Archive for the ‘security’ Category
Ross Anderson RIP
I saw the sad news yesterday, via Alec Muffett that Ross Anderson had passed, which is an enormous loss the the IT security community (and the industry more widely). I didn’t know Ross very well, so the obituary from his friend and colleague Prof Bill Buchanan OBE provides a much better summary of his work […]
Filed under: security | 1 Comment
Tags: economics, infosec, RIP, Ross Anderson, security, WEIS
TL;DR OSSF Scorecards provide a visible badge that lets people see that an open source repo is adhering to a set of practices that minimise risks, measured by a set of automated checks. Getting this right for a single repo can be an involved process, but with that experience in hand applying the learning to […]
Filed under: security, software | Leave a Comment
Tags: Allstar, CI, github, OSSF, scorecard, security
TL;DR Bad input validation is the main underlying cause of many application security issues, because we haven’t made it easy enough for developers to implement good input validation. So how about a TypeScript[1] like language to resolve that – ValidScript – a language that makes it easy to do input validation? Background Wendy Nather recently […]
Filed under: code, security, technology | Leave a Comment
Tags: appsec, input validation, javascript, OWASP, security, TypeScript, ValidScript
Andrew “bunnie” Huang recently presented at the 36th Chaos Communication Congress (36C3) on ‘Open Source is Insufficient to Solve Trust Problems in Hardware‘ with an accompanying blog post ‘Can We Build Trustable Hardware?‘. His central point is that Time-of-Check to Time-of-Use (TOCTOU) is very different for hardware versus software, and so open source is less helpful in mitigating […]
Filed under: InfoQ news, security | Leave a Comment
Tags: FPGA, hardware, open source, trust
Policy debt
Background When we talk about technical debt that conversation is usually about old code, or the legacy systems that run it. I’ve observed another type of debt, which comes from policies, and seems to be most harmful in the area of security policies. Firewalls or encryption? A primary purpose for this post is to put […]
Filed under: security | 4 Comments
Tags: change, compliance, culture, debt, encryption, firewalls, passwords, policy
InfoQ – NotPetya Retrospective
As we hit the second anniversary of NotPetya, this retrospective is based on the author’s personal involvement in the post-incident activities. Continue reading the full story at InfoQ.
Filed under: InfoQ news, security | Leave a Comment
Tags: NotPetya, recoverability, zero-trust
Failure of Imagination
The Spectre and Meltdown bugs have been billed as a ‘failure of imagination’, where the hardware designers simply didn’t conceive of the possibility that a performance optimisation might lead to a security vulnerability. I personally find this a little hard to swallow. The very first time I came across side-channel attacks the first thing I though […]
Filed under: security | Leave a Comment
Tags: adversarial techniques, AI, ARM, chicken bits, failure, imagination, Intel, Meltdown, red team, security, side-channel, Spectre
This is a follow up to ‘Meltdown and Spectre: What They Are and How to Deal with Them‘ taking a deeper look at: the characteristics of the vulnerability and potential attacks, why its necessary to patch cloud virtual machines even though the cloud service providers have already applied patches, the nature of the performance impact […]
Filed under: InfoQ news, security | Leave a Comment
Tags: Meltdown, Spectre
A buffer overflow bug has caused a small number of requests to Cloudflare proxies to leak data from unrelated requests, including potentially sensitive data such as passwords and other secrets. The issue, which has been named ‘Cloudbleed’, was discovered and documented by Google Project Zero vulnerability researcher Tavis Ormandy. After applying fixes and attempting to clean […]
Filed under: cloud, InfoQ news, security | Leave a Comment
Tags: Cloudbleed, CloudFlare, security
Self Encrypting Drives
TL;DR Many SSDs are also Self Encrypting Drives (SEDs) they just need a few bits flipped to make them work. As the SSDs use encryption under the hood anyway there’s no performance overhead. Background This is something of an almanac post after a couple of days of prodding around the topic of PC device encryption. […]
Filed under: security | 3 Comments
Tags: BitLocker, eDrive, encryption, Opal, sed, ssd, TCG
Chris Swan's Weblog 