Red Hat Security Blog: January 2014 archives

  • Java deserialization flaws: Part 2, XML deserialization

    All classes which implement the java.io.Serializable interface can be serialized and deserialized, with Java handling the plumbing automatically. In the first part of this two-part series, we looked at some of the unexpected security consequences which can arise from usage of binary deserialization in Java applications. This second part of the series will focus on security issues related to XML deserialization. XML Deserialization: An alternative approach to Java's native binary serialization is...
    Posted 2014-01-23T14:30:05+00:00
  • CWE Vulnerability Assessment Report 2013

    Common Weakness Enumeration (CWE) is a list or dictionary of common software weaknesses. Red Hat has adopted CWE as a common language for describing and classifying vulnerabilities, used as a base for evaluation and prevention of weaknesses. Results of classifications are reviewed periodically and are used to direct our efforts in strengthening security of development practices, tools, assessment services, education programs and documentation. As a part of this effort Red Hat Customer Portal...
    Posted 2014-01-15T14:30:10+00:00
  • Securing OpenStack's Dashboard using Django-Secure

    When it comes to security it is an unfortunate reality that technologies are rarely straightforward to use or easy to deploy. So it is quite refreshing to find something that breaks that mould. There is a fantastic project called django-secure which I believe does just this. The idea is to provide a way to enforce secure defaults for Django projects. It achieves this in two key ways. The first being a deployment check that you can run as a part of the typical django-admin manage.py workflow, the...
    Posted 2014-01-08T14:30:48+00:00