Archive for the ‘security’ Category

TL;DR OSSF Scorecards provide a visible badge that lets people see that an open source repo is adhering to a set of practices that minimise risks, measured by a set of automated checks. Getting this right for a single repo can be an involved process, but with that experience in hand applying the learning to […]

TL;DR Bad input validation is the main underlying cause of many application security issues, because we haven’t made it easy enough for developers to implement good input validation. So how about a TypeScript[1] like language to resolve that – ValidScript – a language that makes it easy to do input validation? Background Wendy Nather recently […]

Andrew “bunnie” Huang recently presented at the 36th Chaos Communication Congress (36C3) on ‘Open Source is Insufficient to Solve Trust Problems in Hardware‘ with an accompanying blog post ‘Can We Build Trustable Hardware?‘. His central point is that Time-of-Check to Time-of-Use (TOCTOU) is very different for hardware versus software, and so open source is less helpful in mitigating […]

Policy debt


Background When we talk about technical debt that conversation is usually about old code, or the legacy systems that run it. I’ve observed another type of debt, which comes from policies, and seems to be most harmful in the area of security policies. Firewalls or encryption? A primary purpose for this post is to put […]

As we hit the second anniversary of NotPetya, this retrospective is based on the author’s personal involvement in the post-incident activities. Continue reading the full story at InfoQ.

The Spectre and Meltdown bugs have been billed as a ‘failure of imagination’, where the hardware designers simply didn’t conceive of the possibility that a performance optimisation might lead to a security vulnerability. I personally find this a little hard to swallow. The very first time I came across side-channel attacks the first thing I though […]

This is a follow up to ‘Meltdown and Spectre: What They Are and How to Deal with Them‘ taking a deeper look at: the characteristics of the vulnerability and potential attacks, why its necessary to patch cloud virtual machines even though the cloud service providers have already applied patches, the nature of the performance impact […]

A buffer overflow bug has caused a small number of requests to Cloudflare proxies to leak data from unrelated requests, including potentially sensitive data such as passwords and other secrets. The issue, which has been named ‘Cloudbleed’, was discovered and documented by Google Project Zero vulnerability researcher Tavis Ormandy. After applying fixes and attempting to clean […]

TL;DR Many SSDs are also Self Encrypting Drives (SEDs) they just need a few bits flipped to make them work. As the SSDs use encryption under the hood anyway there’s no performance overhead. Background This is something of an almanac post after a couple of days of prodding around the topic of PC device encryption. […]