Security Icon

Security

InfoSec, DevSec, Penetration Testing, etc.
232 Stories
All Topics

Julie Qiu go.dev

Vulnerability management for Go

Julie Qiu, announcing Go’s new support for vulnerability management:

Go provides tooling to analyze your codebase and surface known vulnerabilities. This tooling is backed by the Go vulnerability database, which is curated by the Go security team. Go’s tooling reduces noise in your results by only surfacing vulnerabilities in functions that your code is actually calling.

There’s a new govulncheck command you can/should install and run against your project. It surfaces only the vulnerabilities that actually affect you, which is awesome.

Govulncheck is a standalone tool to allow frequent updates and rapid iteration while we gather feedback from users. In the long term, we plan to integrate the govulncheck tool into the main Go distribution.

iOS krausefx.com

See what JS commands get injected through an in-app browser on iOS

Felix Krause built an iOS browser app that lists the JavaScript commands executed by the iOS app rendering the page. Use it like this:

  1. Open an app you want to analyze
  2. Share the URL somewhere inside the app (e.g. send a DM to a friend, or post to your feed)
  3. Tap on the link inside the app to open it
  4. Read the report on the screen

His findings after using this for a bit are… concerning. Especially TikTok.

Awesome Lists github.com

A powerful open source toolkit for hackers & security automation

Scanners Box also known as scanbox, is a powerful hacker toolkit, which has collected more than 10 categories of open source scanners from Github, including subdomain, database, middleware and other modular design scanner etc. But for other Well-known scanning tools, such as nmap, w3af, brakeman, arachni, nikto, metasploit, aircrack-ng will not be included in the scope of collection.

Toolkit might be a bit misleading. I was imagning some kind of Docker container or Linux distro with all the tools baked in. This is more of a collection of tools (which is why we applied the Awesome topic to it) that you can pick and choose from. Nice collection, though!

Apple apple.com

Apple adds a Lockdown Mode for "extreme protection"

Lockdown Mode is the first major capability of its kind designed to offer an extreme, optional protection for the very small number of users who face grave, targeted threats to their digital security.

It blocks non-image attachment types in Messages, disables JIT compilation in Safari, blocks incoming FaceTime calls from unknown senders, won’t let the phone connect to a computer via a wired connection, and disables the ability to install new configuration profiles.

Ship It! Ship It! #58

How to keep a secret

Rob Barnes (a.k.a. Devops Rob) and Rosemary Wang (author of Infrastructure as Code - Patterns & Practices) are joining us today to talk about infrastructure secrets.

What do Rosemary and Rob think about committing encrypted secrets into a repository? How do they suggest that we improve on storing secrets in LastPass? And if we were to choose HashiCorp Vault, what do we need to know?

Thank you Thomas Eckert for the intro. Thank you Nabeel Sulieman (ep. 46) & Kelsey Hightower (ep. 44) for your gentle nudges towards improving our infra secrets management.

Security github.com

Chain-bench – a tool for auditing your software supply chain

Chain-bench is an open source tool for auditing your software supply chain stack for security compliance based on a new CIS Software Supply Chain benchmark.

You can run the tool from a CLI, assuming your code is hosted on GitHub (more SCM hosts coming soon):

chain-bench scan --repository-url <REPOSITORY_URL> --access-token <TOKEN> -o <OUTPUT_PATH>

I couldn’t find a comprehensive list of what checks are in the benchmark, but it appears they are referring to this guide. You can see what an example run’s results like like in the README.

Security github.com

The Deepfake Offensive Toolkit

dot (aka Deepfake Offensive Toolkit) makes real-time, controllable deepfakes ready for virtual cameras injection. dot is created for performing penetration testing against e.g. identity verification and video conferencing systems, for the use by security analysts, Red Team members, and biometrics researchers.

What’s crazy is dot deepfakes don’t require any additional training. 🤯

The Deepfake Offensive Toolkit

Startups kenkantzer.com

Learnings from 5 years of tech startup code audits

Ken Kantzer was part of ~20 code audits of companies that had just raised their A or B rounds of funding:

It was fascinating work – we dove deep on a great cross-section of stacks and architectures, across a wide variety of domains. We found all sorts of security issues, ranging from catastrophic to just plain interesting. And we also had a chance to chat with senior engineering leadership and CTOs more generally about the engineering and product challenges they were facing as they were just starting to scale.

In this post he shares some of the more surprising things he’s learned from the experience. There’s a lot to digest in this post, but I’ll highlight my favorite to whet your whistle:

Simple Outperformed Smart. As a self-admitted elitist, it pains me to say this, but it’s true: the startups we audited that are now doing the best usually had an almost brazenly ‘Keep It Simple’ approach to engineering. Cleverness for cleverness sake was abhorred. On the flip side, the companies where we were like ”woah, these folks are smart as hell” for the most part kind of faded.

The Changelog The Changelog #490

Schneier on security for tomorrow’s software

This week we’re talking with Bruce Schneier — cryptographer, computer security professional, privacy specialist, and writer (of many books). He calls himself a “public-interest technologist”, a term he coined himself, and works at the intersection of security, technology, and people.

Bruce has been writing about security issues on his blog since 2004, his monthly newsletter has been going since 1998, he’s a fellow and lecturer at Harvard’s Kennedy School, a board member of the EFF, and the Chief of Security Architecture at Inrupt. Long story short, Bruce has credentials to back up his opinions and on today’s show we dig into the state of cyber-security, security and privacy best practices, his thoughts on Bitcoin (and other crypto-currencies), Tim Berners-Lee’s Solid project, and of course we asked Bruce to share his advice for today’s developers building the software systems of tomorrow.

Ship It! Ship It! #53

Securing K8s releases (KubeCon EU 2022)

Today we are at KubeCon CloudNativeCon EU 2022, talking to Adolfo García Veytia about securing Kubernetes releases. Adolfo is a Staff Software Engineer at Chainguard, and one of the technical leads for SIG release, meaning that he helps ship Kubernetes. You most likely know him as Puerco, and have seen first-hand his passion for securing software via SBOMs, cosign and SLSA. Puerco’s love for bikes and Chainguard are a great match 🚴‍♂️

The GitHub Blog Icon The GitHub Blog

GitHub will require 2FA by the end of 2023

Mike Hanley on GitHub’s blog:

The software supply chain starts with the developer. Developer accounts are frequent targets for social engineering and account takeover, and protecting developers from these types of attacks is the first and most critical step toward securing the supply chain…

Today, as part of a platform-wide effort to secure the software ecosystem through improving account security, we’re announcing that GitHub will require all users who contribute code on GitHub.com to enable one or more forms of two-factor authentication (2FA) by the end of 2023.

This is a big step in the right direction and their new(ish) 2FA for GitHub Mobile feature helps make the burden not as cumbersome as it might be otherwise.

Ship It! Ship It! #46

A simpler alternative to cert-manager

Nabeel Sulieman, Senior Software Engineer at Vercel, talks about KCert, a simpler alternative to cert-manager that he built. Gerhard tried it out, and he thinks that Nabeel is onto something. If you want to see the video that they recorded, ping us on Twitter or Slack.

We love this story, especially the long-term approach of working on something that one truly believes in, and the only reason is because it’s fun. The world needs more people like Nabeel, and we hope that this episode inspires you to go all out, and do just that.

Security trickster.dev

Decrypting your own HTTPS traffic with Wireshark

Wireshark is a seriously cool piece of software for packet sniffing and analysis. Why might you want to use it on yourself?

This opens up possibilities to not only reverse engineer web app private APIs in a deeper way, but also to do the same kind of research against desktop apps for purposes such as data scraping, automation, vulnerability research and privacy analysis.

The Changelog The Changelog #482

Securing the open source supply chain

This week we’re joined by the “mad scientist” himself, Feross Aboukhadijeh…and we’re talking about the launch of Socket — the next big thing in the fight to secure and protect the open source supply chain.

While working on the frontlines of open source, Feross and team have witnessed firsthand how supply chain attacks have swept across the software community and have damaged the trust in open source. Socket turns the problem of securing open source software on its head, and asks…“What if we assume all open source may be malicious?” So, they built a system that proactively detects indicators of compromised open source packages and brings awareness to teams in real-time. We cover the whys, the hows, and what’s next for this ambitious and very much needed project.

JS Party JS Party #210

What's in your package.json?

Tobie Langel, Open source strategist and Principal at UnlockOpen, joins Chris, Feross, and Amal to discuss recent widespread incidents affecting the JavaScript community (and breaking CI builds) around the globe. Two widely used npm libraries were self-sabotaged by their single maintainer, yet again, highlighting the many gaps in our OSS supply chain security, sustainability and overall practices. We explore all these topics and solution on what our ecosystem needs to be more resilient to these types of attacks in the future.

0:00 / 0:00