Supply Chain Problems

Since I just completed Developing Secure Software and got my certificate, I’ve been paying more attention to the security aspects of the process of developing software. This article about npm and PyPI security caught my eye. The article describes a paper that evaluates the security practices for these widely used software repositories and finds them lacking. They do follow many of the best practices but fall short on some others. The number of packages that were found to have vulnerable patterns is less than 1%, but that doesn’t help you if you use one and get attacked.


Secure It

I just finished the Developing Secure Software course from The Linux Foundation. It was a solid introduction to the basics of developing more secure software. It features a good overview of the tools and techniques that can be applied during all phases of the software development lifecycle. I had a solid understanding of some of the material (e.g., cryptography and GDPR) but it was a good refresher on those topics and got me thinking much more about the process of designing and developing secure software in general.


Pass the honey

FOSDEM has many interesting presentations. I watched this interesting and informative session by Sanja Bonic and Janos Pasztor that discussed using ContainerSSH to create a honeypot to observe system attackers. I’d not heard of ContainerSSH before and it’s a really interesting tool that creates a container and connects an SSH user to it. The honeypot example was a nice illustration of what you can do with it but there are some other interesting use cases as well for education and ephemeral system provisioning.
