• Transport Layer Security

    TLS, or Transport Layer Security, is one of the most widely used protocols on the Internet. It replaced SSL: when you visit a website by typing https:// in your browser, you are most likely using TLS to securely transmit your data to and from the web server. To most people TLS works like magic. This article takes a brief look at TLS internals. TLS is based on the earlier SSL (Secure Sockets Layer) specification developed by Netscape for their Navigator browser. It is an IETF standard...
    Posted 2013-07-24T13:30:56+00:00 - 0
  • An Introduction to Cryptographic Authentication and Encryption

    If you are on the Internet then you more than likely have used encryption whether you knew it or not.  Logging into the Gmail™ webmail service or your bank more than likely involves setting up an encrypted path between your web browser and the web server that is hosting the site.  When done correctly all the information that is passed over the Internet is secure against eavesdroppers that may be watching the information pass across the network.  Fortunately for most of us, the process of...
    Posted 2013-07-17T13:30:46+00:00 - 0
  • Reporting security flaws for OpenJDK 6

    Oracle has announced that it no longer provides public updates to their proprietary Oracle Java SE 6, as of February 2013. These updates, which may include security patches, are now only available to users of Oracle Java SE 6 who have a commercial support agreement with Oracle. Users who have a need for support on Java SE 6 and are not willing to consider commercial support from Oracle have another choice. Red Hat recently assumed a leadership role for the OpenJDK 6 project. OpenJDK is an open...
    Posted 2013-07-03T13:00:35+00:00 - 0
  • CWE Coverage for Red Hat Customer Portal

    This is part three of a three-part series on CWE usage within Red Hat. Part one discussed vulnerability assessment for secure software development while part two discussed the CWE compatibility for the Red Hat Customer Portal. This part will discuss the CWE coverage for the Red Hat Customer Portal. CWE has different views for different audiences and purposes. In the early stages of development, CWE only had one hierarchical representation, which originated the current Development Concepts View...
    Posted 2013-06-19T13:00:51+00:00 - 0
  • CWE Compatibility for Red Hat Customer Portal

    This is part two of a three-part series on CWE usage within Red Hat. Part one, Outside-in Vulnerability Assessment for Secure Software Development discussed the role of CWE in our own outside-in methodology. This part will discuss the Red Hat engagement for CWE compatibility and how CWE identifiers are assigned to Red Hat vulnerabilities. We have engaged in the CWE Compatibility and Effectiveness Program and worked towards fulfilling its requirements for using CWE in our own outside-in...
    Posted 2013-06-05T13:00:11+00:00 - 0
  • Outside-in Vulnerability Assessment for Secure Software Development

    Outside-in vulnerability assessment for secure software development is a process for identifying and eliminating some of the most dangerous and potentially exploitable weaknesses in your existing products and projects. Some well-known secure software development methodologies have their security practices grouped into phases, from training to response. However, you may have your main product already within the response phase, whereas its development was not done practicing secure software...
    Posted 2013-05-22T13:00:46+00:00 - 0
  • Battling open resolvers

    A recent blog by ISC discussed Is Your Open DNS Resolver Part of a Criminal Conspiracy? The problem is that open recursive DNS servers can be used by attackers to attack victims as part of distributed denial of service (DDoS) attacks. This type of attack is generally known as a DNS amplification attack. Due to the nature of the DNS protocol, a very small request can be sent as a single UDP packet, and since UDP is connectionless and does no handshake, the source address can be spoofed. The open DNS resolver will...
    Posted 2013-05-08T13:00:22+00:00 - 0
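    The mechanism the excerpt above describes, worked through in code as an added example (this is not code from the post or from ISC): a DNS query is packed the way an amplification attacker would send it (a small UDP payload, RD=1, QTYPE ANY), and a response header is parsed for the combination that marks a resolver as open, namely QR=1, RA=1 (recursion available), AA=0 and RCODE 0 for a name the server is not authoritative for. The response bytes at the bottom are constructed for the example, not captured traffic, and the `probe` function is the only part that touches the network.

```python
"""Build a DNS query and check a response for the open-recursion signature.

Added example, not code from the original post. The sample response bytes
below are constructed for the example, not captured traffic.
"""
import socket
import struct

# Query types from RFC 1035; ANY (255) is the type amplification attacks favour
# because it returns every record at the name.
QTYPE = {"A": 1, "NS": 2, "TXT": 16, "ANY": 255}


def encode_name(name):
    """Encode "example.com" as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype="ANY", txid=0x1234, rd=True):
    """12-byte header plus one question. RD=1 asks the server to recurse."""
    flags = 0x0100 if rd else 0x0000            # QR=0, OPCODE=0, RD bit only
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)  # class IN
    return header + question


def parse_header(packet):
    """Return the header fields an open-resolver check needs."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),      # response bit
        "aa": bool(flags & 0x0400),      # authoritative answer
        "ra": bool(flags & 0x0080),      # recursion available
        "rcode": flags & 0x000F,
        "ancount": an,
    }


def looks_open(query, response):
    """A server that answers our RD=1 query for a name it is not authoritative
    for with QR=1, RA=1, AA=0, RCODE 0 and at least one answer recursed on
    behalf of an arbitrary client: the open-resolver signature."""
    q = parse_header(query)
    r = parse_header(response)
    return (r["id"] == q["id"] and r["qr"] and r["ra"] and not r["aa"]
            and r["rcode"] == 0 and r["ancount"] > 0)


def amplification(query, response):
    """Bytes the victim receives per byte the attacker spent (UDP payload only)."""
    return len(response) / len(query)


def probe(server, name="example.com", timeout=2.0):
    """Send the query to a real server. Not used by the offline test; only run
    it against resolvers you are authorised to test."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        resp, _ = s.recvfrom(4096)
    return looks_open(q, resp), amplification(q, resp)


# Constructed sample traffic. Open resolver: same ID, QR|RD|RA set (0x8180),
# RCODE 0, three answers, with zero bytes standing in for a large answer section.
SAMPLE_QUERY = build_query("example.com")
SAMPLE_OPEN_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 3, 0, 0)
                        + SAMPLE_QUERY[12:] + b"\x00" * 1500)
# Properly restricted resolver: QR|RD set, RA clear, RCODE 5 (REFUSED), no answers.
SAMPLE_REFUSED_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)
                           + SAMPLE_QUERY[12:])
```

    The query is 29 bytes; the constructed open-resolver reply is 1529, so the attacker spends one byte to land over fifty on the spoofed victim. The refused reply shows what a correctly configured server returns to clients outside its allowed networks: recursion not available and RCODE REFUSED, which is both tiny and unambiguous.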
  • Anatomy of a Red Hat Security Advisory

    Red Hat Security Advisories (RHSA) document the security flaws being fixed in Red Hat products. They include: The affected products the advisory applies to. The security rating of the update (low, moderate, important, critical). A brief description of the flaws being fixed. How an attacker could exploit the issues, such as whether they need privileges or not. Any manual action that may be required, such as restarting applications that use an affected library, or configuration file changes. In...
    Posted 2013-04-24T13:00:14+00:00 - 0
  • Detecting security flaws with FindBugs

    Security response is largely a reactive process for handling problems that are already in software being used in production environments. The coordinated disclosure of vulnerability information attempts to protect software consumers from exposure to threats that are not yet public. However, it is much more desirable and cost effective to reduce the number of security issues that are introduced to the software during the development process. And while security training and awareness programs...
    Posted 2013-04-10T13:00:11+00:00 - 0
  • Is chroot a security feature?

    In the past few weeks I have been asked a number of times about the concept of using chroot as a security feature. The basic idea is that you can run a process inside of a chroot where it will not have access to various system resources; however, chroot is not a security feature. Let's find out why. What is a chroot? The chroot() system call is almost as old as UNIX itself. When you make this system call, you basically change the "root" of your process, where root in this context is the root of...
    Posted 2013-03-27T13:00:30+00:00 - 0
  • The Security Benefits of RPM Packaging

    RPM Package Manager (RPM) was created to deliver software to workstations and servers. Besides being an efficient software delivery mechanism, RPM also provides security features that assist system administrators with managing their software and trusting the code that is going into their infrastructure. What is an RPM? RPM is a package management system that bundles software source code or binaries together for easy installation on a computer. These files are tracked and allow for easy...
    Posted 2013-03-13T13:00:30+00:00 - 0
  • Enterprise Linux 6.3 to 6.4 risk report

    Red Hat Enterprise Linux 6.4 was released last week, eight months since the release of 6.3 in June 2012. In this report we take a look back over the vulnerabilities and security updates since that last update, specifically for Red Hat Enterprise Linux 6 Server. Errata count The chart below illustrates the total number of security updates issued for Red Hat Enterprise Linux 6 Server if you had installed 6.3, up to and including the 6.4 release, broken down by severity. It's split into two...
    Posted 2013-02-27T13:00:29+00:00 - 0
  • Red Hat Secure Development Videos

    Red Hat products are used by many organizations in some of the most secure computing environments in the world. We have relationships and collaborations with many U.S. Government agencies, stock exchanges, banks, and health care companies. As a result, the topic of secure coding is discussed both internally and with our partners and customers on a regular basis in an effort to create the needed resources to make secure coding an everyday practice. To make secure coding work we understand that...
    Posted 2013-02-20T13:00:22+00:00 - 0
  • How Red Hat uses CVSSv2 Scoring to assist in rating flaws

    Red Hat rates all security flaws using a four-point scale: critical, important, moderate, and low. A number of factors contribute to this rating: How easily can a flaw be exploited? What kind of damage can be done if exploited? Are there typically other factors involved that lower the impact of the flaw (such as firewalls, Security-Enhanced Linux, compiler directives, and so forth)? CVSSv2 (Common Vulnerability Scoring System version 2.0) can also help to determine the rating. Out of all of...
    Posted 2013-02-13T13:00:46+00:00 - 0
  • A minimal security response process

    This blog post outlines a lightweight security response process for community upstream projects: What you (as a project maintainer or contributor) can do to be prepared for incoming reports of security vulnerabilities, and to eventually respond with a security update. This is purely reactive - it is not about not shipping vulnerable code in the first place. But it is an important step in the right direction, and one that requires relatively little effort. Release engineering Without a minimal...
    Posted 2013-01-30T13:00:12+00:00 - 0
  • Enterprise Linux 5.8 to 5.9 risk report

    Red Hat Enterprise Linux 5.9 was released this month (January 2013), just under a year since the release of 5.8 in February 2012. So let's use this opportunity to take a quick look back over the vulnerabilities and security updates made in that time, specifically for Red Hat Enterprise Linux 5 Server. Red Hat Enterprise Linux 5 is coming up to its sixth year since release, and will receive security updates until March 31st 2017. Errata count The chart below illustrates the total number of...
    Posted 2013-01-16T13:00:55+00:00 - 0
  • Detecting vulnerable Java dependencies at build time

    Background Java is a very popular programming language. Two key reasons for its popularity are security and the availability of a huge ecosystem of libraries and components. Since most Java applications make use of a wide range of libraries, which in turn have dependencies on other libraries, it is difficult to ensure the integrity of these applications from a security perspective. A recent study by Aspect security has revealed the significance of this problem. This study found that 26% of...
    Posted 2013-01-02T13:00:20+00:00 - 0
  • Position Independent Executable (PIE) Performance

    Position Independent Executables (PIE) use address randomization as an exploit mitigation against return-oriented programming (ROP) attacks. In my previous post I discussed the effects that PIE has on ELF binaries and how they are executed. In this entry I will discuss how I gathered information about program startup times and share some of my findings. The Linux loader has a great feature that allows you to gain some insight into what actions are taken during a program's execution. I used this...
    Posted 2012-12-12T13:00:23+00:00 - 0
  • Position Independent Executables (PIE)

    The Fedora Engineering Steering Committee maintains a conservative list of packages that must be built using security features of GCC. Packages not on this list have these security features enabled at the packagers' discretion. There is not currently a consensus in the community as to when security hardened binaries are necessary. As a result the use of security hardened binaries can be a controversial topic. Most arguments can be reduced to whether the security benefit outweighs the...
    Posted 2012-11-28T13:00:32+00:00 - 0
  • How Red Hat ships JBoss security updates

    JBoss security updates When security flaws are discovered in JBoss products, the Red Hat Security Response Team works to resolve them on a prioritized basis. Flaws are rated according to a four-point scale: low, moderate, important, and critical. For details on the process of rating flaws, refer to How Red Hat rates JBoss security flaws. Flaws of low impact are typically deferred, to be resolved in the next minor release of the affected products. Flaws of moderate or higher impact are typically...
    Posted 2012-11-14T13:00:35+00:00 - 0
  • Red Hat is now CWE Compatible

    Red Hat is pleased to announce it has attained Common Weakness Enumeration (CWE) compatibility. The CWE Compatibility and Effectiveness Program is a formal review and evaluation process for declaring products and services as CWE-Compatible and CWE-Effective. For the last few months, Red Hat was engaged in the CWE Compatibility and Effectiveness Program and worked towards fulfilling its requirements. These requirements included providing a common language for discussing, identifying, and dealing...
    Posted 2012-11-01T14:57:34+00:00 - 0
  • Array allocation in C++

    This technical article covers a subtlety in C++ array allocation and how we changed the GNU C++ compiler to deal with it properly. When a programmer writes T *p = new T[3]; the C++ compiler allocates room for at least three copies of objects of type T on the heap. These objects require 3 * sizeof(T) bytes. For this example, assume sizeof(T) is 12, then it is straightforward to allocate 36 bytes (for example, using malloc). But what happens if the array length is 3937053355 (or...
    Posted 2012-10-31T13:00:31+00:00 - 0
  • What defines a security issue?

    When dealing with developers, this question comes up fairly often: Is this bug a security issue? It is not always obvious if a bug is a security flaw or not. The reality is that the line is quite gray when it comes to deciding if something is a security flaw or not. It depends on a lot of factors, many of which are complicated and confusing. Consider the following example: CVE-2012-1182 describes a problem in Samba where a remote attacker could run arbitrary code as root. This is a fancy way of...
    Posted 2012-10-17T13:00:52+00:00 - 0
  • Enterprise Linux 6.2 to 6.3 risk report

    Red Hat Enterprise Linux 6.3 was released in June 2012, six months since the release of 6.2 in December 2011. So let's use this opportunity to take a quick look back over the vulnerabilities and security updates made in that time, specifically for Red Hat Enterprise Linux 6 Server. Errata count The chart below illustrates the total number of security updates issued for Red Hat Enterprise Linux 6 Server if you had installed 6.2, up to and including the 6.3 release, broken down by severity. It's...
    Posted 2012-10-03T13:00:38+00:00 - 0
  • How Red Hat rates JBoss security flaws

    Rating and CVSS v2 It's important to know how severe a security flaw is, so you can plan your response accordingly. Does the latest flaw have a high impact and need to be patched today, or can it wait until your planned upgrade next month? To communicate the risk of each JBoss security flaw, Red Hat uses a four-point severity scale of low, moderate, important and critical, in addition to Common Vulnerability Scoring System (CVSS) version 2 base scores. Most of the time the CVSS v2 base scores...
    Posted 2012-09-19T14:00:49+00:00 - 0
