Security
Canva
Tue May 07 2024
Endpoint vulnerability management at scale
How we do endpoint vulnerability management at Canva.
GitHub
Thu May 02 2024
Introducing Artifact Attestations–now in public beta
Generate and verify signed attestations for anything you make with GitHub Actions.
Tue Apr 30 2024
Where does your software (really) come from?
GitHub is working with the OSS community to bring new supply chain security capabilities to the platform.
Products
Docker
Docker and JFrog partner to further secure Docker Hub and remove millions of imageless repos with malicious links
Docker and JFrog partner to further secure Docker Hub by removing millions of imageless repos with malicious links.
Mon Apr 29 2024
CodeQL zero to hero part 3: Security research with CodeQL
Learn how to use CodeQL for security research and improve your security research workflow.
Wed Apr 24 2024
Securing millions of developers through 2FA
We’ve dramatically increased 2FA adoption on GitHub as part of our responsibility to make the software ecosystem more secure.
Cloudflare
Fri Apr 12 2024
How we ensure Cloudflare customers aren't affected by Let's Encrypt's certificate chain change
Let’s Encrypt’s cross-signed chain will be expiring in September.
Engineering
Thu Apr 04 2024
Debian’s Dedication to Security: A Robust Foundation for Docker Developers
We outline how and why Debian operates as a secure basis for development and makes a good choice for Docker Official Images.
From Misconceptions to Mastery: Enhancing Security and Transparency with Docker Official Images
Docker Official Images are an important component of Docker's commitment to the security of both the software supply chain and open source s...
Wed Apr 03 2024
Security research without ever leaving GitHub: From code scanning to CVE via Codespaces and private vulnerability reporting
This blog post is an in-depth walkthrough on how we perform security research leveraging GitHub features, including code scanning, CodeQL, a...
Tue Apr 02 2024
Continuing our work with CISA and the Joint Cyber Defense Collaborative to keep vulnerable communities secure online
Along with CISA and the Joint Cyber Defense Collaborative, we are spotlighting threats to civil society, best practices for online protectio...
Mon Apr 01 2024
OpenSSH and XZ/liblzma: A Nation-State Attack Was Thwarted, What Did We Learn?
Docker CTO Justin Cormack looks at what we can learn from malicious code in upstream tarballs of xz targeted at a subset of OpenSSH servers....
Product
Wed Mar 20 2024
Found means fixed: Introducing code scanning autofix, powered by GitHub Copilot and CodeQL
Now in public beta for GitHub Advanced Security customers, code scanning autofix helps developers remediate more than two-thirds of supporte...
LLM
Dropbox
Tue Mar 19 2024
Bye Bye Bye...: Evolution of repeated token attacks on ChatGPT models
Building on prior prompt injection research, we recently discovered a new training data extraction vulnerability involving OpenAI’s chat com...
Mon Mar 18 2024
Gaining kernel code execution on an MTE-enabled Pixel 8
In this post, I’ll look at CVE-2023-6241, a vulnerability in the Arm Mali GPU that allows a malicious app to gain arbitrary kernel code exec...
Thu Mar 14 2024
Upcoming Let’s Encrypt certificate chain change and impact for Cloudflare customers
Sun Mar 10 2024
Trust but test: Vendor security testing at Canva
How we validate vendor security at Canva by going beyond compliance.
Security-Week
Fri Mar 08 2024
Log Explorer: monitor security events without third-party storage
Introducing Requests for Information (RFIs) and Priority Intelligence Requirements (PIRs) for threat intelligence teams
Our Security Center now houses Requests for Information (RFIs) and Priority Intelligence Requirements (PIRs).
Cloudflare’s URL Scanner, new features, and the story of how we built it
Thu Mar 07 2024
Building secure websites: a guide to Cloudflare Pages and Turnstile Plugin
Learn how to use Cloudflare Pages and Turnstile to deploy your website quickly and easily while protecting it from bots, without compromisin...
Wed Mar 06 2024
Linux kernel security tunables everyone should consider adopting
This post illustrates some of the Linux Kernel features, which are helping us to keep our production systems more secure.
SASE
Cloudflare treats SASE anxiety for VeloCloud customers
The turbulence in the SASE market is driving many customers to seek help.
Meta
Making messaging interoperability with third parties safe for users in Europe
To comply with a new EU law, the Digital Markets Act (DMA), which comes into force on March 7th, we’ve made major changes to WhatsApp and Me...
Fonts are still a Helvetica of a Problem
CVEs in three strange places and the unique problem of safely processing and handling fonts.
Tue Mar 05 2024
Secure your unprotected assets with Security Center: quick view for CISOs
Today we are excited to introduce a new set of capabilities within the Security Center to directly address a common challenge: ensuring comp...
Protecting APIs with JWT Validation
Filter Out Security Vulnerability False Positives with VEX
False positives got you down? VEX works with Docker Scout to filter out false positives in security vulnerabilities.
Thu Feb 29 2024
Keeping secrets out of public repositories
With push protection now enabled by default, GitHub helps open source developers safeguard their secrets, and their reputations.
Azure Container Registry and Docker Hub: Connecting the Dots with Seamless Authentication and Artifact Cache
See best practices for using public images and ensuring the security and reliability of your Docker containers.
Product-News
Thu Feb 22 2024
Enhancing security analysis with Cloudflare Zero Trust logs and Elastic SIEM
Today, we are thrilled to announce new Cloudflare Zero Trust dashboards on Elastic.
Wed Feb 21 2024
How to stay safe from repo-jacking
Repo-jacking is a specific type of supply chain attack.
Tue Feb 20 2024
How to Use OpenPubkey to Solve Key Management via SSO
We show how OpenPubkey can be used to improve SSH key management, and we look at three use cases in detail.
Thu Feb 15 2024
Build code security skills with the GitHub Secure Code Game
Learn to find and fix security issues while having fun with Secure Code Game, now with new challenges focusing on JavaScript, Python, Go, an...
Safeguarding your brand identity: Logo Matching for Brand Protection
Brand Protection's Logo Matching feature enables users to upload an image of the user’s logo or other brand image.
Wed Feb 14 2024
Fixing security vulnerabilities with AI
A peek under the hood of GitHub Advanced Security code scanning autofix.
Mon Feb 12 2024
The architecture of SAST tools: An explainer for developers
More developers will have to fix security issues in the age of shifting left.
Thu Feb 08 2024
GitHub’s Engineering Fundamentals program: How we deliver on availability, security, and accessibility
The Fundamentals program has helped us address tech debt, improve reliability, and enhance observability of our engineering systems.
Tue Feb 06 2024
AppSec is harder than you think. Here’s how AI can help.
In practice, shifting left has been more about shifting the burden rather than the ability.
Thu Feb 01 2024
Thanksgiving 2023 security incident
On Thanksgiving Day, November 23, 2023, Cloudflare detected a threat actor on our self-hosted Atlassian server.
Wed Jan 31 2024
Docker Security Advisory: Multiple Vulnerabilities in runc, BuildKit, and Moby
Docker security advisory about multiple vulnerabilities in runc, BuildKit, and Moby: We will publish patched versions of runc, BuildKit, and...
Thu Jan 25 2024
EJBCA and Docker — Streamlining PKI Management and TLS Certificate Issuance
Learn how to deploy EJBCA as a Docker container, making your infrastructure setup more modern, efficient, and flexible for your security and...
Open-Source
Wed Jan 24 2024
Introducing Foundations - our open source Rust service foundation library
Thu Jan 18 2024
How to Enhance Application Security Posture with Docker Scout Policies
Learn how Docker Scout policies can help development and security teams define and achieve an ideal application security posture for organiz...
Tue Jan 16 2024
Rotating credentials for GitHub.com and new GHES patches
GitHub received a bug bounty report of a vulnerability that allowed access to the environment variables of a production container.
API-Gateway
Tue Jan 09 2024
Introducing Cloudflare’s 2024 API security and management report
Today, we’re releasing our 2024 API Security and Management Report.
Mon Jan 08 2024
GitHub and the Ekoparty 2023 Capture the Flag
The GitHub Security Lab teamed up with Ekoparty once again to create some challenges for its yearly Capture the Flag competition! The post G...
Frenemies to friends: Developers and security tools
When socializing a new security tool, it IS possible to build a bottom-up security culture where engineering has a seat at the table.
Fri Jan 05 2024
5 ways to make your DevSecOps strategy developer-friendly
Developers care about security, but poorly integrated tools and other factors can cause frustration.
Thu Dec 21 2023
How to Use OpenPubkey with GitHub Actions Workloads
Learn how to use OpenPubkey to bind public keys to workload identities using GitHub Actions and Docker.
Tue Dec 19 2023
Using Authenticated Logins for Docker Hub in Google Cloud
Learn four best practices that your teams can implement to maintain a secure and reliable software delivery process with Docker Hub in Googl...
Mon Dec 18 2023
Integrating Turnstile with the Cloudflare WAF to challenge fetch requests
Thu Dec 14 2023
Scaling vulnerability management across thousands of services and more than 150 million findings
Learn about how we run a scalable vulnerability management program built on top of GitHub.
Wed Dec 13 2023
Securing our home labs: Frigate code review
This blog post describes two linked vulnerabilities found in Frigate, an AI-powered security camera manager, that could have enabled an atta...
Default setup now includes scheduled scans and supports all languages covered by CodeQL
We’ve added new improvements to default setup, including automatically scheduling scans on repositories and support for all CodeQL covered l...
Year-in-Review
Tue Dec 12 2023
Cloudflare 2023 Year in Review
Thu Dec 07 2023
Building end-to-end security for Messenger
We are beginning to upgrade people’s personal conversations on Messenger to use end-to-end encryption (E2EE) by default.
Wed Dec 06 2023
Cueing up a calculator: an introduction to exploit development on Linux
Using CVE-2023-43641 as an example, I’ll explain how to develop an exploit for a memory corruption vulnerability on Linux.
Thu Nov 30 2023
Securing our home labs: Home Assistant code review
The GitHub Security Lab examined the most popular open source software running on our home labs, with the aim of enhancing its security.
Thu Nov 16 2023
Security best practices for authors of GitHub Actions
Improve your GitHub Action’s security posture by securing your source repository, protecting your maintainers, and making it easy to report ...
Thu Nov 09 2023
Achieve Security and Compliance Goals with Policy Guardrails in Docker Scout
We show how Docker Scout policies enable teams to identify, prioritize, and fix their software quality issues at the point of creation.
Company
Wed Nov 08 2023
Universe 2023: Copilot transforms GitHub into the AI-powered developer platform
GitHub is announcing general availability of GitHub Copilot Chat and previews of the new GitHub Copilot Enterprise offering, new AI-powered ...
Introducing AI-powered application security testing with GitHub Advanced Security
Learn about how GitHub Advanced Security’s new AI-powered features can help you secure your code more efficiently than ever.
Enhancing the security of WhatsApp calls
New optional features in WhatsApp have helped make calling on WhatsApp more secure.
Wed Oct 25 2023
Cybersecurity spotlight on bug bounty researcher @Ammar Askar
We’re excited to highlight another top contributing researcher to GitHub’s Bug Bounty Program—@Ammar Askar! The post Cybersecurity spotlight...
Thu Oct 19 2023
ICYMI: improved C++ vulnerability coverage and CodeQL support for Lombok
The effectiveness of a static application security solution hinges on its ability to provide extensive vulnerability coverage and support fo...
Tue Oct 17 2023
Your curated GitHub Universe agenda: AI, ethics, and productivity
Gain actionable insights about the intersection of AI and human skills, while tackling ethics, accessibility, and productivity at these GitH...
Getting RCE in Chrome with incomplete object initialization in the Maglev compiler
In this post, I'll exploit CVE-2023-4069, a type confusion in Chrome that allows remote code execution (RCE) in the renderer sandbox of Chro...
Hardware
Mon Oct 16 2023
Introducing the Project Argus Datacenter-ready Secure Control Module design specification
The DC-SCM (Datacenter-ready Secure Control Module) decouples server management from the server motherboard.
Fri Oct 13 2023
Signing Docker Official Images Using OpenPubkey
Learn about the updated Docker Official Images (DOI) signing strategy and how OpenPubkey can be leveraged to smooth the flow and decrease th...
DDoS
Tue Oct 10 2023
HTTP/2 Rapid Reset: deconstructing the record-breaking attack
HTTP/2 Zero-Day vulnerability results in record-breaking DDoS attacks
The “HTTP/2 Rapid Reset” attack exploits a weakness in the HTTP/2 protocol to generate enormous, hyper-volumetric DDoS attacks.
Mon Oct 09 2023
Coordinated Disclosure: 1-Click RCE on GNOME (CVE-2023-43641)
CVE-2023-43641 is a vulnerability in libcue, which can lead to code execution by downloading a file on GNOME.
InfoSec
LinkedIn
Fri Oct 06 2023
Building Resilience in the Face of Disruption: LinkedIn's Journey to ISO 22301 Certification
Co-Authors: Chau Vu and Whitney Parsons. In March 2020, the world turned upside down—the World Health Organization declared a global pandemic...
Thu Oct 05 2023
Security Advisory: High Severity Curl Vulnerability
The maintainers of curl, the popular command-line tool and library for transferring data with URLs, released curl 8.
Vulnerabilities
Uncovering the Hidden WebP vulnerability: a tale of a CVE with much bigger implications than it originally seemed
Recently, Google announced a security issue in Google Chrome, titled "Heap buffer overflow in WebP in Google Chrome.
Tue Oct 03 2023
Announcing General Availability for the Magic WAN Connector: the easiest way to jumpstart SASE transformation for your network
Birthday-Week
Mon Oct 02 2023
Birthday Week recap: everything we announced — plus an AI-powered opportunity for startups
Fri Sep 29 2023
Cloudflare now uses post-quantum cryptography to talk to your origin server
Detecting zero-days before zero-day
In this blog post we talk about our approach and ongoing research into detecting novel web attack vectors in our WAF before they are seen by...
Cloudflare is free of CAPTCHAs; Turnstile is free for everyone
Now that we’ve eliminated CAPTCHAs at Cloudflare, we want to hasten the demise of CAPTCHAs across the internet.
Tue Sep 26 2023
Changes to How Docker Handles Personal Authentication Tokens
Docker is improving the visibility of Docker Desktop and Hub users’ personal access tokens.
Community
Your ultimate guide to the GitHub Universe ‘23 agenda
Get a sneak peek into the must-attend sessions, speakers, workshops, and GitHub certifications available at our global developer event.
Getting RCE in Chrome with incorrect side effect in the JIT compiler
In this post, I'll exploit CVE-2023-3420, a type confusion in Chrome that allows remote code execution (RCE) in the renderer sandbox of Chro...
Mon Sep 25 2023
Cloudflare account permissions, how to use them, and best practices
Thu Sep 21 2023
The GitHub Security Lab’s journey to disclosing 500 CVEs in open source projects
The GitHub Security Lab audits open source projects for security vulnerabilities and helps maintainers fix them.
Passkeys are generally available
All GitHub.
Wed Sep 20 2023
Announcing general availability of GitHub Advanced Security for Azure DevOps
GitHub Advanced Security for Azure DevOps is now generally available.
Page-Shield
Fri Sep 15 2023
Making Content Security Policies (CSPs) easy with Page Shield
We just deployed a number of updates to our Client-Side Security Product: Page Shield.
Thu Sep 14 2023
Introducing auto-triage rules for Dependabot
Make quick work of alerts with preset and custom rules.
Tue Sep 12 2023
CodeQL team uses AI to power vulnerability detection in code
Learn how GitHub’s CodeQL leveraged AI modeling and multi-repository variant analysis to discover a new CVE in Gradle.
Meta Quest 2: Defense through offense
Meta’s Native Assurance team regularly performs manual code reviews as part of our ongoing commitment to improve the security posture of Met...
Tue Sep 05 2023
When URL parsers disagree (CVE-2023-38633)
Discovery and walkthrough of CVE-2023-38633 in librsvg, when two URL parser implementations (Rust and Glib) disagree on file scheme parsing ...
Automation
Thu Aug 31 2023
Enhancing Security and Developer Productivity: LinkedIn's Journey with Implementing Content Security Policy
Co-authors: Covenant Goo, Matthew Lemons, Mira Thambireddy, and Roman Shafigullin. LinkedIn Information Security is committed to help foster ...
Data-Infrastructure
Tue Aug 29 2023
Scheduling Jupyter Notebooks at Meta
At Meta, Bento is our internal Jupyter notebooks platform that is leveraged by many internal users.
Thu Aug 24 2023
A faster way to manage version updates with Dependabot
Now, you can group multiple version updates in a single pull request.
Engineering@Microsoft
Microsoft
Your Most Important Git Repos
What do you keep in your Git repos? Source code for your production applications certainly, but you probably also keep a fair amount of expe...
Cloudflare-Radar
Mon Aug 21 2023
Application Security Report: Q2 2023
We are back with a quarterly update of our Application Security report.
Reading-List
An August reading list about online security and 2023 attacks landscape
Thu Aug 17 2023
mTLS: When certificate authentication is done wrong
In this post, we'll deep dive into some interesting attacks on mTLS authentication.
Docker Scout Demo and Q&A
We share highlights from a recent webinar: “Docker Scout: Live Demo, Insights, and Q&A," which is also now available on-demand.
Tue Aug 15 2023
Hardening repositories against credential theft
Some best practices and important defenses to prevent common attacks against GitHub Actions that are enabled by stolen personal access token...
Mon Aug 14 2023
Nine years of the GitHub Security Bug Bounty program
It was another record year for our Security Bug Bounty program! We're excited to highlight some achievements we’ve made together with the bo...
Wed Aug 09 2023
Enhanced push protection features for developers and organizations
Introducing two new secret scanning push protection features that will enable individual developers to protect all their pushes and organiza...
Four tips to keep your GitHub Actions workflows secure
Researchers from Purdue and NCSU have found a large number of command injection vulnerabilities in the workflows of projects on GitHub.
Introducing per hostname TLS settings — security fit to your needs
Tue Aug 08 2023
How Meta is improving password security and preserving privacy
Meta is developing new privacy-enhancing technologies (PETs) to innovate and solve problems with less data.
Production-Engineering
Mon Aug 07 2023
Using short-lived certificates to protect TLS secrets
Short-lived certificates (SLCs) are part of our latest efforts to further secure our Transport Layer Security (TLS) private keys on our edge...
WAF
Fri Aug 04 2023
Unmasking the top exploited vulnerabilities of 2022
The Cybersecurity and Infrastructure Security Agency (CISA) just released a report highlighting the most commonly exploited vulnerabilities ...
Thu Aug 03 2023
Protecting Secrets with Docker
Keeping your secrets secret is an ongoing process, but it’s worth the effort.
Fri Jul 28 2023
Closing vulnerabilities in Decidim, a Ruby-based citizen participation platform
This blog post describes two security vulnerabilities in Decidim, a digital platform for citizen participation.
Tue Jul 25 2023
How Cloudflare is staying ahead of the AMD vulnerability known as “Zenbleed”
The Google Information Security Team revealed a new flaw in AMD's Zen 2 processors in a blog post today.
Mon Jul 24 2023
GitHub Repository Rules are now generally available
Repository rules provide an easy, flexible way to define branch protections and ensure consistency in code across repositories.
ChatGPT
Wed Jul 19 2023
Don’t you (forget NLP): Prompt injection with control characters in ChatGPT
Tue Jul 18 2023
Security alert: social engineering campaign targets technology industry employees
GitHub has identified a low-volume social engineering campaign that targets the personal accounts of employees of technology firms.
Wed Jul 12 2023
Introducing passwordless authentication on GitHub.com
Passkeys are now available in public beta.
API-Shield
Tue Jul 11 2023
Bring your own CA for client certificate validation with API Shield
API shield customers can now upload their own CA to use for client certificate validation.
Wed Jul 05 2023
GitHub achieves ISO/IEC 27701:2019, 27018:2019, and CSA STAR certifications
GitHub’s Information Security and Privacy Management System (ISPMS) has been certified against ISO/IEC 27701:2019 (PII Processor) and 27018:...
Education
Introduction to SELinux
SELinux is the most popular Linux Security Module used to isolate and protect system components from one another.
Mon Jun 26 2023
New tool to secure your GitHub Actions
Introducing a new tool to monitor and control the permissions of the repository token for GitHub Actions.
Fri Jun 23 2023
Cybersecurity Professionals: The Unsung Superheroes of the Digital World
In a world where superheroes captivate our imaginations, it's sometimes hard to recognize the real-life superheroes among us like intelligen...
Thu Jun 15 2023
CodeQL zero to hero part 2: getting started with CodeQL
Learn the basics of CodeQL and how to use it for security research! In this blog, we will teach you how to leverage GitHub’s static analysis...
Mon Jun 12 2023
GitHub’s revamped VIP Bug Bounty Program
GitHub’s VIP Bug Bounty Program has been updated to include a clear and accessible criteria for receiving an invitation to the program and m...
security
Netflix
Escrow Buddy: An open-source tool from Netflix for remediation of missing FileVault keys in MDM
Thu Jun 08 2023
Cloudflare Area 1 earns SOC 2 report
Many customers want assurance that the sensitive information they send to us can be kept safe.
QUIC
Tue Jun 06 2023
Examining HTTP/3 usage one year on
With the HTTP/3 RFC celebrating its 1st birthday, we examined HTTP version usage trends between May 2022 - May 2023.
Thu May 25 2023
Rooting with root cause: finding a variant of a Project Zero bug
In this blog, I’ll look at CVE-2022-46395, a variant of CVE-2022-36449 (Project Zero issue 2327), and use it to gain arbitrary kernel code e...
Tue May 23 2023
Announcing the public preview of GitHub Advanced Security for Azure DevOps
GitHub Advanced Security for Azure DevOps is now available for public preview, making GitHub’s same application security testing tools nativ...
Mon May 22 2023
The Journey to Secure the Software Supply Chain at Microsoft
A secure software supply chain represents another facet of Microsoft’s built-in security to enhance and maintain trust in our products.
distributed-systems
Fri May 19 2023
ABAC on SpiceDB: Enabling Netflix’s Complex Identity Types
Developer-Week
Thu May 18 2023
Announcing Cloudflare Secrets Store
Introducing Secrets Store by Cloudflare - the ultimate solution for managing your application secrets securely.
How to secure Generative AI applications
Tue May 09 2023
Lessons learned: Using a cybersecurity vendor to check for malicious links
Wed May 03 2023
The malware threat landscape: NodeStealer, DuckTail, and more
We’re sharing our latest threat research and technical analysis into persistent malware campaigns targeting businesses across the internet, ...
Tinder
Tue Apr 18 2023
Identifying vulnerabilities in GitHub Actions & AWS OIDC Configurations
Android
Thu Apr 13 2023
Deploying key transparency at WhatsApp
WhatsApp has launched a new cryptographic security feature to automatically verify a secured connection based on key transparency.
How Device Verification protects your WhatsApp account
WhatsApp has launched a new security feature that further helps prevent attackers from using vectors like on-device malware.
Wed Apr 05 2023
Discovering Headroll (CVE-2023-0704) in Chromium
Mon Feb 06 2023
How to mitigate OWASP vulnerabilities while staying in the flow
Pinterest
Thu Jan 26 2023
Employee-facing Mutual TLS
machine-learning
Fri Nov 11 2022
Machine Learning for Fraud Detection in Streaming Services
Mon Nov 07 2022
How to Categorize and Prevent Risks of Sensitive Links in URLScan
Tue Nov 01 2022
How we handled a recent phishing incident that targeted Dropbox
android-app-development
Thu Oct 06 2022
Performing Due Diligence as Android Engineers
Bug-Bounty-Program
Tue Sep 20 2022
Defending against SSRF attacks (with help from our bug bounty program)
Tue Jul 12 2022
Microsoft open sources its software bill of materials (SBOM) generation tool
We are excited and proud to open source our software bill of materials (SBOM) generation tool.
Wed Oct 13 2021
Generating Software Bills of Materials (SBOMs) with SPDX at Microsoft
In this post, Adrian Diglio walks us through how Microsoft is planning to generate SBOMs not just to meet the U.
Mon Sep 27 2021
Caesar, standards, and SAST: The road to SARIF
In this post, Michael Fanning gives us a short history on standards (think Julius Caesar), how consensus on something very small can enable ...
Thu Sep 16 2021
You can’t have security for DevOps until you have DevOps for security
The faster we iterate on refining secure development practices, the faster our developers can address security pain points, and the better w...