3 ways to meet compliance needs without slowing down agility
Learn how to enable developer productivity and collaboration while staying secure and compliant. Stay compliant without slowing down your business. From security to CI/CD, automate every step of your software workflow—so your developers can stay focused on what matters most: building. ⌘ Read more
The code that wasn’t there: Reading memory on an Android device by accident
CVE-2022-25664, a vulnerability in the Qualcomm Adreno GPU, can be used to leak large amounts of information to a malicious Android application. Learn more about how the vulnerability can be used to leak information in both the user space and kernel space level of pages, and how the GitHub Security Lab used the kernel space information leak to construct a KASLR bypass. ⌘ Read more
Secure Your Kubernetes Clusters with the Kubescape Docker Extension
Find out how to use the Kubescape Docker Extension for Kubernetes cluster security right from Docker Desktop. ⌘ Read more
JMP: SMS Account Verification
Some apps and services (but not JMP!) require an SMS verification code in order to create a new account. (Note that this is different from using SMS for authentication, which is a bad idea since SMS can be easily intercepted, are not encrypted in transit, and are v … ⌘ Read more
5 Developer Workstation Security Best Practices
Learn how Hardened Docker Desktop can help you follow the five most critical developer workstation security best practices. ⌘ Read more
Omniknot
⌘ Read more
Git security vulnerabilities announced
Git users are encouraged to upgrade to the latest version, especially if they use `git apply` or `git clone` against untrusted patches or repositories. ⌘ Read more
Dino: Dino 0.4 Release
Dino is a secure and open-source messaging application.
It uses the XMPP (Jabber) protocol for decentralized communication.
We aim to provide an intuitive and enjoyable user interface.
The 0.4 release adds support for message reactions and replies. We also switched from GTK3 to GTK4 and make use of libadwaita now.
Reactions and Replies
Reactions give you a quick and light-weight way to respond to a message with an emoji.
They … ⌘ Read more
How to mitigate OWASP vulnerabilities while staying in the flow
Explore how GitHub Advanced Security can help address several of the OWASP Top 10 vulnerabilities ⌘ Read more
R to @mind_booster: I’ll gladly explain it to them as soon as they make available information about their security updates policies. 2/2 ⌘ Read more
Pwning the all Google phone with a non-Google bug
It turns out that the first “all Google” phone includes a non-Google bug. Learn about the details of CVE-2022-38181, a vulnerability in the Arm Mali GPU. Join me on my journey through reporting the vulnerability to the Android security team, and the exploit that used this vulnerability to gain arbitrary kernel code execution and root on a Pixel 6 from an Android app. ⌘ Read more
Unlocking security updates for transitive dependencies with npm
How Dependabot integrated with npm to address security vulnerabilities on transitive dependencies and increase the likelihood of success for JavaScript security updates by 40%. ⌘ Read more
Git security vulnerabilities announced
Git users are encouraged to upgrade to the latest version, especially if they use `git archive`, work in untrusted repositories, or use Git GUI on Windows. ⌘ Read more
@abucci@anthony.buc.ci ISO 27001 is basically the same. It means that there is management sign-off that a process to improve security is in place. Not that the system is secure. And ITIL is that management signs off that problems and incidents should have processes defined.
Though it’s a good mess of words you can throw around while saying “management supports this so X needs to get done”
Passwordless deployments to the cloud
Discovering passwords in our codebase is probably one of our worst fears. But what if you didn’t need passwords at all, and could deploy to your cloud provider another way? In this post, we explore how you can use OpenID Connect to trust your cloud provider, enabling you to deploy easily, securely and safely, while minimizing the operational overhead associated with secrets (for example, key rotations). ⌘ Read more
Introducing required workflows and configuration variables to GitHub Actions
Now, you can standardize and enforce CI/CD best practices across all repositories in your organization to reduce duplication and secure your DevOps processes. ⌘ Read more
GitHub’s top 10 blog posts of 2022
As the year winds down, we’re highlighting some of the incredible work from GitHub’s engineers, product teams, and security researchers. ⌘ Read more
Increase developer productivity, save time on developer onboarding, and drive ROI in 2023
Forrester’s Total Economic Impact™ study dives into how GitHub Enterprise Cloud and GitHub Advanced Security help businesses drive ROI, increase developer productivity, and save time on developer onboarding. ⌘ Read more
How we use GitHub to be more productive, collaborative, and secure
Our engineering and security teams have done some incredible work in 2022. Let’s take a look at how we use GitHub to be more productive, build collaboratively, and shift security left. ⌘ Read more
@prologic@twtxt.net @justamoment@twtxt.net Yep, my back yard security cam. And my poor weather station buried in the snow.
GitHub Advanced Security customers can now push protect their custom patterns
With just one click, admins in GitHub Advanced Security organizations can protect their custom patterns on push. ⌘ Read more
Raising the bar for software security: next steps for GitHub.com 2FA
GitHub will require all users who contribute code on GitHub.com to enable one or more forms of two-factor authentication (2FA) by the end of 2023. Learn more about our approach, when we’ll begin our rollout, and what you can expect as we begin requiring 2FA. ⌘ Read more
Snikket: F-Droid security update
Last week, Snikket Android users who installed the Snikket app via F-Droid started receiving a warning that it contained a security vulnerability. This wasn’t entirely accurate, as the problem wasn’t with the Snikket app itself but specifically F-Droid’s own build of the app that was using an outdated version of the WebRTC library.
Like many communication apps, Snikket uses WebRTC for audio and video calls. We’ve been working on finding a … ⌘ Read more
@lyse@lyse.isobeef.org anyone willing to copy/paste security related things without understanding are gonna have a bad time.
Snikket: Notes on the F-Droid security warning
Snikket Android users who installed the app via F-Droid may receive a warning from F-Droid telling them that the app has a vulnerability and that they “recommend uninstalling immediately”. First of all - don’t panic! This is an over-simplified generic warning that is scary, but the actual situation is not quite so scary and has an explanation. Here goes…
When an app is developed and ready for release, it must be compiled and built, to produce the fina … ⌘ Read more
$name$ and then dispatch the hashing or checking to its specific format.
Circling back to the IsPreferred method: a hasher can define its own IsPreferred method, which will be called to check whether the current hash meets the complexity requirements. This is good for updating the password hashes to be more secure over time.
```go
// IsPreferred reports whether hash was produced by the preferred hasher and,
// if that hasher defines its own IsPreferred, whether the hash's parameters
// still meet the current requirements.
func (p *Passwd) IsPreferred(hash string) bool {
	_, algo := p.getAlgo(hash) // dispatch on the $name$ prefix of the stored hash
	if algo != nil && algo == p.d { // p.d is the preferred hasher (the first one given to New)
		// if the algorithm defines its own check for preference.
		if ck, ok := algo.(interface{ IsPreferred(string) bool }); ok {
			return ck.IsPreferred(hash)
		}
		return true
	}
	return false
}
```
https://github.com/sour-is/go-passwd/blob/main/passwd.go#L62-L74
example: https://github.com/sour-is/go-passwd/blob/main/pkg/argon2/argon2.go#L104-L133
Here is an example of usage:
```go
// Requires "fmt" plus the passwd package; unix.MD5 is its MD5 hasher and
// plainPasswd is the plain-text hasher used by the linked passwd_test.go.
func Example() {
	pass := "my_pass"
	hash := "my_pass" // stored by the plain-text hasher
	pwd := passwd.New(
		&unix.MD5{}, // first is preferred type.
		&plainPasswd{},
	)
	// Verify the password against the stored hash.
	_, err := pwd.Passwd(pass, hash)
	if err != nil {
		fmt.Println("fail: ", err)
	}
	// Check if we want to update.
	if !pwd.IsPreferred(hash) {
		// An empty hash asks for a fresh hash in the preferred format.
		newHash, err := pwd.Passwd(pass, "")
		if err != nil {
			fmt.Println("fail: ", err)
		}
		fmt.Println("new hash:", newHash)
	}
	// Output:
	// new hash: $1$81ed91e1131a3a5a50d8a68e8ef85fa0
}
```
This shows how one would set a preferred hashing type and, if the current version of one’s password hash is not the preferred type, update it to enhance the security of the hashed password when someone logs in.
https://github.com/sour-is/go-passwd/blob/main/passwd_test.go#L33-L59
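As an added example (not go-passwd’s own code), a constructed hash scheme that implements the optional per-scheme IsPreferred check described above: its hashes carry their own salt, so a deployment that raises the required salt length can spot legacy hashes at login and re-hash them. The s256 type, its $s256$ format and the saltLen field are assumptions for this demo, and SHA-256 stands in for a real password KDF such as argon2.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)

// s256 is a constructed demo scheme (not go-passwd's own) storing $s256$<salt hex>$<sha256 hex>,
// with SHA-256 standing in for a real password KDF; saltLen is the salt size now required,
// while legacy hashes may still carry a shorter one.
type s256 struct{ saltLen int }

func digest(pass string, salt []byte) []byte {
	sum := sha256.Sum256(append(append([]byte{}, salt...), pass...))
	return sum[:]
}

// Hash mints a new hash with a fresh random salt of the required length.
func (s *s256) Hash(pass string) string {
	salt := make([]byte, s.saltLen)
	rand.Read(salt) // crypto/rand.Read cannot fail in Go 1.24+; older Go should check err
	return fmt.Sprintf("$s256$%x$%x", salt, digest(pass, salt))
}

// parse splits a stored hash into its fields; ok is false for any other format.
func parse(hash string) (salt, want []byte, ok bool) {
	f := strings.Split(hash, "$") // "", "s256", salt, digest
	if len(f) != 4 || f[1] != "s256" {
		return nil, nil, false
	}
	salt, _ = hex.DecodeString(f[2])
	want, _ = hex.DecodeString(f[3])
	return salt, want, len(salt) > 0 && len(want) == sha256.Size
}

// Verify recomputes the digest with the stored salt and compares in constant time.
func (s *s256) Verify(pass, hash string) bool {
	salt, want, ok := parse(hash)
	return ok && subtle.ConstantTimeCompare(digest(pass, salt), want) == 1
}

// IsPreferred is the scheme's own policy check: a hash whose salt is shorter
// than now required still verifies but should be re-hashed at next login.
func (s *s256) IsPreferred(hash string) bool {
	salt, _, ok := parse(hash)
	return ok && len(salt) >= s.saltLen
}
```

A dispatcher like the IsPreferred method above reaches this check only after the $s256$ prefix has matched, so a login that verifies but returns false here is the point at which to mint and store a fresh hash with Hash.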
New npm features for secure publishing and safe consumption
Now you can create tokens with fine-grained permissions for automating your publishing and organization management workflows. And a new code explorer allows you to view content of a package directly in the npm portal. ⌘ Read more
Ignite Realtime Blog: Denial of Service Vulnerability in Smack 4.4 if XMPPTCPConnection is used with StAX
The fantastic folks behind Jitsi have discovered a Denial of Service (DoS) vulnerability in Smack (JSA-2022-0002, [JSA-2022-0003](https://github.com/jitsi/security-advisories/blob/master/advisories/JSA-2022-00 … ⌘ Read more
How empowering developers helps teams ship secure software faster
AppSec expert Niroshan Rajadurai says putting developers at the center of everything will enable you to meet your security goals. ⌘ Read more
An enterprise account is coming to all Enterprise customers
Administrators, or enterprise owners, have the increased responsibility of managing their account and keeping it secure. We are excited to introduce what is new with enterprise accounts and what is coming soon. ⌘ Read more
NixOS 22.11 released
Hey everyone, we are Martin Weinelt and Janne Heß, the release managers for this stable release and we are very proud to announce the public availability of NixOS 22.11 “Raccoon”.
This release will receive bugfixes and security updates for seven months (up until 2023-06-30).
… ⌘ Read more
How Rapid7 Reduced Setup Time From Days to Minutes With Docker
Learn how Rapid7 — a security analytics and automations provider — used Docker to streamline developer onboarding through containerization. ⌘ Read more
GoCoverStats v0.0.5 is a security release #test #testing #security
The gocoverstats package just got a v0.0.5 security release on its golang.org dependencies and a minor change:
- golang.org/x/tools upgraded from v0.1.10 to v0.2 (security release on tools/crypto)
- github.com/google/go-cmp upgraded from 0.5.8 to 0.5.9 (test dependency non-security release)
One clarification about the default build is that, since it requires at least Go 1.18, paths and symbols are trimmed in the compiled output.
… ⌘ Read more
New in Docker Desktop 4.14: Greater Visibility Into Your Containers
Docker Desktop 4.14 brings new functionality directly into your workstations, specifically focused on providing better visibility into your container’s productivity and security. ⌘ Read more
The importance of improving supply chain security in open source
We think a lot about a high-profile supply chain attack that might cause developers, teams, and organizations to lose trust in open source. That’s why we’re investing in new ways to protect the open source ecosystem. ⌘ Read more
GitHub Enterprise Server 3.7 is now generally available
GitHub Enterprise Server 3.7 is available now, including a single view of code risk, new forking and repository policies, and security enhancements to the management console. ⌘ Read more
RT by @mind_booster: Great news from Austria!🥳 Other Member States must follow their lead and ensure that the CSA Regulation is rejected. We analyse the CSAR and propose solutions to protect children (and everyone else) here 👉 https://edri.org/our-work/a-safe-internet-for-all-upholding-private-and-secure-communications/ ⌘ Read more
Creating a more inclusive security research field
A glimpse into the backgrounds and day-to-day work of several GitHub employees in cybersecurity roles. ⌘ Read more
Cybersecurity spotlight on bug bounty researcher @ahacker1
As we wrap up Cybersecurity Awareness Month, the GitHub bug bounty team is excited to spotlight one of the security researchers who participates in the GitHub Security Bug Bounty Program. ⌘ Read more
Security Advisory: Critical OpenSSL Vulnerability
The OpenSSL Project will imminently release a security fix (OpenSSL version 3.0.7) for a new-and-disclosed CVE. In the meantime, learn how Docker tooling helps you uncover and remediate image vulnerabilities. ⌘ Read more
What we learned from the Security Lab’s Community Office Hours
The GitHub Security Lab provided office hours for open source projects looking to improve their security posture and reduce the risk of breach. Here’s what we learned and how you can also participate. ⌘ Read more
Resolve Vulnerabilities Sooner With Contextual Data
OpenSSL 3.0.7 and “Text4Shell” might be the most recent critical vulnerabilities to plague your development team, but they won’t be the last. In 2021, critical vulnerabilities reached a record high. Attackers are even reusing their work, with over 50% of zero-day attacks this year being variants of previously-patched vulnerabilities. With each new security vulnerability, we’re […] ⌘ Read more
Why we’re excited about the Sigstore general availability
The Sigstore GA means you can protect your software supply chain today with GitHub Actions, and will power new npm security capabilities in the near future. ⌘ Read more
IziDIC v0.0.2 : new features and QA #dependencyinjection #releases
The tiny fgm/izidic dependency injection container just got a new release: v0.0.2 contains new features and QA improvements.
- feature: new method Container.Names to list container keys
- feature: circular dependency detection, avoiding stack overflows
- qa: moved to new domain github.com/fgm/izidic to support Github actions
- qa: added linting checks: gofmt, go vet, staticcheck
- qa: added security scanning: CodeQL
- … ⌘ Read more
Security Advisory: CVE-2022-42889 “Text4Shell”
Learn more about the CVE-2022-42889, aka “Text4Shell” vulnerability in the “Apache Commons Text” Java library — and how Docker Security Scans identify it. ⌘ Read more
Git security vulnerabilities announced
Upgrade your local installation of Git, especially when cloning with `--recurse-submodules` from untrusted repositories, or if you use git shell interactive mode. ⌘ Read more