This is a personal blog of 0xCardinal, discussing topics such as supply chain security, product & platform security, alongside discussions on interesting attack & defense strategies.
Consensus: How Blockchains Agree
Decentralization sounds simple until you realise every node acts on its own. In a blockchain each node holds its own copy of the ledger and processes data independently. Nodes see transactions at different times, some go offline, some behave incorrectly and some may try to cheat. Without a way to agree the network would split into a thousand truths. Consensus is what keeps all those independent nodes and all those independent ledgers marching in the same direction....
Blockchain Components
If you’re still asking “Why do I even need to learn Blockchain security?” No worries. I wrote this blog to answer exactly that. Give it a read, then come back and we’ll dive into Blockchain 101 together. Now that you are here, let’s start by understanding what Blockchain is. But wait, a bit of warning: there is way too much text in the entire blog. I tried putting in some AI generated images (which make sense for the blog), but they also were not able to do much, so all the best!...
Why Learn Blockchain & Blockchain Security?
In the world of AI, I’m gonna go rebel and talk about Blockchains. Why? Because I’ve been learning and tinkering with it, and I thought it’d be fun to share. Honestly, this is as much for my own notes as it is for anyone reading. Blockchain isn’t as shiny as AI right now, but it’s still a big deal. Here’s the thing: blockchain is too important to ignore, but too risky to approach without understanding security....
Production Grade Bash Scripts
Most shell scripts start innocent, just a few lines to glue things together. Blink twice, and it’s deploying infrastructure, rotating secrets, restarting servers, and possibly provisioning a small nation-state. It’s doing things for the people, by the people, held together by echo. This isn’t another “bash scripting 101” tutorial. You already know how to loop over a list and grep things. This is about writing scripts that survive real-world conditions: bad input, missing dependencies, flaky networks, and humans....
Reputation Farming in OSS: A Threat to Building Trust
This issue complicates the open source and supply chain security space. In attacks like xz, such strategies can be used by attackers to build “fake” trust among fellow OSS community members. A few days ago, a discussion ignited in the OSSF Slack about the issue of credibility farming in several open source repositories. The issue revolves around GitHub (or equivalent platform) accounts approving or commenting on old pull requests and issues that were already resolved or closed. These meaningless contributions show up prominently on the user’s profile and activity feed, making their involvement seem more significant than it actually is unless someone takes a closer look....
Two Bits on the xz Vulnerability
GitHub Repository: xz (Suspended)
Source Code: https://git.tukaani.org/?p=xz.git
Threat Actor: Jia Tan (GitHub)
CVE Number: CVE-2024-3094 (CVSS 10.0)
Vulnerability Type: Remote Code Execution
Attack Category: Social Engineering, Supply Chain Attack
What does the xz module do? XZ Utils is a set of free and open-source data compression utilities that provide high compression ratios and fast decompression....
Handling Deprecated Dependencies In Your Project
Disclaimer: Just a heads up, while we’re diving into ways to tackle the problem of dependency deprecation, there’s no one-size-fits-all solution here. It’s a bit of a wild ride dealing with supply chain security and those pesky deprecated dependencies, so don’t expect a quick fix! The issue of using deprecated dependencies has persisted for quite some time, and it’s gaining increased attention. Many projects continue to incorporate deprecated dependencies. I was inspired to write this blog after coming across a LinkedIn post by Rory McCune and several other posts over the past few weeks....
VS Code Security: Looking at the IDE from Security Lens
While perusing StackOverflow's 2023 Developer Survey (yes, we developers have our own version of celebrity gossip), I couldn’t help but notice that our trusty VSCode is still riding high as the undisputed IDE champ. With a whopping 73% of the developer vote, it’s safe to say that VSCode has firmly planted its flag. But, like any superstar, it’s not immune to the spotlight’s glare, especially when it comes to security. And in this blog, we’ll explore the security aspects that every VSCode user should consider....
Investigating Reported Vulnerabilities: A Closer Look!
In vulnerability scanner or penetration testing reports, you might come across statements like “Service version x.y.z is vulnerable to CVE-YYYY-ABCD.” However, it’s essential to delve deeper to confirm the actual vulnerability. Let’s consider a real example: we received a vulnerability report indicating a vulnerability (CVE-2023-23916) in curl v7.74.0 within the Debian 11 environment. The CVE documentation mentions: Affected versions: curl 7.57.0 to and including 7.87.0. At first glance, it appears that v7....
Kubernetes Components
In this blog post, we are going to talk about the different components used in Kubernetes and what purpose each component serves. We will be talking about the following:
- Pods
- Service
- Ingress
- ConfigMap
- Secret
- Deployment
- StatefulSet
- ReplicaSet
- DaemonSet
The use case that will be used throughout the blog is hosting a web application with the application code and the database in different pods. Before starting this blog, if you want to learn about the underlying concepts, read “Kubernetes Concept”...