71 private links
IDEs that allow spawning actions in the user environment are still a big security risk.
This is a nice application level sandboxing feature on Linux. We should probably have more applications use it.
Good list of hardening options indeed. That's a lot to deal with, of course; let's hope this spreads and some defaults are changed to make it easier.
Interesting work from Apple and Google to have better hardening in libc++. It's nice to see it ripple through the upcoming C++26 standard as well.
Looks like an interesting tool to go with mise.
Git pre-commit hooks indeed bring nice benefits. Like everything else they're not a panacea though.
A very long read but contains lots of insights. Goes from two very famous security-related failures to highlighting how a test-first approach could have helped. It then finishes with a long section on how to foster a testing culture in an organisation.
An old one but it shows quite well how social engineering works. It's often way more powerful than the technical defenses you try to raise.
Interesting take. Indeed risks shouldn't be considered in isolation. They actually compound and that can add up fairly quickly.
Your digital life is secure? Good... now is it really safe? Can you recover in case of a catastrophic event?
Nice overview of where we stand regarding supply chain security. Code reuse has never been so widespread and we still have fundamental issues leading to security problems.
Unsurprisingly ends up with an advertisement for their own security tool. That said, the vector used for the attack is interesting; with more npm-like ecosystems available nowadays, should we expect to see more such attacks?
A good explanation of why you likely don't want a centralised package manager for your ecosystem.
Good idea to standardise this for vendors just like we do using CVEs for software components. This would definitely improve dealing with breaches.
Bad actors will go to great lengths to try to compromise your supply chain.
It's indeed surprising that this compromised npm account didn't lead to more damage. It's a good reminder that you better regularly audit what happens in your ecosystem.
This is quite a rant. Now I admit I'm not in love with passkeys and this piece shows quite well a lot of arguments against them.
Clearly Citrix is drowning as a product... How can people still trust the provider after such an episode?
Not every vulnerability report is born equal... This can be a waste of time when the vulnerability is on the reporter's end.
Unsurprisingly this ecosystem keeps being more and more closed.