimate binaries. Signing is necessary if you’re planning on using services like the Microsoft Store or the Windows Package Manager to distribute your applications, allowing the repository to verify software sources.
