As software makers, we face a unique threat model. The computers or accounts we use to develop and deliver software are of more value to an attacker than what ordinary computer users have—cloud service keys can be stolen and used for profit, and the software we ship can be loaded with malware without our knowledge. […]
Binding unescaped HTML or CSS content on a web page is a scary proposition for most web developers. The idea conjures up black-hat hackers attacking your company’s infrastructure and high-visibility hacks. In fact, cross-site scripting vulnerabilities may exist on as many as 70% of all web sites. In this post, I’ll explain what cross-site scripting […]
Security is an important concern for companies that are launching a new web or mobile application. You want to be certain that the integrity of your system and your data are protected against both intentional and casual misuse.
In an era where security breaches seem to be regularly making the news, encryption is a very important topic to understand. It helps protect your data, your interactions, and your access even when attackers make end-runs around software defenses.
First announced almost a month ago, Shellshock continues to endanger un-patched web servers and Linux devices. So what is it? How can you tell if you’re vulnerable? And how can it be addressed? What Is Shellshock? Shellshock is a vulnerability in the bash software program. Bash is a shell, installed to Linux and other operating […]
Security patches for libraries and tools come out quite frequently. Just subscribe to any Linux distribution security list, and you’ll find that security updates are released with astounding frequency, sometimes even daily. Even kernel security updates are fairly common, with two security patches being released for the kernel used by Ubuntu 12.04 LTS in June. […]
As much as I’d like to see a world where PKI is used to secure digital resources, the status quo is a world often secured by passwords. Passwords are hard to remember, and easy to lose. We should use complex, hard-to-guess passwords. We should use separate passwords for every site. We should keep passwords to […]
With the recent Heartbleed fiasco, I found myself frequently generating new SSL keys and certificates for Atomic and our customers. Even though the OpenSSL implementation of the TLS heartbeat protocol was broken, the openssl utility itself is still extremely useful for working with SSL certificates. The number of sub-commands and options for the openssl command […]
This is part of a series on GNU Privacy Guard: Getting Started with GNU Privacy Guard Generating More Secure GPG Keys: Rationale Generating More Secure GPG Keys: A Step-by-Step Guide Using an OpenPGP Smartcard with GnuPG (this post) Recap Picking up where we left off, we’re on a relatively secure (air-gapped) system with a keyring […]
This is part of a series on GNU Privacy Guard: Getting Started with GNU Privacy Guard Generating More Secure GPG Keys: Rationale Generating More Secure GPG Keys: A Step-by-Step Guide (this post) Using an OpenPGP Smartcard with GnuPG In this post, I’ll cover the generation of a new GPG key and removal of the […]