Open Security News week 5-2023

Threats develop constantly as criminals advance their techniques and new vulnerabilities are discovered every day. Therefore, mitigation measures should be continuously developed and updated. However, many organisations depend too much on vulnerable vendor solutions that overpromise but underdeliver. Simple measures at scale, such as applying a security-by-design approach to all new projects, are often lacking. There are no silver bullets when it comes to cyber security. It’s just doing the hard work. Daily.

1 Web Hackers vs. The Auto Industry: Critical Vulnerabilities

Not a nice story if you have a new car with fancy new software. Vulnerabilities affecting the automotive industry will hit the news more and more. This story outlines some findings in detail.


2 SaaS should not be the default: Why data breaches signal return to self-hosting

Depending on your age and experience in the industry, the prospect of self-hosted software returning can range from plausible to laughable. The instinct to doubt makes sense – SaaS became the dominant model of software delivery for a variety of valid reasons. But after years of what I call outsourcing to a black-box environment, more and more security breaches have been exposed. The big barrier for cloud hosting was always the uncontrolled security risks and concerns. So is self-hosted software making a comeback in 2023? The fairy tale that SaaS or cloud security is always better from a security perspective was and is simply never true.


3 Three Lessons from Threema – Analysis of a Secure Messenger

Most people assume messaging is private and secure. Threema is a Swiss encrypted messaging application. It has more than 10 million users and more than 7000 on-premise customers. It is also used heavily by governments. This research is a must-read to keep you focused on vulnerabilities when using encryption. Excellent paper, presented in an easy-to-read HTML version too!


4 Business adoption and use of reproducible builds

Reproducible builds (R-Bs) are software engineering practices that reliably create bit-for-bit identical binary executable files from specified source code. There are good engineering reasons to use R-Bs in industrial software development, and the principle of establishing correspondence between source code and binary offers opportunities for the development of further applications. This research paper is a well-documented and insightful read.

This article describes an interview study that focuses on the adoption and uses of R-Bs in industry – with examples, and some pros and cons.

Of course all information on R-Bs can be found in our Security Reference Architecture.
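To make the "bit-for-bit identical" definition concrete, here is an added example (not code from the article or the paper it cites) of a packaging step that is not reproducible next to one that pins every nondeterministic input. It assumes the "build" is a gzip'd tar of a constructed source tree, the kind of artifact independent builders compare by hash:

```python
"""Added example, not code from the article or the paper it cites: a naive
packaging step is not reproducible, while pinning file order, mtimes, owner
and the gzip timestamp makes two builds of the same source bit-for-bit
identical. Assumption: the 'build' is a gzip'd tar of a constructed tree."""
import gzip, hashlib, io, os, tarfile, tempfile, time

SOURCE_TREE = {"main.c": b"int main(void){return 0;}\n", "README": b"demo\n"}

def naive_build(src_dir):
    """Uses on-disk mtimes and the current time as gzip header timestamp."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in os.listdir(src_dir):  # arbitrary directory order
            tar.add(os.path.join(src_dir, name), arcname=name)
    return buf.getvalue()

def reproducible_build(src_dir, source_date_epoch=0):
    """Same packaging, with SOURCE_DATE_EPOCH-style pinning of all inputs."""
    buf = io.BytesIO()
    gz = gzip.GzipFile(fileobj=buf, mode="wb", mtime=source_date_epoch)
    with tarfile.open(fileobj=gz, mode="w") as tar:
        for name in sorted(os.listdir(src_dir)):  # deterministic order
            path = os.path.join(src_dir, name)
            info = tar.gettarinfo(path, arcname=name)
            info.mtime, info.mode = source_date_epoch, 0o644
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            with open(path, "rb") as f:
                tar.addfile(info, f)
    gz.close()
    return buf.getvalue()

def build_twice(builder):
    """Check the constructed tree out twice, >1 s apart (two independent
    builders), build each, and return the SHA-256 digests of both artifacts."""
    digests = []
    for i in range(2):
        if i:
            time.sleep(1.1)  # so the second checkout gets later timestamps
        with tempfile.TemporaryDirectory() as d:
            for name, content in SOURCE_TREE.items():
                with open(os.path.join(d, name), "wb") as f:
                    f.write(content)
            digests.append(hashlib.sha256(builder(d)).hexdigest())
    return digests[0], digests[1]

def unpack(artifact):
    """Read an artifact back as {member name: content} to check nothing was lost."""
    with tarfile.open(fileobj=io.BytesIO(artifact), mode="r:gz") as tar:
        return {m.name: tar.extractfile(m).read() for m in tar.getmembers()}
```

The naive digests differ on every run, the pinned ones match, which is exactly the check a second builder performs before trusting a binary.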


5 Is it worth encrypting?

Encrypting data is always a good solution, especially for data at rest. But when administration is not idiot-proof, encryption can mean losing data. This article delves into the question of whether choosing to encrypt is always the best choice. My two cents: if you are storing private data you should encrypt. Period. But storing encryption keys idiot-proof over long periods of time is never simple.


6 Hyundai Head Unit Hacking

I love hacking stories like this. Software in modern cars is vulnerable. But the real bad news is that cyber risks will impact your safety. The risk of a software security breach is mostly low, but the impact is not nice when you are the test dummy in a hacked car. So do not jailbreak your car software if you are not really sure what you are doing.


7 A 6 minute introduction to homomorphic encryption

I had to look twice. Yes, this is a promotion for a product. But the explanation is imho good and worth sharing here. Fully Homomorphic Encryption is a technology that enables processing data without decrypting it. It is used for machine learning applications, or should be more and more in the future. Nice short read!
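Added example (not from the article or the product it promotes) of what "processing data without decrypting it" looks like in code: a textbook Paillier cryptosystem, which is additively homomorphic, a weaker relative of the fully homomorphic schemes the article describes, used to let a server score a linear model on features it cannot read. It assumes tiny fixed primes purely for illustration:

```python
"""Added example (not from the article or the product it promotes): a
textbook Paillier cryptosystem, additively homomorphic rather than fully
homomorphic, showing a server evaluating a linear model on data it cannot
read. Assumption: tiny fixed primes for illustration; a real deployment
needs 2048-bit-plus moduli and a vetted library, not hand-rolled code."""
import math
import secrets

def keygen(p, q):
    """Return public key n and secret key (lambda, mu); g is fixed to n+1."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    # With g = n+1, L(g^lambda mod n^2) = lambda mod n, so mu = lambda^-1 mod n
    mu = pow(lam % n, -1, n)
    return n, (lam, mu)

def encrypt(n, m):
    """Public-key operation: c = (1+n)^m * r^n mod n^2 with random r."""
    assert 0 <= m < n, "plaintext must be reduced mod n"
    n2 = n * n
    r = 1 + secrets.randbelow(n - 1)                 # 1 <= r < n
    while math.gcd(r, n) != 1:
        r = 1 + secrets.randbelow(n - 1)
    return (pow(n + 1, m, n2) * pow(r, n, n2)) % n2

def decrypt(n, sk, c):
    """Secret-key operation: m = L(c^lambda mod n^2) * mu mod n."""
    lam, mu = sk
    x = pow(c, lam, n * n)
    return ((x - 1) // n * mu) % n

def add_encrypted(n, c1, c2):
    """Ciphertext of m1 + m2: multiply ciphertexts, no key needed."""
    return (c1 * c2) % (n * n)

def scale_encrypted(n, c, k):
    """Ciphertext of k * m for a plaintext constant k, no key needed."""
    return pow(c, k, n * n)

def encrypted_linear_score(n, enc_features, weights):
    """Server side: evaluate w.x for a linear model with plaintext weights w
    on encrypted features x. The server only ever sees ciphertexts and n."""
    acc = encrypt(n, 0)                              # fresh encryption of 0
    for c, w in zip(enc_features, weights):
        acc = add_encrypted(n, acc, scale_encrypted(n, c, w))
    return acc
```

Only the key holder can decrypt the returned score; the server never learns the features, which is the property the article is selling.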


8 The Mac Malware of 2022

I always smile when nice people with Mac computers say malware does not hit the macOS platform. This story is a collection of proven Mac malware found in 2022. Security threats target macOS as well as other platforms nowadays. The only advantage of having a Mac is that you do not have to worry about privacy: you have no privacy when using macOS.


9 The Audit of Git is Complete!

The Open Source Technology Improvement Fund (OSTIF) is thrilled to announce the results of a security audit and threat model for git. Git is the world’s most widely used version control system, and it underpins not only open source, but the vast majority of public and private software development today. To say that git is infrastructure is an understatement; it reaches nearly every corner of software development and touches nearly every product that has software in one way or another.



The Open Security newsletter is an overview of cyber security news with a core focus on openness. Pointing out what went wrong after a cyber security breach is easy. Designing good and simple measures is hard. So join the open Security Reference Architecture collaboration project to create better solutions together. Or become a partner to support this project. Use our RSS or ATOM feed to follow Open Security News.