Cyber security is complex, but effective security solutions do not need to be complex or expensive. To avoid misunderstandings: simplifying your security landscape is not simple at all; it means rethinking your strategy and re-prioritizing objectives. More budget and more expensive security technology does not by itself mitigate your security risks. The best preventive measures, such as a good security architecture, require neither complex technology nor expensive maintenance. Try it with open tools.
1. Eliminating Memory Safety Vulnerabilities at the Source
If everyone wrote their programs in a memory-safe language such as Rust, many security tools and security professionals would no longer be needed. This 2024 article from Google is a great read: “Fighting against the math of vulnerability lifetimes has been a losing battle.”
(link)
2. Thanksgiving 2023 security incident
I am no fan of Cloudflare, but this is a good write-up and gives some openness about how Cloudflare handles security incidents. It holds valuable lessons, not only for Cloudflare!
(link)
3. Cybersecurity Misconfigurations
Simple checklists do work. OWASP is famous for its Top 10 lists. Knowing what the common mistakes are is input for doing better. This is a great list of the ten most common network misconfigurations, published as a joint advisory by NSA and CISA.
(link)
4. PHP Core Security Audit Results
A good way to figure out whether you are dealing with sensible security professionals is to mention the magic words ‘PHP’ or ‘WordPress’. Biased professionals who have not programmed in PHP in recent years, nor inspected security breaches involving WordPress, will explode and frame PHP as an insecure and immature language. The truth is that PHP, and especially WordPress, are among the most battle-tested software available. But discussing facts, and mixing facts with opinions, has proven useless. This report presents solid facts on the status of PHP security.
(link)
5. New Vulnerability in GitHub Copilot and Cursor
Preventing supply chain attacks has proven to be difficult. You need to manage and control the complete development process. Having an SBOM (software bill of materials) does not by itself make you more secure! Using AI agents also has an impact on security, and not a positive one. Using AI does not mean your code is good and secure. Often it is the opposite.
(link)
6. The Chromium Security Paradox
Chromium’s developers and security experts are at the forefront of tackling complex security challenges. This is a good article for learning more about the Chromium threat model and its security challenges.
(link)
7. Does Functional Package Management Enable Reproducible Builds at Scale? Yes.
This is not an easy read, but it is a great article for learning more about reproducible builds, functional package management and why the approach works.
(link)
8. Passkeys Are Vendor Lock-in and Imperialism, Not Security, So Escape Them Before They Latch Onto Your Workflows
When Google, Microsoft and many other Big Tech companies promote passkeys, you know it is not being done to protect your security and privacy.
(link)
9. A secure, account-free way to share .env files with E2E encryption
When I see articles like this, I am curious: how does it work? After a quick scan, my preliminary advice is: never use such a solution. All your secrets will be stolen or sold sooner or later. Or maybe the service is set up to steal your secrets instead of protecting them? Trust is everything. End-to-end encryption without openness and full transparency is just marketing!
(link)
The Open Security newsletter is an overview of cyber security news with a core focus on openness. Pointing out what went wrong after a security breach is easy; designing good and simple measures is hard. So join the Open Security Reference Architecture collaboration project to create better solutions together, or become a partner to support this project. Use our RSS or Atom feed to follow Open Security News.