How to Use OpenPubkey to SSH Without SSH Keys
Learn how OpenPubkey SSH (OPK SSH) allows you to use your regular email account or SSO to log in and securely connect to an SSH server. ⌘ Read more
GitHub and the Ekoparty 2023 Capture the Flag
The GitHub Security Lab teamed up with Ekoparty once again to create some challenges for its yearly Capture the Flag competition!
The post GitHub and the Ekoparty 2023 Capture the Flag appeared first on The GitHub Blog. ⌘ Read more
Frenemies to friends: Developers and security tools
When socializing a new security tool, it IS possible to build a bottom-up security culture where engineering has a seat at the table. Let’s explore some effective strategies witnessed by the GitHub technical sales team to make this shift successful.
The post Frenemies to friends: Developers and security tools appeared first on [The GitHub Blog](http … ⌘ Read more
5 ways to make your DevSecOps strategy developer-friendly
Developers care about security, but poorly integrated tools and other factors can cause frustration. Here are five best practices to reduce friction.
The post 5 ways to make your DevSecOps strategy developer-friendly appeared first on The GitHub Blog. ⌘ Read more
GitHub’s top blog posts of 2023
As the year winds down, we’re highlighting some of the incredible work from GitHub’s engineers, product teams, and security researchers.
The post GitHub’s top blog posts of 2023 appeared first on The GitHub Blog. ⌘ Read more
How to Use OpenPubkey with GitHub Actions Workloads
Learn how to use OpenPubkey to bind public keys to workload identities using GitHub Actions and Docker. And find out how Docker is using OpenPubkey with GitHub Actions to sign Docker Official Images and improve supply chain security. ⌘ Read more
MacOS Sonoma 14.2.1 Update Released with Bug Fixes
Apple has released macOS Sonoma 14.2.1 as a software update for Mac users running the Sonoma operating system. The update is said to include important bug fixes and security updates, and is therefore recommended for all users to install. Separately, Apple has released iOS 17.2.1 for iPhone, iPadOS 17.2.1 for iPad, iOS 16.7.4 and iPadOS … Read More ⌘ Read more
Using Authenticated Logins for Docker Hub in Google Cloud
Learn four best practices that your teams can implement to maintain a secure and reliable software delivery process with Docker Hub in Google Cloud. With these guidelines, you can leverage the benefits of open source software while safeguarding your development workflow. ⌘ Read more
Securing our home labs: Frigate code review
This blog post describes two linked vulnerabilities found in Frigate, an AI-powered security camera manager, that could have enabled an attacker to silently gain remote code execution.
The post Securing our home labs: Frigate code review appeared first on The GitHub Blog. ⌘ Read more
Access to affordable food needs government intervention, report finds
A year-long parliamentary inquiry focused on the future of Australia’s food security recommends introducing a minister for food among its 35 recommendations to the federal government. ⌘ Read more
From macOS runners to secure deployments, what’s new from GitHub Actions
Read a roundup of the exciting, new innovation coming from GitHub Actions.
The post From macOS runners to secure deployments, what’s new from GitHub Actions appeared first on The GitHub Blog. ⌘ Read more
iOS 17.2 RC Released for Testing, Final Coming Soon
Apple has issued a release candidate (RC) build for iOS 17.2 for iPhone and iPadOS 17.2 for iPad. Release Candidates are typically the last of the beta development cycle, unless some additional significant bug or security issue is found, suggesting that the final version of iOS 17.2 and iPadOS 17.2 will be coming in the … Read More ⌘ Read more
GitHub Enterprise Server 3.11 is now generally available
Customers using GitHub Enterprise Server can gain more insight and understanding into the security of their code.
The post GitHub Enterprise Server 3.11 is now generally available appeared first on The GitHub Blog. ⌘ Read more
Addressing post-quantum cryptography with CodeQL
Learn how researchers and security experts at GitHub, Microsoft, and Santander came together to address the challenges presented by the post-quantum cryptography world.
The post Addressing post-quantum cryptography with CodeQL appeared first on The GitHub Blog. ⌘ Read more
Remote community strives to improve health by growing their own fruit and veg in APY Lands
A Central Australian Aboriginal community hopes to improve the health of residents and increase food security by re-establishing a once plentiful orchard that has fallen into disrepair. ⌘ Read more
iOS 17.1.2 & iPadOS 17.1.2 Released for iPhone & iPad with Security Fixes
iOS 17.1.2 has been released for iPhone users, along with iPadOS 17.1.2 for iPad. The small software update includes security fixes and is recommended for all users to install onto their eligible devices. It is unclear if any bug fixes are included in the release, as none are mentioned in the release notes, which are … [Read More](https://osxdaily.com/2023/11/30/ios-17-1-2-ipados-1 … ⌘ Read more
MacOS Sonoma 14.1.2 Update Released with Security Fixes
macOS Sonoma 14.1.2 update has been released for Mac users running the Sonoma operating system. The software update includes unspecified bug fixes and security enhancements, and is recommended for all Mac users running Sonoma to install. Full release notes are included below. Separately, Apple has also released iOS 17.1.2 update for iPhone, and iPadOS 17.1.2 … [Read More](https://osxdaily.com/2023/11/30/macos-sonoma-14-1-2 … ⌘ Read more
Securing our home labs: Home Assistant code review
The GitHub Security Lab examined the most popular open source software running on our home labs, with the aim of enhancing its security. Here’s what we found and what you can do to better protect your own smart home.
The post Securing our home labs: Home Assistant code review appeared first on The GitHub Blog. ⌘ Read more
NixOS 23.11 released
Hey everyone, we are figsoda and Ryan Lahfa, the release managers for this stable release and we are very proud to announce the public availability of NixOS 23.11 “Tapir”.
This release will receive bugfixes and security updates for seven months (up until 2024-06-30).
- [Relea … ⌘ Read more
I think I witnessed twice today how someone shop-lifted something from a big department store and ran away with it. One was actually being chased by the shop’s security.
Accelerating Developer Velocity with Microsoft Dev Box and Docker Desktop
We’re pleased to announce our partnership with the Microsoft Dev Box team to streamline developer onboarding, environment set-up, security, and administration with Docker Desktop. ⌘ Read more
Security best practices for authors of GitHub Actions
Improve your GitHub Action’s security posture by securing your source repository, protecting your maintainers, and making it easy to report security incidents.
The post Security best practices for authors of GitHub Actions appeared first on The GitHub Blog. ⌘ Read more
How JW Player Secured 300 Repos in an Hour with Docker Scout
For companies like JW Player, whose core business revolves around streaming, content, and infrastructure, security must be a priority without slowing down delivery or affecting operations. Learn how JW Player uses Docker to help meet such challenges, including how JW Player enabled more than 300 repositories for Docker Scout within just one hour. ⌘ Read more
Announcement: JPCERT/CC Eyes, “Follow-up to the introduction of RFC 9116 ‘security.txt’ (August 2022)” ⌘ Read more
Achieve Security and Compliance Goals with Policy Guardrails in Docker Scout
We show how Docker Scout policies enable teams to identify, prioritize, and fix their software quality issues at the point of creation. ⌘ Read more
Building Trusted Content with GitHub Actions
As part of our continued efforts to improve the security of the software supply chain and increase trust in the container images developers create and use every day, Docker has begun migrating its Docker Official Images (DOI) builds to the GitHub Actions platform. Leveraging the GitHub Actions hosted, ephemeral build platform enables the creation of secure, verifiable images with provenance and SBOM attestations signed using OpenPubkey and the GitHub … ⌘ Read more
Universe 2023: Copilot transforms GitHub into the AI-powered developer platform
GitHub is announcing general availability of GitHub Copilot Chat and previews of the new GitHub Copilot Enterprise offering, new AI-powered security features, and the GitHub Copilot Partner Program.
The post [Universe 2023: Copilot transforms GitHub into the AI-powered developer platform](https://github.blog/2023-11-08-universe-2023-copilot-transforms-github-into-the-ai-powered- … ⌘ Read more
Introducing AI-powered application security testing with GitHub Advanced Security
Learn about how GitHub Advanced Security’s new AI-powered features can help you secure your code more efficiently than ever.
The post Introducing AI-powered application security testing with GitHub Advanced Security appeared first on The GitHub Blog. ⌘ Read more
iOS 17.1.1 Released for iPhone, & iPadOS 17.1.1 for iPad
Apple has released iOS 17.1.1 for iPhone, along with iPadOS 17.1.1 for iPad. The point release updates offer bug fixes and security enhancements, and are therefore recommended for all users to install on their devices. Specifically, iOS 17.1.1 fixes an issue where the Lock Screen Weather widget may not display snow correctly, and an issue … [Read More](https://osxdaily.com/2023/11/07/ios-17-1-1-released-for-iphone-ipad … ⌘ Read more
MacOS Sonoma 14.1.1 Released
Apple has released macOS Sonoma 14.1.1 for Mac users running the Sonoma operating system. The update is said to include bug fixes and security enhancements for Sonoma, though no bugs are specifically mentioned in the release notes, which are included below. Separately, Apple has released iOS 17.1.1 for iPhone, iPadOS 17.1.1 for iPad, watchOS 10.1.1 … Read More ⌘ Read more
MacOS Ventura 13.6.1 and MacOS Monterey 12.7.1 Released
Apple has released MacOS Ventura 13.6.1 and MacOS Monterey 12.7.1 for Mac users who have not yet updated to macOS Sonoma. The macOS software updates include security enhancements, and come alongside Safari 17.1 as well. Separately, macOS Sonoma 14.1 has also been released, alongside iOS 17.1 update to iPhone, iPadOS 17.1 for iPad, iOS 16.7.2, … [Read More](https://osxdaily.com/2023/10/26/macos-ventura-13-6-1-and-macos-mont … ⌘ Read more
iOS 16.7.2, iPadOS 16.7.2, iOS 15.8, & iPadOS 15.8 Released for Older iPhone & iPad Models
Apple has released a series of software updates for older model iPhone and iPad devices, that have either not yet updated to iOS 17 and iPadOS 17, or are not able to run those versions of system software. The updates include important security fixes, and are therefore recommended for all users to install, especially if … [Read More](https://osxdaily.c … ⌘ Read more
iOS 17.1 Update Released for iPhone, & iPadOS 17.1 for iPad
Apple has released iOS 17.1 for iPhone, and iPadOS 17.1 for iPad, as the first major point release updates to the iOS 17 and iPadOS 17 system software versions. iOS 17.1 and iPadOS 17.1 include bug fixes, security enhancements, as well as some new features, like the ability to continue AirDrop transfers over the internet … [Read More](https://osxdaily.com/2023/10/25/ios-17-1-update-released-for-iphone-ipados-17-1 … ⌘ Read more
MacOS Sonoma 14.1 Update Released for Mac
Apple has released MacOS Sonoma 14.1 for Mac users running the Sonoma operating system. The software update includes a handful of bug fixes and security enhancements, but no significant new features are included. Full release notes are included below. Separately, Apple has also released iOS 17.1 for iPhone, iPadOS 17.1 for iPad, updates to watchOS, … Read More ⌘ Read more
OAuth for Browser-Based Apps Draft 15
After a lot of discussion on the mailing list over the last few months, and after some excellent discussions at the OAuth Security Workshop, we’ve been working on revising the draft to provide clearer guidance and clearer discussion of the threats and consequences of the various architectural patterns in the draft. ⌘ Read more
Snikket: On the jabber.ru MITM attack
This post is about a recent security incident on a public XMPP service, which provides jabber.ru and xmpp.ru. We have received a few questions from Snikket users about whether they should be concerned about the security of their own servers (Snikket also uses XMPP).
The good news is that Snikket was not affected by this incident - this was a targeted attack against the jabber.ru/xmpp.ru service specifically. Later in the post we’ll share more information about what we’ve done, and … ⌘ Read more
ICYMI: improved C++ vulnerability coverage and CodeQL support for Lombok
The effectiveness of a static application security solution hinges on its ability to provide extensive vulnerability coverage and support for a wide range of languages and frameworks. Today, we’re highlighting two releases that’ll help you discover more vulnerabilities in your codebase, so you can ship more secure software.
The post [ICYMI: improved C++ vulnerability coverage and CodeQL support … ⌘ Read more
Erlang Solutions: Erlang Security Audit
Unlock the Power of Secure Erlang Code
Cybersecurity is a non-negotiable aspect of business. The need for robust protection extends to all aspects of your operations, including the security of your Erlang-based code.
At Erlang Solutions, we recognise the vital importance of safeguarding your code from potential vulnerabilities and security threats. We are thrilled to introduce our latest offering – the … ⌘ Read more
5 iCloud Security Features You Should Be Using
iCloud is packed full of features that make using devices in the Apple ecosystem super easy and fluid, but there are some security features and capabilities offered by iCloud that literally everyone should be using because of their added benefits to security, convenience, and capabilities. While it’s generally a good idea to basically use every … Read More ⌘ Read more
Security Advisory: High Severity Curl Vulnerability
The maintainers of curl, the popular command-line tool and library for transferring data with URLs, will release curl 8.4.0 on October 11, 2023. This version will include a fix for two common vulnerabilities and exposures (CVEs), one of which the curl maintainers rate as “HIGH” severity and described as “probably the worst curl security flaw in a long time.” In the meantime, you can prepare ahead of exploitability details being released … ⌘ Read more
3 strategies to expand your threat model and secure your supply chain
How to get the security basics right at your organization.
The post 3 strategies to expand your threat model and secure your supply chain appeared first on The GitHub Blog. ⌘ Read more
Cybersecurity spotlight on bug bounty researcher @inspector-ambitious
For this year’s Cybersecurity Awareness Month, the GitHub bug bounty team is excited to feature another spotlight on a talented security researcher who participates in the GitHub Security Bug Bounty Program—@inspector-ambitious!
The post [Cybersecurity spotlight on bug bounty researcher @inspector-ambitious](https://github.blog/2023-10-02-cybersecurity-spotlight-on-bug-bounty-researcher-inspector-a … ⌘ Read more
GitHub Learning Pathways: Learn from the best
Gain expertise and insights from top organizations through guided tutorials, boosting productivity, enhancing security, and enabling seamless collaboration.
The post GitHub Learning Pathways: Learn from the best appeared first on The GitHub Blog. ⌘ Read more
Changes to How Docker Handles Personal Authentication Tokens
Docker is improving the visibility of Docker Desktop and Hub users’ personal access tokens. Specifically, we are changing how tokens are handled across sessions between the two tools. Learn more about this security improvement. ⌘ Read more
The GitHub Security Lab’s journey to disclosing 500 CVEs in open source projects
The GitHub Security Lab audits open source projects for security vulnerabilities and helps maintainers fix them. Recently, we passed the milestone of 500 CVEs disclosed. Let’s take a trip down memory lane with a review of some noteworthy CVEs!
The post [The GitHub Security Lab’s journey to disclosing 500 CVEs in open source projects](https://github.blog/2023-09-21-the-github-s … ⌘ Read more
Announcing general availability of GitHub Advanced Security for Azure DevOps
GitHub Advanced Security for Azure DevOps is now generally available. Enable secret scanning, dependency scanning, and code scanning on your organization directly in Azure DevOps configuration settings.
The post [Announcing general availability of GitHub Advanced Security for Azure DevOps](https://github.blog/2023-09-20-announcing-general-availability-of-github-advanced-security-for- … ⌘ Read more
How Google Authenticator made one company’s network breach much, much worse | Ars Technica
🤦♂
WHY are these big companies treated as though they are the be all and end all of infosec? These are rookie mistakes Google’s making, at scale.
Unfortunately Google employs dark patterns to convince you to sync your MFA codes to the cloud, and our employee had indeed activated this “feature”. If you install Google Authenticator from the app store directly, and follow the suggested instructions, your MFA codes are by default saved to the cloud. If you want to disable it, there isn’t a clear way to “disable syncing to the cloud”; instead there is just an “unlink Google account” option.
Like, never ever put your multi-factor tokens into a single cloud storage location! The whole point of this being “multi” factor is that there is a separate, independent physical factor involved in the authentication process. If the authenticator app on your phone puts the tokens in the cloud, then it reduces the security that comes from having a second factor. This is basic stuff.
Of course, never ever use Google Authenticator. All it does is generate TOTP and HOTP codes, which you can do with any OTP app, preferably an open source one that’s been vetted.
DockerCon Workshops: What to expect
DockerCon 2023 will be held October 4-5 in Los Angeles. The program is now online so you can plan your experience by day, time, and theme, including AI and Machine Learning, Web Application / Web Development, Building and Deploying Applications, Secure Software Delivery, and Open Source. This year we’re offering talks, workshops, and panel discussions, plus the usual vibrant DIY hallway track. Here’s a preview of what to expect in our workshops. Register now! ⌘ Read more
GitHub Enterprise Server 3.10 is now generally available
Customers using GHES can now ensure secure development is a top priority with enhanced security and compliance controls for their repositories.
The post GitHub Enterprise Server 3.10 is now generally available appeared first on The GitHub Blog. ⌘ Read more
Ignite Realtime Blog: CVE-2023-32315: Openfire vulnerability (update)
A few months ago, we published details about an important security vulnerability in Openfire that is identified as CVE-2023-32315.
To summarize: Openfire’s administrative console (the Admin Console), a web-based application, was found to be vulnerable to a path traversal attack via the setup environ … ⌘ Read more