Foxy pointer

My principal browser is still Firefox. In some ways, it’s just because it’s different, but it also seems to have fewer security and privacy issues than the Chromium Industrial Complex. It’s far from perfect though, and a nasty use-after-free bug was found and fixed this week. It’s somewhat amazing that bugs like this are still found in mature pieces of software, but that is par for the course. A use-after-free happens when memory is released while a pointer to it is still around and that pointer is later used; it’s easy to free an object and forget to set the pointer to NULL (or otherwise invalidate every remaining reference to it), and in a huge codebase a dangling pointer like that is easy to overlook.
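As an added illustration (not code from Firefox or from the bug mentioned above), here is the dangling-pointer pattern in C beside the free-and-null habit the paragraph refers to. The `session_t` type and the function names are made up for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed record type for the demonstration; not from Firefox. */
typedef struct {
    int id;
    char name[32];
} session_t;

/* Allocate and initialise a record. Returns NULL on allocation failure. */
session_t *session_new(int id, const char *name)
{
    session_t *s = calloc(1, sizeof *s);
    if (!s)
        return NULL;
    s->id = id;
    strncpy(s->name, name, sizeof s->name - 1); /* calloc left the terminator */
    return s;
}

/* The pattern behind a use-after-free: the callee frees the record but
 * the caller's pointer keeps its old value. Nothing stops the caller from
 * reading or writing through it later, by which time the allocator may
 * have handed that memory to something else. Shown for contrast only;
 * main() does not call it. */
void session_close_dangling(session_t *s)
{
    free(s);
}

/* Hardened variant: take the address of the caller's pointer so the
 * function can release the memory and null the pointer in one step.
 * A later use then hits a NULL check, or a deterministic crash, rather
 * than silently touching freed memory. Calling it twice is harmless. */
void session_close(session_t **sp)
{
    if (sp && *sp) {
        free(*sp);
        *sp = NULL;
    }
}

/* Every consumer treats NULL as "no session" and refuses to proceed. */
int session_name_len(const session_t *s)
{
    if (!s)
        return -1;
    return (int)strlen(s->name);
}

int main(void)
{
    session_t *s = session_new(7, "alice");
    if (!s)
        return 1;
    printf("before close: name length %d\n", session_name_len(s));
    session_close(&s);
    /* s is now NULL, so the access is rejected instead of reading freed memory. */
    printf("after close: name length %d\n", session_name_len(s));
    return 0;
}
```

Nulling the pointer you passed in only protects that one pointer. If the same object is also referenced from a list, a callback registration or another thread, those copies still dangle, which is why larger codebases lean on ownership discipline or reference-counted smart pointers and run AddressSanitizer, which reports heap use-after-free at the offending access, in their test suites.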

Read More

Supply Chain Problems

Since I just completed Developing Secure Software and got my certificate, I’ve been paying more attention to the security aspects of the software development process. This article about npm and PyPI security caught my eye. It describes a paper that evaluates the security practices of these widely used package repositories and finds them lacking: they follow many of the best practices but fall short on some others. Fewer than 1% of packages were found to have vulnerable patterns, but that is no consolation if you depend on one of them and get attacked.

Read More

Secure It

I just finished the Developing Secure Software course from The Linux Foundation. It was a solid introduction to the basics of developing more secure software, with a good overview of the tools and techniques that can be applied during all phases of the software development lifecycle. I already had a solid understanding of some of the material (e.g., cryptography and GDPR), but it was a good refresher on those topics and got me thinking much more about the process of designing and developing secure software in general.

Read More

Pass the honey

FOSDEM has many interesting presentations. I watched an informative session by Sanja Bonic and Janos Pasztor on using ContainerSSH to build a honeypot for observing attackers. I’d not heard of ContainerSSH before; it’s a really interesting tool that spins up a container and connects an SSH user to it. The honeypot was a nice illustration of what you can do with it, but there are other interesting use cases as well, such as education and ephemeral system provisioning.

Read More