Greeting from Felix
Shift Security Left #15
Two and a half years ago, security guru Bruce Schneier noted in an interview that "complexity is still the worst enemy of security, and simplicity is still hard". Fast forward to now—it's still 100% true. So, let's cut through the complexity and get a comprehensive understanding of all these complex security things.
News
How I broke into a bank account with an AI-generated voice
Do you think that Voice ID authentication is secure enough?
Here's a story to make you doubt the "my voice is my password" kind of security. Joseph Cox used a simple trick to convince his bank to grant access to a bank account via an AI-generated recording. Then he described it to Vice, so we can learn from this case too.
Secure Architecture
The EU's new Cyber Resilience Act is about to tell us how to code
Regulators are gonna regulate. And a new regulation is on the way!
According to the EU's new Cyber Resilience Act (CRA), all connected devices and almost every piece of software distributed in Europe will eventually have to be coded securely. The CRA's requirements cover software, hardware and processes. Check out Bert Hubert's write-up for the context and more details about the CRA.
P.S. The White House has just released its National Cybersecurity Strategy, which has similar aims.
P.P.S. Looking at my newsletter's name, it seems this is the right place to prepare for the new circumstances 🙂
Cryptography
Database cryptography fur the rest of us
Psst, have you got databases with sensitive data? Then this material is right for you.
Soatok brilliantly introduces you to database cryptography, including cryptography for relational databases, cryptography for NoSQL databases, searchable encryption and some case studies. His write-up can be taken as a great starting point for exploring database cryptography, although it does not cover all the possible aspects.
Cossack Labs' Acra provides searchable encryption for databases using a blind index approach. Here is a Docker-based example on GitHub if you're curious.
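To make the blind index idea concrete, here is a small added example (not code from Soatok's article or from Acra) of equality search over an encrypted column: the application normalises the value, computes a keyed HMAC under a key used only for indexing, truncates it, and stores that index next to the ciphertext; the database matches on the index alone and the application confirms candidates after decryption. The row layout, the `bits` parameter and the dictionary-backed stand-in for encryption are assumptions of this example so that it runs offline.

```python
"""Blind-index equality search over an encrypted column (constructed example).

Ciphertext bytes are opaque to this module: a real deployment encrypts the
value with an AEAD under a separate data key. Only the index derivation and
the two-step lookup (database matches the index, application confirms after
decryption) are shown.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def normalize(value: str) -> str:
    """Canonicalise before indexing so 'Alice@X.com ' and 'alice@x.com' match."""
    return value.strip().lower()


def blind_index(index_key: bytes, value: str, bits: int = 32) -> bytes:
    """HMAC-SHA256 of the normalised value under a key used only for indexing.

    The digest is truncated to `bits` so that several distinct plaintexts
    share one index value: deliberate false positives blunt frequency analysis
    on the index column, at the cost of a confirmation step after decryption.
    """
    if not 8 <= bits <= 256 or bits % 8:
        raise ValueError("bits must be a multiple of 8 between 8 and 256")
    digest = hmac.new(index_key, normalize(value).encode("utf-8"), hashlib.sha256).digest()
    return digest[: bits // 8]


@dataclass
class Row:
    row_id: int
    email_ct: bytes   # opaque ciphertext produced by the application's AEAD
    email_idx: bytes  # blind index stored alongside it


@dataclass
class EncryptedTable:
    """Database side: stores rows and answers index-equality queries only."""
    bits: int = 32
    rows: list = field(default_factory=list)

    def insert(self, row_id: int, email_ct: bytes, email_idx: bytes) -> None:
        self.rows.append(Row(row_id, email_ct, email_idx))

    def lookup(self, idx: bytes) -> list:
        # The database never sees the query plaintext, only its blind index.
        return [r for r in self.rows if r.email_idx == idx]


def exact_matches(candidates: list, decrypt, query: str) -> list:
    """Application side: drop the truncation-induced false positives."""
    wanted = normalize(query)
    return [r for r in candidates if normalize(decrypt(r.email_ct)) == wanted]


def demo() -> list:
    """Insert four rows and search for one address; returns the matching ids."""
    index_key = secrets.token_bytes(32)  # in production: from a KMS, distinct from the data key
    table = EncryptedTable()

    # Stand-in for real encryption so the example runs offline: the "ciphertext"
    # is a random token and decryption is a dictionary lookup. Not real crypto.
    vault = {}

    def fake_encrypt(plain: str) -> bytes:
        ct = secrets.token_bytes(16)
        vault[ct] = plain
        return ct

    sample = [(1, "Alice@Example.com"), (2, "bob@example.com"),
              (3, "alice@example.com"), (4, "carol@example.com")]  # constructed data
    for row_id, email in sample:
        table.insert(row_id, fake_encrypt(email), blind_index(index_key, email, table.bits))

    query = "alice@example.com"
    idx = blind_index(index_key, query, table.bits)   # computed by the application
    candidates = table.lookup(idx)                     # answered by the database
    return sorted(r.row_id for r in exact_matches(candidates, vault.__getitem__, query))


if __name__ == "__main__":
    print(demo())  # [1, 3]
```

Two design points worth noting: the index key must be distinct from the data-encryption key, since anyone holding it can test guesses against the index column; and a deterministic index leaks equality between rows by construction, which is why truncation (and, in the article's terms, a "blind" rather than exact index) is used to trade a little query precision for less leakage.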
Malware
Let's build a Chrome extension that steals everything
And here's a nice exercise for exploring the limits of browser extensions, and a reminder not to blindly trust them.
Matt Frisbie, software engineer and author of a book about building browser extensions, is going to teach you to be bad by building a Grinch-level Spy Extension: a malicious extension that seems trustworthy but actually sucks out all possible data from your browser. Pure evil in Chrome, really.
SSDLC
What a good debugger can do
Logging or debugging? What do you prefer?
I'm not going to persuade you to stick to just one option, and neither does Andy Hippo in his article, as "different tools support different features and have different limitations". Nonetheless, to challenge the popular belief that "debuggers are useless, let's just printf", he describes various debugging features and techniques and the existing tools/products that offer them.