Data Safety and Information Security

While software bill of materials (SBOMs) have emerged as a potential way for organizations to begin to secure their supply chains, they are not a panacea. However, complementing SBOMs with Supply-Chain Levels for Software Artifacts (SLSA) shows great promise. SLSA provides a framework and roadmap so that the industry can start adhering to the implementation of SBOMs and other security good practices for securing the software supply chain.

One way to tame your email inbox is to get in the habit of using unique email aliases when signing up for new accounts online. Adding a "+" character after the username portion of your email address -- followed by…

We find it fascinating to contemplate the future of privacy and confidentiality in computation. Privacy-enhancing technologies (PETs), as a…

A new analysis commissioned by DARPA quantifies how the decentralized tech that runs the currency system could be compromised.

Apple intros "extreme" optional protection against the scourge of mercenary spyware.

Microsoft says that a recently spotted Windows worm has been found on the networks of hundreds of organizations from various industry sectors.

Before Microsoft shutters basic logins in a few months

APT actors from Russia, China, and India have been observed using the RTF-template injection technique that researchers say is poised for wider adoption.

We're excited to announce that we're open sourcing our Identity and Access Management solution: Entitlements.

How can you robustly assert and identify a user’s identity?

It’s you versus the QR code, so how do you know if there it contains malware?

Abstract. Although cyber conflict has existed for thirty years, the strategic utility of cyber operations remains unclear. Many expect cyber operations to provide independent utility in both warfare and low-intensity competition. Underlying these expectations are broadly shared assumptions that information technology increases operational effectiveness. But a growing body of research shows how cyber operations tend to fall short of their promise. The reason for this shortfall is their subversive mechanism of action. In theory, subversion provides a way to exert influence at lower risks than force because it is secret and indirect, exploiting systems to use them against adversaries. The mismatch between promise and practice is the consequence of the subversive trilemma of cyber operations, whereby speed, intensity, and control are negatively correlated. These constraints pose a trilemma for actors because a gain in one variable tends to produce losses across the other two variables. A case study of the Russo-Ukrainian conflict provides empirical support for the argument. Qualitative analysis leverages original data from field interviews, leaked documents, forensic evidence, and local media. Findings show that the subversive trilemma limited the strategic utility of all five major disruptive cyber operations in this conflict.

Posted on 2022-05-27

A walkthrough of one of the stealthy communication techniques employed in a recent attack using APT34's Saitama backdoor.

Outlining how my thinking has evolved after working with various cloud deployment types and integrating security into many kinds of apps.

Adds infosec regulation coming to more industries but with a light touch, more collaboration

GraphQL is a friendly alternative to REST APIs. But there are some security repercussions of adopting GraphQL developers need to know.

Computer security only happens when software is kept up to date. That should be a basic tenet for business users and IT departments. Apparently, it isn’t. At least for some Linux users who ignore installing patches, critical or otherwise.

Do you worry that a CVE will hurt the reputation of your project? In reality, CVEs are a tracking number, and nothing more. Here's how we think of them at GitHub.

Making security every team’s problem and recruiting those most interested to formalize their involvement is a solid cultural approach.

This online session shows you what constant vigilance should look like

Amazon Web Services (AWS) Lambda, serverless computing's poster child, is over seven years old and only now has experienced the first malware specifically targeting Lambda, Denonia

While QR codes hold significantly more data than bar codes, they are also more prone to phishing attacks.

When few developers see security it as their responsibility, how do you build a culture to support a zero trust strategy in your organization? #security #DevSecOps #zerotrust

PKI has created a global trust framework for the web. But the war in Ukraine has shone a light on its weaknesses. Hierarchies are not good architectures for building robust, trustworthy, and stable digital systems.