Posts Tagged ‘security’
Don’t huff the fumes
TL;DR Agentic systems are the latest thing being used to solve IT integration issues, becoming the glue squirted into the gaps between systems. But the use of natural language means that the distinction between ‘data’ and ‘code’ is almost impossible to make, which causes a whole raft of security concerns. This new glue may be […]
Filed under: security
Tags: agentic, agents, AI, CHERI, glue, integration, middleware, security
TL;DR Supply-chain Levels for Software Artifacts (SLSA) attestations are a great way to show that you care about security, and they’re fairly trivial to add to delivery pipelines that produce a single binary or container image. But things get tricky with matrix jobs that build lots of things in parallel, as you then need to […]
Filed under: Dart, Docker, Gemini, howto
Tags: AI, ARM, artifact, attestation, CD, container, Cosign, Dart, DevOps, Docker, Gemini, GitHub Actions, image, json, matrix, security, signing, slsa
Security researchers at the CISPA Helmholtz Center for Information Security have discovered a vulnerability they’ve called ‘GhostWrite’ that’s caused by a hardware bug in T-Head’s XuanTie C910 and C920 RISC-V CPUs. Some of the chips’ vector extension instructions bypass the translation of virtual memory addresses to physical addresses and operate on physical memory directly, meaning that an attacker can gain access to the […]
Filed under: InfoQ news, security
Tags: fuzzing, GhostWrite, InfoQ, RISC-V, security
What? Let’s get the terminology cleared up. This post is about: None of these things stands alone, they’re all interlinked; and they certainly complement each other – a tripod is more stable than a pole. SBOM My earliest memories of the topic of supply chain security come from conversations with Josh Corman a little while […]
Filed under: security | 3 Comments
Tags: OpenSSF, sbom, scorecard, security, slsa, supply chain
Ross Anderson RIP
I saw the sad news yesterday, via Alec Muffett, that Ross Anderson had passed, which is an enormous loss to the IT security community (and the industry more widely). I didn’t know Ross very well, so the obituary from his friend and colleague Prof Bill Buchanan OBE provides a much better summary of his work […]
Filed under: security | 1 Comment
Tags: economics, infosec, RIP, Ross Anderson, security, WEIS
February 2024
Pupdate It’s been something like the wettest February on record, which has somewhat curtailed long walks :( But the boys have still enjoyed getting out and about even if it’s meant washing their fleece coats every few days to clear off all the mud. State of Open Conference I’ve noticed a bunch of friends getting […]
Filed under: monthly_update
Tags: AI, Beat Saber, Bennetts, bubble, dachshund, dentist, home lab, insurance, Linux, motorbike, motorcycle, open source, OpenSSF, pupdate, root canal, security, solar, SOOCon24, Yocto
TL;DR OSSF Scorecards provide a visible badge that lets people see that an open source repo is adhering to a set of practices that minimise risks, measured by a set of automated checks. Getting this right for a single repo can be an involved process, but with that experience in hand applying the learning to […]
Filed under: security, software
Tags: Allstar, CI, github, OSSF, scorecard, security
TL;DR Bad input validation is the main underlying cause of many application security issues, because we haven’t made it easy enough for developers to implement good input validation. So how about a TypeScript[1] like language to resolve that – ValidScript – a language that makes it easy to do input validation? Background Wendy Nather recently […]
Filed under: code, security, technology
Tags: appsec, input validation, javascript, OWASP, security, TypeScript, ValidScript
Failure of Imagination
The Spectre and Meltdown bugs have been billed as a ‘failure of imagination’, where the hardware designers simply didn’t conceive of the possibility that a performance optimisation might lead to a security vulnerability. I personally find this a little hard to swallow. The very first time I came across side-channel attacks the first thing I thought […]
Filed under: security
Tags: adversarial techniques, AI, ARM, chicken bits, failure, imagination, Intel, Meltdown, red team, security, side-channel, Spectre
A buffer overrun bug has caused a small number of requests to Cloudflare’s edge proxies to leak memory belonging to unrelated requests, including potentially sensitive data such as passwords and other secrets. The issue, which has been named ‘Cloudbleed’, was discovered and documented by Google Project Zero vulnerability researcher Tavis Ormandy. After applying fixes and attempting to clean […]
Filed under: cloud, InfoQ news, security
Tags: Cloudbleed, CloudFlare, security
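The mechanism behind Cloudbleed is worth seeing in miniature. Cloudflare’s own post-mortem attributed the overrun to an end-of-buffer check written as an equality test rather than greater-or-equal, so a parser pointer that stepped past the end of its buffer was never caught and carried on reading whatever sat next in memory. The C below is an added, constructed illustration of that bug class and is not Cloudflare’s parser or any code from the original post: two ‘requests’ are laid out side by side in one small arena so that the over-read stays inside memory the program owns, the page being scanned ends in an unterminated attribute, and the same scanner is run once with the equality check and once with the corrected one. The arena layout, the tag scanner, the two-byte advance after `=` and the sample data are all assumptions made for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed arena: two fixed-size request slots, back to back. Slot 0 is the
 * page being parsed; slot 1 belongs to an unrelated request and must never be
 * read while parsing slot 0. Keeping both in one array means the over-read in
 * the vulnerable path stays within memory this program owns. */
#define SLOT 32
static char arena[2 * SLOT];

/* Fill the arena with sample data (constructed) and return slot 0. */
static char *setup_arena(void) {
    memset(arena, 0, sizeof arena);
    /* Slot 0: a tag whose attribute value never arrives. "<script src" padded
     * with 'x' so that the '=' lands in the very last byte of the slot. */
    memset(arena, 'x', SLOT);
    memcpy(arena, "<script src", 11);
    arena[SLOT - 1] = '=';
    /* Slot 1: another request's data, adjacent in memory. */
    strcpy(arena + SLOT, "token s3cr3t <p>next</p>");
    return arena;
}

/* Copy bytes of the tag starting at buf into out until '>' is seen.
 * Returns the number of bytes copied, or -1 if the input ended first.
 * safe_check selects the corrected end-of-buffer test. */
int scan_tag(const char *buf, size_t len, char *out, size_t outcap, int safe_check) {
    const char *p = buf;
    const char *pe = buf + len;   /* one past the last byte of this request */
    size_t n = 0;

    for (;;) {
        /* End-of-input check. The vulnerable form tests for equality only, so
         * once p has stepped past pe it is never caught. */
        int at_end = safe_check ? (p >= pe) : (p == pe);
        if (at_end) { out[n] = '\0'; return -1; }

        char c = *p;
        if (c == '>') { out[n] = '\0'; return (int)n; }
        if (n + 1 < outcap) out[n++] = c;

        /* An '=' introduces an attribute value: consume the '=' and the byte
         * after it (an opening quote, say) in one step. When '=' is the last
         * byte of the buffer this lands p at pe + 1, past the end. */
        p += (c == '=') ? 2 : 1;
    }
}

/* Scan slot 0 with the chosen check; the copied bytes are left in out. */
static int run_scan(int safe_check, char *out, size_t outcap) {
    char *req = setup_arena();
    return scan_tag(req, SLOT, out, outcap, safe_check);
}

/* Vulnerable check: the scan runs on into slot 1 and returns 46 bytes. */
int vulnerable_scan_len(void) {
    char out[128];
    return run_scan(0, out, sizeof out);
}

/* 1 if the vulnerable scan's output contains the neighbouring request's secret. */
int vulnerable_scan_leaks_secret(void) {
    char out[128];
    run_scan(0, out, sizeof out);
    return strstr(out, "s3cr3t") != NULL;
}

/* Corrected check: the overstep is caught and the scan reports truncated input. */
int safe_scan_len(void) {
    char out[128];
    return run_scan(1, out, sizeof out);
}

int main(void) {
    char out[128];
    int n = run_scan(0, out, sizeof out);
    printf("== check: returned %d, copied \"%s\"\n", n, out);
    n = run_scan(1, out, sizeof out);
    printf(">= check: returned %d, copied \"%s\"\n", n, out);
    return 0;
}
```

The point of the demonstration is that nothing in the leaked output looks malformed: the scanner simply keeps copying until it meets a `>` that belongs to someone else’s response, which is exactly why the leaked fragments in Cloudbleed were well-formed pieces of other users’ traffic. A bound check of the form `p >= pe` (or, better, never advancing by more than the bytes actually remaining) closes the hole; a fuzzer or a sanitizer build would have flagged the read past `pe` in the vulnerable variant immediately.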