VSHN.timer #117: Signatures and Vulnerabilities
Welcome to another VSHN.timer! Every Monday, 5 links related to Kubernetes, OpenShift, CI / CD, and DevOps; all stuff coming out of our own chat system, making us think, laugh, or simply work better.
This week we’re going to talk about how to properly secure our software with SSH signatures and best practices.
1. Here’s a not very well-known fact, which we now know thanks to Andrew Ayer: since OpenSSH 8.0 it is possible to sign arbitrary files of any kind using SSH, thus effectively replacing the widely derided and aging GPG mechanism used for the same purpose. And Git 2.34 will include this mechanism to sign commits.
https://www.agwa.name/blog/post/ssh_signatures
2. How to sign packages generated in GitHub Actions securely and without GPG? Christian Rebischke explains how thanks to a new recent feature just released in the cosign container signature and verification tool.
https://shibumi.dev/posts/keyless-signatures-with-github-actions/
3. Nowadays, when you can’t even be sure that your private browsing is private at all, software engineers must accelerate their training in security. Loren Kohnfelder’s is a veteran in the industry with over 50 years of experience, and his latest book, „Designing Secure Software“ has already been qualified as one of the best software security books ever written.
https://designingsecuresoftware.com/
4. Ever heard about Linus‘ Law? „Given enough eyeballs, all bugs are shallow“. Robert L. Glass vehemently called it a fallacy 20 years ago… and here’s (another) empirical confirmation: Nicholas Boucher and Ross Anderson from the University of Cambridge just presented their „Trojan Source“ paper, explaining a way to (mis)use Unicode control characters to embed malicious instructions in (at first look) completely harmless code.
5. We are in the golden age of the ARM CPU architecture. From smartphones, to Raspberry Pis, to the latest and most hyped laptops, it’s everywhere; cheap, efficient, and fast. But this popularity also brings new unforeseen security risks; here’s a double-free vulnerability in the ARM architecture, including all the required information to reproduce it, and how it could be exploited.
https://github.com/stong/how-to-exploit-a-double-free
Do you scan your containers for vulnerabilities? What key management strategy does your team use? Would you like to share some tips and tricks with our readers? Get in touch with us, and see you next week for another edition of VSHN.timer.
PS: would you like to receive VSHN.timer every Monday in your inbox? Sign up for our weekly VSHN.timer newsletter.
PS2: do you prefer reading VSHN.timer in your favorite RSS reader? Subscribe to this feed.
PS3: check out our previous VSHN.timer editions about Security: #8, #17, #22, #27, #32, #44, #54, #62, #76, #84, #93, and #106.
Adrian Kosmaczewski
Adrian Kosmaczewski ist bei VSHN für den Bereich Developer Relations zuständig. Er ist seit 1996 Software-Entwickler, Trainer und veröffentlichter Autor. Adrian hat einen Master in Informationstechnologie von der Universität Liverpool.