Monthly Archives

April 2016

SecurityWeek: No Exit: The Case for Moving Security Information Front and Center

SecurityWeek has published an article by CII’s Emily Ratliff called No Exit: The Case for Moving Security Information Front and Center.

The top 4 were picked for brevity for this article, but I encourage you to compare the full lists for greater impact. With this in mind, the similarities between the two lists released 13 years apart are startling and humbling.

Read more at SecurityWeek.

Kees Cook Updates CollabSummit Attendees on the Kernel Self-Protection Project

Kees Cook enthralled CollabSummit attendees last week with his update on how the Linux Kernel Self-Protection project is coming along. There are now developers from several different organizations (Google, Linaro, Oracle, Red Hat, Intel, one self-funded, and one funded by CII) participating in the project. Kees went into detail, with examples, about why it is important not to stall out just fixing security bugs as they appear, and why we need to proactively develop technology that defeats entire classes of bugs before they can be exploited. Kees’ charts are available online.

SecurityWeek: Establishing Correspondence Between an Application and its Source Code

SecurityWeek has published an article by CII’s Emily Ratliff called Establishing Correspondence Between an Application and its Source Code.

Soon it will be possible to enroll the signed hashes from the package management system as IMA attributes during the installation process. Then, if you configure your system to be IMA enforcing, you will know that every running application came from your trusted distribution.

If your trusted distribution uses reproducible builds, then you will be able to directly trace the chain of integrity of the executing process back to the original code and know that the code has not been subverted during delivery.

Read more at SecurityWeek.