Posts Tagged ‘security’
TL;DR OSSF Scorecards provide a visible badge that lets people see that an open source repo is adhering to a set of practices that minimise risks, measured by a set of automated checks. Getting this right for a single repo can be an involved process, but with that experience in hand applying the learning to […]
Filed under: security, software
Tags: Allstar, CI, github, OSSF, scorecard, security
TL;DR Bad input validation is the main underlying cause of many application security issues, because we haven’t made it easy enough for developers to implement good input validation. So how about a TypeScript[1]-like language to resolve that – ValidScript – a language that makes it easy to do input validation? Background Wendy Nather recently […]
Filed under: code, security, technology
Tags: appsec, input validation, javascript, OWASP, security, TypeScript, ValidScript
Failure of Imagination
The Spectre and Meltdown bugs have been billed as a ‘failure of imagination’, where the hardware designers simply didn’t conceive of the possibility that a performance optimisation might lead to a security vulnerability. I personally find this a little hard to swallow. The very first time I came across side-channel attacks the first thing I thought […]
Filed under: security
Tags: adversarial techniques, AI, ARM, chicken bits, failure, imagination, Intel, Meltdown, red team, security, side-channel, Spectre
A buffer overflow bug has caused a small number of requests to Cloudflare proxies to leak data from unrelated requests, including potentially sensitive data such as passwords and other secrets. The issue, which has been named ‘Cloudbleed’, was discovered and documented by Google Project Zero vulnerability researcher Tavis Ormandy. After applying fixes and attempting to clean […]
Filed under: cloud, InfoQ news, security
Tags: Cloudbleed, CloudFlare, security
My Asus Tinker Board arrived yesterday from CPC, and I did a quick tweet with unboxing photos. Having taken it for a quick test drive here are my first impressions based on running up their Debian image[1] (I’ve not had the time to try Kodi yet). Reassuringly expensive The Tinker Board is £55, which is […]
Filed under: Raspberry Pi, Tinker Board | 4 Comments
Tags: Asus, board, image, RPi, security, Tinker
Filed under: presentation, security
Tags: API, certificates, containers, DevOps, devsecops, Docker, scale, secdevops, security
InfoQ – Docker Security Scanning
Docker Inc have announced general availability of Docker Security Scanning, which was previously known as Project Nautilus. The release comes alongside an update to the CIS Docker Security Benchmark to bring it in line with Docker 1.11.0, and an updated Docker Bench tool for checking that host and daemon configuration match security benchmark recommendations. […]
Filed under: Docker, InfoQ news
Tags: Docker, security
Twistlock have announced the general availability of their Container Security Suite, along with a partnership with Google Cloud Platform that integrates Twistlock into Google Container Engine (GKE). The suite consists of a console to define policy, a registry scanner and a ‘Defender’ that runs as a privileged container on each host. The suite connects to Twistlock’s […]
Filed under: cloud, Docker, InfoQ news, security
Tags: cloud, containers, Docker, google, security, Twistlock
Docker Inc. have announced the release of Docker 1.8, which brings with it some new and updated tools in addition to new engine features. Docker Toolbox provides a packaged system aiming to be, ‘the fastest way to get up and running with a Docker development environment’, and replaces Boot2Docker. The most significant change to Docker Engine […]
Filed under: Docker, InfoQ news, security
Tags: content trust, Docker, InfoQ, security, toolbox
A friend emailed me yesterday saying he was ‘trying to be better informed on security topics’ and asking for suggestions on blogs etc. Here’s my reply… For security stuff first read (or at least skim) Ross Anderson’s Security Engineering (UK|US) – it’s basically the bible for infosec. Don’t be scared that it’s now seven years old […]
Filed under: security | 3 Comments
Tags: security