Information Security & Occasional Forays Into Adjacent Realms
via Josh Pitts (a staff engineer at OKTA), and writing on the company blog, comes a well crafted explanatory piece on what he has discovered in the third-party-code-signing Apple Inc. (NasdaqGS: AAPL) debacle. So much for the highly touted (by Apple, that is) gatekeeping within Mac OSX (now known as macOS). Enjoy!
via the inimitable and funny Daniel Stori at turnoff.us
Tavis Ormandy (a member of Google’s Project Zero organization) has found, reported and the offending Grammarly code fixed by Grammarly (reportedly by Tavis) in record time). A small bit of advice for Grammarly, and others: Have your code thoroughly examined by systems adhereing to the OpenSAMM or SAMM model. It may save your hocks someday... Today's Must Read over at Graham Clueley's blog. Thanks Graham and Trey!
Laugh It Up, Sport
Cartoon by Rudy Lacovara at Angry .Net Developer
Meanwhile, in incompetent application security testing news, comes this astonishing example of blatant coding stupidity - Microsoft Corporation's (NasdaqGS: MSFT) crack team of questionable-capability-developers (have these people heard of fuzzers?) unleashed a deeply flawed Windows Defender product on millions of customers.
As luck would have it (if you believe in that sort of thing), the product was just patched months after the faulty codebase was wrapped-up-all-pretty-like. The flaw was discovered by security researcher Tavis Ormandy of Google Project Zero fame; his report (and closure of same) on 2017/06/23 is today's proof - at the very least - there are Security Researchers Doing The Right Thing.
