A pretty comprehensive introduction into what end-to-end encryption *actually* means in the context of instant messengers (mostly): what data specifically is encrypted where, and what popular misconceptions in this field are routinely used for marketing purposes.
"remote code execution (...) because sprintf is used unsafely"
Fortunately, the spread of trojanized packages is limited to newly built applications only because nobody updates NPM libs anyway 🤷♂️
So as long as everyone sticks to the tried strategy of "let's hold and wait if others get infected" we don't need any package signatures etc. #security
One of my favourite features of Wazuh is command monitoring which, combined with rules, allows creating sophisticated sanity checks on critical infrastructure services. #wazuh #devsecops #security https://krvtz.net/posts/checking-for-critical-failures-with-wazuh.html
The software security scanner market today is mature enough to have its own jargon, built largely by vendor marketing teams. As such, it's primarily designed to help you get rid of your infosec budget rather than help you design a reasonable security assurance architecture. This is the first part of a series that looks at SAST and DAST advantages and limitations. #infosec #software #sast #dast #iast #rasp #ssdlc #security https://krvtz.net/posts/making-sense-of-the-sast-dast-iast-rasp-soup-1.html
How Slack's STUN/TURN servers running Coturn were abused and how to fix it?
Experimenting with cool #systemd #linux #security #hardening features and the "systemd-analyze security" tool https://viewer.scuttlebot.io/%25WNfDjCz6ku1W32nh%2Ff08UAybVq2Sdl2ZwSTlvplwEXE%3D.sha256
My "DevOps guide to the galaxy of self-defending applications" video from Devoxx UA 2019
https://scitech.video/videos/watch/1ef92301-ba0e-49de-bc32-881c8cee7e53 #devops #DevSecOps #docker #Security
Video of my "Top DevOps Security Failures" (DevOps Stage Ukraine 2019)
https://scitech.video/videos/watch/2a754571-5c72-42e6-8fe0-4b71de70674f #devops #security #docker #jenkins
"15.4% of the 1.3 million Android applications we analyzed, contained security-related code snippets from Stack Overflow. Out of these 97.9% contain at least one insecure code snippet." https://www.aisec.fraunhofer.de/en/stackoverflow.html #security #privacy
That's a simple but clever one!
Web servers using nginx and PHP-FPM are vulnerable to this flaw under certain conditions. https://www.tenable.com/blog/cve-2019-11043-vulnerability-in-php-fpm-could-lead-to-remote-code-execution-on-nginx #php #security #exploit
I re-uploaded the "Unicode: The hero or villain? Input Validation of free-form Unicode text in Web Applications" https://scitech.video/videos/watch/38bc6082-c97a-4422-bbb5-5a96d94f8603 as the previous one hiccuped, perhaps due to a broken MP4 #owasp #security #unicode
There's a nice #linux tool:
systemd-analyze security SERVICE
It looks at #security and confinement features used by systemd services as documented here https://www.freedesktop.org/software/systemd/man/systemd.exec.html
An example for my radvd.service
Just posted my OWASP 2018 presentation on #peertube: Unicode: The hero or villain? Input Validation of free-form Unicode text in Web Applications https://scitech.video/videos/watch/82f2fd2d-d661-41b9-8352-f0bddfa70b0e #unicode #security
Polish expat into UK. Information security engineer. Caver & cave rescuer (thus the bat). NHS volunteer & blood donor.