While we don’t yet know all the details, the recent SolarWinds Orion compromise brings to light a key tenet of software distribution and secure systems, namely that signing software release packages in a secure fashion is absolutely paramount. But it also helps us realize there is no magic bullet for security, and defense-in-depth must be realized at all levels of the software development lifecycle.

Protecting endpoints is hard. Understatement of the millennium, right?
Protecting unmanaged endpoints is even harder. Doubtful that surprises anyone.
Protecting mission-critical, unmanaged endpoints? Well, saying it's impossible is a stretch, but superlatives are warranted.
One of the most common goals in system security is maintaining system integrity. Knowing what is running (or can run) on the deployed system is critical, especially in embedded and unmanaged use cases.
Enterprise and managed endpoints are not immune from these concerns either.
The countless servers and devices that drive the modern world and economy require the same assurances; the difference being the enterprise world usually has more infrastructure and connectivity to achieve these goals.
If we roll back the clocks to early 2018, maintaining system integrity was already a…

The RPM package format, as used by Red Hat Linux, CentOS and others, provides multiple mechanisms for verifying package integrity and authenticity before installation. Mechanisms for integrity and authenticity include:
MD5 and SHA1 hashes of the rpm header (and optionally payload); and
GPG signatures of the package.
Suppose you have a very difficult threat model for your embedded system. Not only is your adversary technically skilled, but they are going to have physical access to your device.