If you're a project owner interested in being an early tester of the feature, you're encouraged to get in touch. Katie Hockman reports that Go native fuzzing is almost ready for beta use and testing. The AWS Toolkit for Visual Studio Code has added support for Lambda functions written in Go making it easier to create, locally debug, and deploy Lambda functions from the popular code editor. ▶ Discussing Encore and Frameworks with André Eriksson - A chat with the creator of Encore, a new(ish) Go backend framework that’s been getting a lot of attention recently, about tooling, frameworks, and the tradeoffs made when choosing them. Godocs.io Six Months Later - The fork of the old site has been improved so if you don’t like pkg.go.dev or miss some of the old site’s features, check it out. Redis 6.2 on RedisGreen - SSL encryption, key size tracking, memory mapping, online upgrades, and more. ![]() Most exciting of all, we have an interview with one of its maintainers at the end of this issue, so scroll down for that! :-) ![]() TinyGo 0.18.0 Released - It’s gained support for several new boards, has a snazzy new website and the PWM API now supports servos. The lack of critical vulnerabilities and the overall project maturity leaves us confident in osquery’s security posture and we believe the balance between risk and benefit holds in this instance.ListMonk 1.0: A Self-Hosted Newsletter and Mailing List Manager - We first linked this two years ago as it seemed promising, and it’s just hit 1.0 - nice! Seems worth trying if you want to run your own list. Since most of these findings require significant rework of the code, this will likely be a long-running effort. Overall, we believe we have identified several areas for improvement and will work with the osquery project maintainers and Trail of Bits to address these findings. If you’re interested in a high-level description of the findings, the overall take was that they did not uncover any serious vulnerabilities, but found several improvements necessary to mitigate exploitation of future vulnerabilities through hardening such as sandboxing or leveraging process isolation and inter-process communication techniques. Without further ado, here is the full review performed by Trail of Bits on osquery: ToB_Atlassian_osquery_Final_Report-2022-01.pdf With a reputation for high quality security reviews they share publicly, they were the right partner for us to perform this review and share it with the public as a contribution to the open source community. Rather than stumble around unfamiliar territory we decided to engage well-known cybersecurity research and consulting firm Trail of Bits who already partner with Atlassian on osquery feature development. Here at Atlassian our security team has extensive knowledge and experience in Java, NodeJS, Python, Golang and a few others, but we have very little expertise in C++ which is osquery’s main language. One way to reduce risk is by performing a security assessment to improve our confidence in the software we use. ![]() At Atlassian we believe in weighing the potential risks against the benefits and this is doubly true for software such as osquery which is deployed on nearly every workstation and server across our organisation. With any piece of software also comes risk, as it increases the attack surface available to an adversary. As such, it is critical to both our detection & incident response teams in keeping Atlassian and its customers secure. At Atlassian, we use osquery extensively in nearly all of our infrastructure to monitor hosts for potentially malicious activity as well as aid in investigations should an incident occur. Osquery is an open source tool that monitors systems and exposes their configuration through SQL tables.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |