1. Revisiting Ken Thompson’s Reflection on Trusting Trust

    • Creating software entirely from scratch is impractical today. Every component, library, and tool we use in software development relies on open source libraries and compilers. In his talk "Reflections on Trusting Trust," Ken Thompson brilliantly demonstrates that "You cannot trust code that you did not totally created yourself." I find the method of proving this assertion to be absolutely fascinating. It could be one of the most bold and thought-provoking ideas in cybersecurity history. In this article, I revisit Thompson's famous proof of distrust, 40 years later.

  2. A Prime on Public Key Infrastructure

    • This article delves into symmetric and asymmetric encryption, as the building blocks of Public Key Infrastructure (PKI). It describes how PKI allows safeguarding the authenticity and security of digital communications across the internet.

  3. The Software Supply Chain

    • The software supply chain encompasses all technologies and processes involved in moving code from development to production. It heavily relies on third-party components, which introduces significant security and maintenance risks. Supply chain attacks occur when malicious actors compromise these components, making entire infrastructures vulnerable, as seen in incidents like the SolarWinds breach. To mitigate these risks, organizations must harden their supply chains by increasing data collection and analysis to detect attacks, adopting preventive tools and processes, and establishing rapid recovery mechanisms. This article covers how to implement reproducible builds and continuously assessing all elements of the supply chain, which are critical steps toward maintaining a secure and efficient software delivery pipeline.

  4. The Zip Slip Vulnerability Exploitation

    • The Zip Slip vulnerability is a serious security flaw that exploits unprotected file extraction to perform directory traversal attacks. In this post, I explain how malicious archives exploit weak validation in extraction code, potentially allowing attackers to overwrite sensitive files and execute commands. I also provide an example of the vulnerability in Java, along with a guide for setting up and preventing these attacks in your code.

 ai (4) algorithms (2) big-data (1) career (10) cloud (1) crypto (1) debloating (3) devops (3) github (3) java (8) latex (1) metrics (1) politics (1) productivity (2) sarcasm (3) science (17) security (4) web (1)