Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 527
Alerts This Week
Warning Icon 1 527

Stay Ahead With Linux Security News

Filter%20icon Refine news
X Clear Filters
X Clear Filters
View More

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Community Poll

Is continuous patching actually viable?

No answer selected. Please try again.
Please select either existing option or enter your own, however not both.
Please select minimum {0} answer(s).
Please select maximum {0} answer(s).
/main-polls/156-is-continuous-patching-actually-viable?task=poll.vote&format=json
156
radio
0
[{"id":503,"title":"Delayed updates invite catastrophic breaches.","votes":1,"type":"x","order":1,"pct":50,"resources":[]},{"id":504,"title":"Automated fixes break production environments.","votes":1,"type":"x","order":2,"pct":50,"resources":[]},{"id":505,"title":"Manual approvals cannot keep pace.","votes":0,"type":"x","order":3,"pct":0,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350
bottom 200
Loading...

Explore Latest Linux Security news

We found 65 articles for you...
79

C++ Community Launches Safe C++ Proposal to Enhance Memory Safety

Software development has always presented long-established programming languages with opportunities and challenges, including C++, which has long been a mainstay. However, C++ has come under scrutiny due to memory safety concerns. Because of its robust security features, developers often use Rust as an alternative language. . However, an initiative within the C++ community seeks to address these concerns with its proposal " Safe C++ ," published in the September mailing list of Working Group 21 . This initiative represents a significant movement to strengthen C++ safety features to ensure it remains an invaluable tool for future generations. To help you understand the importance of these recent efforts, I'll explain the proposal and experts' involvement in it, as well as the response of the open-source community to this monumental initiative. Understanding This Proposal At its core, the Safe C++ proposal recognizes Rust's excellent safety model, particularly its ownership and borrowing system. Rust's focus on avoiding memory management errors such as null pointer dereferencing, buffer overflows , and use-after-free vulnerabilities has established itself as an industry standard, earning praise inside and outside its community for this exceptional approach. Adopting these principles within the C++ ecosystem would significantly boost reliability and security, something highlighted in the Safe C++ proposal. Key to this proposal is the Safe Standard Library, which seeks to integrate reliable memory-safe implementations of core data structures and algorithms into the C++ Standard Library. The goal is straightforward: developers can safely reduce memory-related bugs by writing code from its inception. This library serves as the backbone of Safe C++, becoming more secure automatically rather than leaving developers to adopt best practices reactively. Stringent restrictions on unsafe operations further this transition. Safe C++ developers, for instance, are prohibited from performing tasks thatmight lead to unpredictable lifetime, type, and thread safety behaviors. Not only are such tasks discouraged, but they're actively prevented by compiler frontends, statically analyzed in compiler middle ends, or managed via runtime panic/abort mechanisms, ensuring many familiar sources of vulnerabilities are eliminated as soon as they arise. Rust's safety model goes beyond simply restricting usage and introduces novel capabilities. Safe C++ features advanced pattern matching and sophisticated borrow-checking systems that track references to prevent use-after-free bugs. Such improvements promise safer yet more expressive C++ code, leveraging Rust's groundbreaking approaches. Experts' Involvement in This Initiative This proposal showcases its considerable expertise. Founded by Sean Baxter, an accomplished developer with experience at NASA's Jet Propulsion Lab and NVIDIA, and Christian Mazakas, staff engineer for the C++ Alliance, its president, Vinnie Falco, highlighted its importance as a milestone for C++ ecosystem development. Baxter's dedication to evolving the C++ toolchain led him to develop Circle , a new C++ compiler with an integrated Rust-style borrow checker— reflecting his commitment to improving C++ through practical solutions. This historical background proves that his proposal is not an immediate reaction but part of an insightful long-term plan for improving it. Though Safe C++ may seem attractive, one may ask why not simply adopt Rust. The proposal responds by emphasizing the difficulties inherent in transitioning a vast existing codebase and community to a foreign language like Rust. Its unfamiliarity could alienate existing C++ developers, while interoperability tools needed for merging both languages would add additional layers of complexity - something evolving C++ to incorporate some aspects of Rust may help with. In such an approach, evolving C++ to include some of the best features of Rust appears more reasonable and inclusive. Safety issues surroundingprogramming languages have long been the subject of debate. Notable figures like Microsoft Azure CTO Mark Russinovich and government bodies like America's National Security Agency have issued dire warnings of memory safety vulnerabilities. Such warnings have galvanized tech industries to tackle them, making initiatives like Safe C++ timely and essential. Interesting C++ enhancement strategies don't stop with Safe C++ alone. Its creator, Bjarne Stroustrup, has proposed improving it through "profiles," sets of rules enforced by compilers to guarantee various safety properties. Critiques of this approach, like Baxter's paper "Why Safety Profiles Failed," argue that existing efforts have fallen short and that adopting Rust constructs into C++ provides more effective solutions. Examining Community Involvement in the Safe C++ Initiative Community participation is integral to this transformative process. Understanding that collaborative input is crucial, the developers of Safe C++ have sought feedback from a diverse set of stakeholders—including developers, researchers, and industry leaders—on their proposal, resolved outstanding design questions quickly, and created a stable language and standard library within 18 months for mainstream evaluation. This collaborative spirit is further demonstrated through the creation of SafeCPP.org , which serves as a central point for updates and discussions regarding this proposal. Engaging the community this way reflects a dedication to transparency and furthers communal advancement. Community reactions have ranged from enthusiastic support to cautious skepticism. Some developers are passionate about how this initiative could revitalize C++ by directly addressing its drawbacks. Yet, others question if its complexity and scope may present challenges that impede seamless integration as promised by this proposal. What are your thoughts on this proposal? Connect with us @lnxsec , and let's have a discussion! Our Final Thoughts on This Progress TowardSecuring C++ The Safe C++ proposal marks an essential moment in C++ development, seeking to protect it from memory-related bugs by drawing upon Rust's proven safety model. Integrating robust safety features directly into standard libraries and using compiler enforcement for unsafe operations are integral parts of its goal of revolutionizing the C++ safety landscape. Community collaboration will be integral to its success, marking another chapter in C++ history as we move toward modern security standards while honoring the C++ legacy. . However, an initiative within the C++ community seeks to address these concerns with its proposal 'S. software, development, always, presented, long-established, programming, languages, opportunities. . Brittany Day

Calendar%202 Nov 04, 2024 User Avatar Brittany Day Security Projects
209

Enhancing Software Security: The Role of Code Signing Solutions

Code integrity and authenticity are crucial in today's continuous and rapid momentum in software development. This is where code signing becomes highly relevant in dealing with such challenges. As per LinuxSecurity’s Linux news , the critical point behind code signing is using cryptographic signatures, which enable software origin authorization and ensure integrity. . This means developers can prove the authenticity of their software using a code-signing certificate issued by a trusted Certificate Authority, culminating in users' increased confidence and protection against malicious activities. To help you understand how code signing solutions could benefit your development efforts, I’ll explain in more depth what it is, its notable benefits, and the future of code signing heading into 2025. Understanding Code Signing First, to understand why code signing is important, one must know how it works. A developer who signs his code uses a private key; therefore, the unique digital signature has its corresponding public key so that a secure bond will validate certain things about origin and integrity. Certificate Authorities are significant here; they verify the identity of the code-signing source and link it with a code-signing certificate. Under the system of public-private keys, forging such a signature would be very difficult since it can only be signed by its rightful owner. Code signing is not something that can be taken lightly. According to the Cybersecurity and Infrastructure Security Agency, it forms a core component in securing the software supply chain. With the increasing incidence of cyber threats, there is a need to ensure that software is protected from tampering and malicious use. A single compromised piece of software can lead to significant security breaches, translating into loss and damage to reputation. Key Advantages of Code Signing Solutions Code signing solutions offer several notable advantages, including: Code Authentication A significant advantage ofcode signing is the authentication of the code. In other words, signing code provides developers a means of letting users make sure the software they are using is from an authentic source. This applies to our world, where many counterfeit applications pretend to be something else, such as malware masquerading as genuine software. A user will, therefore, view this signature and know whether or not it has been tampered with since its creation. According to an IBM study, human error accounts for 95% of cybersecurity incidents. This raises some very serious reasons why robust security measures, such as code signing, must be in place to ensure that software is authenticated and prevent developers and users from falling foul of malicious downloads and phishing attacks. Software Author Verification Beyond authentication, code signing provides the potential for software author validation. With software author validation, the recipient can validate who the developer or organization behind the software is. A good CA ensures that a developer's identity is checked and attests to the valid public key paired with the code-signing certificate. This instills confidence in users who are uncertain about downloading software from unknown sources. This is especially important in finance and healthcare because those industries have strict compliance and regulatory standards. For example, businesses that operate in regulated sectors, like HIPAA and PCI DSS , must consider proving the authenticity and integrity of a software update essential to remaining compliant. Cryptographic Protection Another major advantage of code signing is its ability to provide cryptographic protection. While carrying out code signing, it is not a question of mere origin; integrity must be ascertained. After being signed, the code must not incur any alteration whatsoever, or the digital signature will fail, which will warn users that tampering might have occurred and is likely to occur. The mechanisms conducted in such manners areessentially cryptographic and thus provide grounds for protection against attacks, particularly those against targets meant to introduce vulnerabilities into software. Moreover, cyber threats are becoming more sophisticated, demanding robust cryptography measures. From ransomware to supply chain attacks , organizations are in danger. Code signing is a substantial barrier in that direction, ensuring only verified code runs in user environments. The Changing Threat Landscape The techniques of the malicious actors themselves are as varied as their threats. One of those methods is how modern-day hackers tamper with code-signing certificates. An attacker with enough privileges could use a private key and certificate to sign code that appears to originate from another trusted source for both users and security systems. As it would be, in one fell swoop, this tactic fools users and security systems into allowing malware to bypass traditional defenses. Code-signing certificates have been central to several high-profile breaches in recent years, including when an attacker signed malware with a pilfered code-signing certificate and spread it as legitimate software, infecting widespread numbers of corporate networks. CISA has revealed that compromised code-signing certificates have been the focus of some significant security breaches lately, underlining the critical need for serious security measures by the developers and organizations issuing the code. Enforcing Strong Code Signing Practices Developers must consider stringent code-signing practices due to the current state-of-the-art threats they face. One effective strategy is using hardware security modules or another secure cryptographic device to protect private keys. By using HSMs, keys are managed in a highly secure environment, thereby reducing unauthorized access and misuse of these keys. Furthermore, periodic updating and monitoring of code-signing certificates help highlight unauthorized use, thereby revealing possible breaches.Proactively managing the certificate will significantly raise an organization's security posture by establishing a practice that periodically audits your certificate inventory. The Future of Code Signing Signing solutions will become paramount as the software development landscape changes. Cloud computing has made integrity in software an important affair for today and the future, especially with the reliance on third-party libraries. Developers should be more vigilant about keeping their code safe from potential threats since the repercussions of a security breach can be intense. Also, the global code signing certificate market will exhibit high growth shortly due to growing awareness among organizations and individuals about cybersecurity risks and the need for security in software distribution. Studies carried out by various research firms indicate that this continuous growth represents a part of the trend of adopting advanced security measures in various industries. Our Final Thoughts on the Central Role of Code Signing Solutions in Modern Linux Security Strategies Over the past few years, code signing has emerged as a standard software development process. It primarily ensures application integrity and authenticity. By signing code, developers provide users with tangible assurance of application legitimacy. That trust is significant in this day and age of malware camouflaging itself as real applications. When end-users see a verified code-signing certificate, they know it's a software engagement with which they can confidently move forward, knowing it hasn't been tampered with and comes from a trusted source. This trust gives you a safe software ecosystem, especially when a security breach has enormous ramifications. Another critical role of code signing is identifying the authenticity of software authors. This helps gain users' trust and considerably reduces counterfeit application risks. In a world where cybercriminals adopt the most deceitful methods to spread malware, knowingwho develops the applications will be imperative. Code signing associates software with the right creator to protect users from such threats. This helps users avoid downloading malicious software that may compromise the system's security, promoting a safe cyber experience. With ever-increasing cyber threats, code signing has become very important, and every developer and organization must follow this practice for robust security. Let us know @lnxsec how you're using code signing to strengthen the security of your software development! . Developers prove software authenticity with code-signing certificates, enhancing user trust and security against threats.. integrity, authenticity, crucial, today', continuous, rapid, momentum, software. . Brittany Day

Calendar%202 Nov 01, 2024 User Avatar Brittany Day Security Trends
76

Significance Of SPDX 3.0 For Software Management And Security Insights

The SPDX 3.0 release marks a significant milestone in software management, particularly for Linux admins, infosec professionals, internet security enthusiasts, and sysadmins. The SPDX community, in collaboration with the Linux Foundation , has evolved the widely used Software Bill of Materials (SBOM) communication format with a comprehensive set of updates, introducing new features and enhancements tailored to modern system use cases. . This article presents the benefits of SPDX 3.0, offering valuable insights into its implications for the security and management of software systems. What Is the Significance of the SPDX 3.0 Release? One of the most intriguing aspects of SPDX 3.0 is the introduction of profiles, which offer tailored information for popular use cases such as security, software build attestation, precise licensing, AI model training, and data set provenance. These profiles are gateways to facilitate the straightforward use of SPDX for specific scenarios, empowering developers, security engineers, data scientists, and legal professionals to leverage SPDX effortlessly for their specific use cases. This sparks curiosity for tech enthusiasts seeking to understand how SPDX 3.0 can enhance their software management practices. The significant impact of SPDX 3.0 on the software ecosystem must be highlighted, emphasizing the community-driven development process and its alignment with ISO governance standards. The involvement of key industry experts and organizations in evolving SPDX as a user-centric SBOM format shows its potential to address diverse needs, paving the way for enhanced software package management, improved compliance with licensing obligations, streamlined security practices, and optimized software build processes. Users and developers are prompted to ponder the long-term consequences of adopting SPDX 3.0 and its potential implications for mitigating risks, building trust, and demonstrating commitment to industry best practices. Industry leaders, such as Arm,Chainguard Labs, EPAM Systems, Huawei, Intel, GitHub, Google, Microsoft, MITRE, and others, have expressed their support and recognition of SPDX 3.0's importance in software supply chain security . Our Final Thoughts on SPDX 3.0 We aim to shed light on the importance of SPDX 3.0 in revolutionizing software management, bringing attention to its relevance for security practitioners and technology professionals. If you want to stay abreast of the latest advancements in open-source and Linux security, be sure to subscribe to our newsletters . Stay informed and secure, fellow Linux users! . Explore the benefits of SPDX 3.0 and its influence on software governance and security protocols for industry experts.. SPDX 3.0, Software Bill of Materials, Linux security, software management, open source compliance. . Brittany Day

Calendar%202 Apr 17, 2024 User Avatar Brittany Day Organizations/Events
82

White House ONCD Advocates Memory-Safe Programming Adoption

The Office of the National Cyber Director (ONCD) emphasizes the urgent need for developers to adopt memory-safe programming languages like Rust to minimize vulnerabilities in software. The ONCD's Back to the Building Blocks: A Path Toward Secure and Measurable Software" report is a strong recommendation rather than an executive order or law. . What Is ONCD's Recommendation for Secure Software Development? Memory-unsafe languages such as C and C++ have long been a staple in software development, but significant cybersecurity risks have also accompanied it. As Anjana Rajan, the ONCD Assistant National Cyber Director for Technology Security, points out, past catastrophic cyber incidents like the Morris worm and the Heartbleed vulnerability have often stemmed from memory safety vulnerabilities. The prevalence of security bugs in the C language is a significant issue. Almost 50% of reported vulnerabilities in the seven most widely used languages over the past decade were in C. While factors like its longevity and widespread use can contribute to this statistic, Kees "Case" Cook, a Google Linux kernel security engineer, notes that C's inherent weaknesses and undefined behaviors make it prone to security flaws. The growing endorsement of memory-safe languages like Rust by industry giants such as Microsoft further emphasizes the need for a fundamental shift in programming practices. Microsoft Azure's CTO Mark Russinovich advises developers to avoid using C or C++ and opt for Rust. This aligns with Microsoft's ongoing efforts to rewrite core libraries in Rust and integrate them into their products, like Microsoft 365. This has significant implications for the security community, as it signals a shift towards safer programming languages and the potential abandonment of traditional languages like C and C++. From the perspective of a Linux admin, infosec professional, internet security enthusiast, or sysadmin, ONCD's report highlights the immediate impact and long-term consequences of usingmemory-unsafe languages. The report prompts critical thinking and raises important questions regarding the security of existing codebases. It also serves as a call to action for these professionals to consider adopting memory-safe languages and implementing advanced diagnostics to improve software security. Our Final Thoughts on ONCD's Recommendation The recommendation from the White House's Office of the National Cyber Director to move towards memory-safe programming languages like Rust sheds light on the critical issue of software vulnerabilities. Making informed decisions in software development can help minimize cybersecurity risks. Industry leaders' growing endorsement of memory-safe languages and the potential long-term consequences for traditional languages like C and C++ should prompt a renewed focus on software security and adopting safer programming practices. What are your thoughts on ONCD's recommendation? Do you agree or disagree? Connect with us on X @lnxsec and let's have a discussion! . The ONCD's latest advisory highlights the need for a shift to memory-secure programming languages to combat cybersecurity threats in software engineering. Memory Safety, Secure Languages, Cybersecurity Recommendations. . Brittany Day

Calendar%202 Mar 04, 2024 User Avatar Brittany Day Government
76

Microsoft at Ubuntu Summit 2023: Bridging Open Source and Technology

The annual Ubuntu Summit is where Linux and open-source software lovers gather to see what’s new. This year it will take place in the beautiful city of Riga, Latvia, November 3 to 5. And guess what? Microsoft, the big name we usually associate with paid software, joined the movement. This new partnership aims for greater collaboration between major technology companies and open-source communities. . The fact that Microsoft is part of Free Summit 2023 shows that you are getting closer to open-source software. Summit attendees, in person or online, will hear from Microsoft experts. They will talk about interesting things like using Linux on Windows, building apps with .NET 8 on Ubuntu, and how Microsoft’s Azure works seamlessly with Ubuntu’s snapshot service. "Learning continues with a talk on improving security for .NET on Ubuntu containers, followed by an in-depth discussion of using Ubuntu’s new snapshot service with Azure. This session features speakers from Canonical and Microsoft, demonstrating how Azure and the Ubuntu Snapshot service can be used effectively." . Apple's involvement in the Linux Conference 2023 showcases advancements in integrating community-driven software.. Ubuntu Summit, Microsoft Collaboration, Open Source Technology, Linux Community, Azure and Ubuntu. . Brittany Day

Calendar%202 Nov 06, 2023 User Avatar Brittany Day Organizations/Events
76

Exploring OpenSSF's Initiatives to Mitigate Log4j-Like Flaws

More critical flaws similar to Log4Shell found in open source are almost inevitable, but Open Source Security Foundation ’s (OpenSSF’s) goal is to make those incidents rare and continually make the attackers’ job harder, a Linux Foundation executive noted. . Founded in 2020, OpenSSF is a cross-industry organization hosted by the Linux Foundation that brings together individuals and companies including Cisco , GitHub, Google , and VMware , to develop better security tools and practices for open source application development without bias toward a specific ecosystem or vendor. The organization offers automation tools, educational materials, and courses and develops various projects and frameworks — including Supply Chain Levels for Software Artifacts (SLSA) , Secure Supply Chain Consumption Framework (S2C2F) , Software Bill of Materials (SBOM) Everywhere , and Alpha-Omega — to improve security for the open source community, David Wheeler, Director of open source supply chain security at Linux Foundation, told SDxCentral. “Certainly nobody wants another Log4j, [but] a major vulnerability in software that beats open source or closed source is probably inevitable,” he said. “So the goal is to make these kinds of problems rare. And so we are working towards that end.” Wheeler noted OpenSSF offers open source security courses that specifically educate students not to make the mistake that happened in Apache Log4j 2 Java library. “Unfortunately, LogShell was not, as far as anyone can tell, intentional maliciousness. It was an honest mistake, in part due to the complexity of code, and in part, frankly due to people who are doing the development not knowing how to do certain kinds of secure software development, and the tools that really support them either,” he said. . The Linux Foundation is focused on preventing vulnerabilities akin to Log4j by promoting robust security measures throughout open-source development ecosystems.. OpenSSF, Open SourceSecurity, Log4j Incident, Risk Management, Secure Development. . Brittany Day

Calendar%202 Mar 13, 2023 User Avatar Brittany Day Organizations/Events
212

Importance of Open Source Software in Cloud Application Security

The software development process is getting quicker. Devops teams are under increased pressure to go to market, and they’re able to work quickly, thanks in part to open-source software ( OSS ) packages. . OSS has become so prevalent that it’s estimated to factor into 80 to 90% of any given piece of modern software. But while it’s been a great accelerator to software development, OSS creates a large surface area that needs to be protected because there are millions of packages created anonymously that developers use to build software. Most open-source developers act in good faith; they are interested in making life easier for other developers who might encounter the same challenge they’re looking to solve. It’s a thankless job because there’s no financial benefit to publishing an OSS package and plenty of backlash in comment threads. According to GitHub’s Open Source Survey , “the most frequently encountered bad behavior is rudeness (45% witnessed, 16% experienced), followed by name calling (20% witnessed, 5% experienced) and stereotyping (11% witnessed, 3% experienced).” . Utilizing open source components is essential for contemporary applications; however, they may introduce vulnerabilities. Discover ways to evaluate these threats.. Open Source Practices, Cloud Application Security, OSS Risks. . Brittany Day

Calendar%202 Jan 24, 2023 User Avatar Brittany Day Cloud Security
212

Evaluating Security Challenges of Open Source Software in Cloud Apps

The pace of software development is accelerating. Devops teams are under more pressure to launch products rapidly, and they are able to do so in part because of open-source software (OSS) tools. . According to estimates, OSS now makes up between 80 and 90 percent of all current software. However, OSS produces a big surface area that needs to be controlled because there are millions of packages published anonymously that developers utilise to build software, even though it has been a fantastic accelerator for software development. Most open source programmers behave honourably; they care about making other programmers’ lives simpler who could run into the same problem they’re trying to solve. Because there is no financial reward for publishing an OSS package and a lot of negative feedback in comment threads, it is a thankless profession. “The most frequently encountered bad behavior is rudeness (45% witnessed, 16% experienced), followed by name calling (20% witnessed, 5% experienced) and stereotyping (11% witnessed, 3% experienced).” according to GitHub’s Open Source Survey. . Open source software (OSS) is influential in technology, yet it introduces various security concerns owing to its extensive attack surface.. Open Source Software, Cloud Security, Software Challenges, DevOps Practices. . Brittany Day

Calendar%202 Jan 17, 2023 User Avatar Brittany Day Cloud Security
News Add Esm H340

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Community Poll

Is continuous patching actually viable?

No answer selected. Please try again.
Please select either existing option or enter your own, however not both.
Please select minimum {0} answer(s).
Please select maximum {0} answer(s).
/main-polls/156-is-continuous-patching-actually-viable?task=poll.vote&format=json
156
radio
0
[{"id":503,"title":"Delayed updates invite catastrophic breaches.","votes":1,"type":"x","order":1,"pct":50,"resources":[]},{"id":504,"title":"Automated fixes break production environments.","votes":1,"type":"x","order":2,"pct":50,"resources":[]},{"id":505,"title":"Manual approvals cannot keep pace.","votes":0,"type":"x","order":3,"pct":0,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350
bottom 200