Archive for the ‘security’ Category

TL;DR Agentic systems are the latest thing being used to solve IT integration issues, becoming the glue squirted into the gaps between systems. But the use of natural language means that the distinction between ‘data’ and ‘code’ is almost impossible to make, which causes a whole raft of security concerns. This new glue may be […]


TL;DR Start writing down why decisions are made. Future you may thank you. Future other person who’s wondering what you were thinking may also thank you. Then keep a dependency graph of the things impacted by the decision. It will help unravel what gets woven around it. Background I was at an excellent AFCEA event […]


Security researchers at the CISPA Helmholtz Center for Information Security have discovered a vulnerability they’ve called ‘GhostWrite’ that’s caused by a hardware bug in T-Head’s XuanTie C910 and C920 RISC-V CPUs. Some of the vector extension’s memory instructions bypass the translation of virtual memory addresses to physical addresses, writing straight to physical memory, meaning that an attacker can gain access to the […]


What? Let’s get the terminology cleared up. This post is about: None of these things stands alone, they’re all interlinked; and they certainly complement each other – a tripod is more stable than a pole. SBOM My earliest memories of the topic of supply chain security come from conversations with Josh Corman a little while […]


I saw the sad news yesterday, via Alec Muffett, that Ross Anderson had passed, which is an enormous loss to the IT security community (and the industry more widely). I didn’t know Ross very well, so the obituary from his friend and colleague Prof Bill Buchanan OBE provides a much better summary of his work […]


TL;DR OSSF Scorecards provide a visible badge that lets people see that an open source repo is adhering to a set of practices that minimise risks, measured by a set of automated checks. Getting this right for a single repo can be an involved process, but with that experience in hand applying the learning to […]


TL;DR Bad input validation is the main underlying cause of many application security issues, because we haven’t made it easy enough for developers to implement good input validation. So how about a TypeScript[1]-like language to resolve that – ValidScript – a language that makes it easy to do input validation? Background Wendy Nather recently […]
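The gap ValidScript is aimed at can be seen in plain TypeScript today: its types are erased at compile time, so a value that arrived via `JSON.parse` and was cast to an interface has never actually been checked. The example below is added here to illustrate that point; it is not code from the original post, and ValidScript itself is the post’s hypothetical language, not something this code implements. The field names, limits and the three sample inputs are constructed for the example.

```typescript
// Added example (not from the original post). TypeScript types do not exist at
// runtime, so the "trusting" parser below accepts any shape; the "validated"
// parser is the boundary check a developer currently has to write by hand.

type NewUser = { username: string; age: number; email: string };

// Static view only: the compiler is satisfied, nothing is checked at runtime.
function trustingParse(json: string): NewUser {
  return JSON.parse(json) as NewUser; // any JSON value passes as a NewUser
}

// Runtime validation ("parse, don't validate"): a NewUser is only returned
// once every field has been checked; anything else throws with a reason.
function validatedParse(json: string): NewUser {
  let raw: unknown;
  try {
    raw = JSON.parse(json);
  } catch {
    throw new Error("input is not JSON");
  }
  if (typeof raw !== "object" || raw === null || Array.isArray(raw)) {
    throw new Error("expected a JSON object");
  }
  const obj = raw as Record<string, unknown>;

  // Allow-list the keys so unexpected fields (e.g. a privilege flag) cannot
  // ride along into whatever consumes the parsed object.
  const allowed = new Set(["username", "age", "email"]);
  for (const key of Object.keys(obj)) {
    if (!allowed.has(key)) throw new Error(`unexpected field: ${key}`);
  }

  const { username, age, email } = obj;
  // Assumed policy for the example: short, alphanumeric-plus-underscore names.
  if (typeof username !== "string" || !/^[A-Za-z0-9_]{3,32}$/.test(username)) {
    throw new Error("username must be 3-32 characters of [A-Za-z0-9_]");
  }
  // Reject the string "34" as well as floats, negatives and absurd values.
  if (typeof age !== "number" || !Number.isInteger(age) || age < 0 || age > 150) {
    throw new Error("age must be an integer in 0..150");
  }
  // Deliberately simple shape check (assumption: one '@', a dot, no whitespace);
  // real deployments would confirm the address rather than trust its syntax.
  if (
    typeof email !== "string" ||
    email.length > 254 ||
    !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)
  ) {
    throw new Error("email has an invalid shape");
  }
  return { username, age, email };
}

// Convenience wrapper reporting accept/reject without throwing.
function isValidNewUser(json: string): boolean {
  try {
    validatedParse(json);
    return true;
  } catch {
    return false;
  }
}

// Constructed sample inputs for the example, not captured traffic.
const GOOD_INPUT = '{"username":"alice_1","age":34,"email":"alice@example.org"}';
const WRONG_TYPE_INPUT = '{"username":"alice_1","age":"34","email":"alice@example.org"}';
const EXTRA_FIELD_INPUT =
  '{"username":"alice_1","age":34,"email":"alice@example.org","isAdmin":true}';
const HOSTILE_NAME_INPUT =
  '{"username":"alice\' OR 1=1--","age":34,"email":"alice@example.org"}';
```

`trustingParse` returns the wrong-type and extra-field inputs unchanged, with `age` still a string and `isAdmin` still present, because the cast is purely a compile-time assertion; `validatedParse` rejects all three bad inputs and returns a freshly built object containing only the checked fields.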


Andrew “bunnie” Huang recently presented at the 36th Chaos Communication Congress (36C3) on ‘Open Source is Insufficient to Solve Trust Problems in Hardware’ with an accompanying blog post ‘Can We Build Trustable Hardware?’. His central point is that Time-of-Check to Time-of-Use (TOCTOU) is very different for hardware versus software, and so open source is less helpful in mitigating […]


Policy debt

04Sep19

Background When we talk about technical debt that conversation is usually about old code, or the legacy systems that run it. I’ve observed another type of debt, which comes from policies, and seems to be most harmful in the area of security policies. Firewalls or encryption? A primary purpose for this post is to put […]


As we hit the second anniversary of NotPetya, this retrospective is based on the author’s personal involvement in the post-incident activities. Continue reading the full story at InfoQ.