Severity analysis of vulnerabilities by experts from the information security industry is rarely based on real code review. In the ‘Badlock’ case, most read our CVE descriptions and built up a score representing a risk this CVE poses to a user. There is nothing wrong with this approach if it is done correctly. CVEs are analyzed in isolation; as if no other issue exists. In the case of a ‘Badlock‘ there were eight CVEs. The difference is the fact that one of them was in a foundational component used by most of the code affected by the remaining seven CVEs. That very specific CVE was
Continue reading “How Badlock Was Discovered and Fixed”
As many specialists in the security world know – the RSA Security Conference is one of the biggest security conferences in North America. This year it was once again held in San Francisco at the Moscone Center. Every year the conference gets bigger and bigger, bringing in more and more people and companies from all over the world.
If you attended – you may have noticed that Red Hat had a booth this year. Located in the corner of the main expo floor (not far from some of the “big guys” like: IBM, Microsoft, EMC, CA Technologies, and Oracle) we were in a great location – receiving no shortage of traffic. In fact, despite staffing the booth with six Red Hatters we didn’t have any “down time” – everyone seemed to be interested in what Red Hat has to offer in security.
Over the course of the conference I made a few interesting observations…
Continue reading “RSA Security Conference 2015 in Review: Three Observations”