Wednesday, May 12, 2021
Google

Integrating Rust Into the Android Open Source Project

Posted by Ivan Lozano, Android Security & Privacy TeamThe Android team has been working on introducing the Rust programming language into the Android Open Source Project (AOSP) since 2019 as a memory-safe alternative for platform native code development. As...
Google

Making the Internet more secure one signed container at a time

Posted by Priya Wadhwa, Google Open Source Security TeamWith over 16 million pulls per month, Google’s `distroless` base images are widely used and depended on by large projects like Kubernetes and Istio. These minimal images don’t include common tools...
Google

Enabling Hardware-enforced Stack Protection (cetcompat) in Chrome

Alex Gough, Engineer, Chrome Platform Security TeamChrome 90 for Windows adopts Hardware-enforced Stack Protection, a mitigation technology to make the exploitation of security bugs more difficult for attackers. This is supported by Windows 20H1 (December Update) or later, running...
Google

How we fought bad apps and developers in 2020

Posted by Krish Vitaldevara, Director of Product Management Trust & Safety, Google PlayProviding safe experiences to billions of users and millions of Android developers has been one of the highest priorities for Google Play for many years. Last year...
Google

A New Standard for Mobile App Security

Posted by Brooke Davis and Eugene Liderman, Android Security and Privacy TeamWith all of the challenges from this past year, users have become increasingly dependent on their mobile devices to create fitness routines, stay connected with loved ones, work...
Google

Rust in the Linux kernel

Posted by Wedson Almeida Filho, Android Team In our previous post, we announced that Android now supports the Rust programming language for developing the OS itself. Related to this, we are also participating in the effort to evaluate...
Google

Rust in the Android platform

Posted by Jeff Vander Stoep and Stephen Hines, Android Team Correctness of code in the Android platform is a top priority for the security, stability, and quality of each Android release. Memory safety bugs in C and C++...
Google

Announcing the Android Ready SE Alliance

Posted by Sudhi Herle and Jason Wong, Android Team When the Pixel 3 launched in 2018, it had a new tamper-resistant hardware enclave called Titan M. In addition to being a root-of-trust for Pixel software and firmware, it also...
Google

Announcing the winners of the 2020 GCP VRP Prize

Posted by Harshvardhan Sharma, Information Security Engineer, Google We first announced the GCP VRP Prize in 2019 to encourage security researchers to focus on the security of Google Cloud Platform (GCP), in turn helping us make GCP more secure for...
Google

Google, HTTPS, and device compatibility

Posted by Ryan Hurst, Product Management, Google Trust ServicesEncryption is a fundamental building block when you’re on a mission to organize the world’s information and make it universally accessible with strong security and privacy. This is why a little...
Google

A Spectre proof-of-concept for a Spectre-proof web

Posted by Stephen Röttger and Artur Janc, Information Security EngineersThree years ago, Spectre changed the way we think about security boundaries on the web. It quickly became clear that flaws in modern processors undermined the guarantees that web browsers...
Google

Continuing to Raise the Bar for Verifiable Security on Pixel

Posted by Eugene Liderman, Android Security and Privacy TeamEvaluating the security of mobile devices is difficult, and a trusted way to validate a company’s claims is through independent, industry certifications. When it comes to smartphones one of the most...
Google

#ShareTheMicInCyber: Brooke Pearson

Posted by Parisa Tabriz, Head of Chrome Product, Engineering and UX In an effort to showcase the breadth and depth of Black+ contributions to security and privacy fields, we’ve launched a profile series that aims to elevate and celebrate the...
Google

Fuzzing Java in OSS-Fuzz

Posted by Jonathan Metzman, Google Open Source Security TeamOSS-Fuzz, Google’s open source fuzzing service, now supports fuzzing applications written in Java and other Java Virtual Machine (JVM) based languages (e.g. Kotlin, Scala, etc.). Open source projects written in JVM...
Google

Introducing sigstore: Easy Code Signing & Verification for Supply Chain Integrity

Posted by Kim Lewandowski & Dan Lorenc, Google Open Source Security TeamOne of the fundamental security issues with open source is that it’s difficult to know where the software comes from or how it was built, making it susceptible to...
The Hacker News

Alert: Hackers Exploit Adobe Reader 0-Day Vulnerability in the Wild

Adobe has released Patch Tuesday updates for the month of May with fixes for multiple vulnerabilities spanning 12 different products, including a zero-day flaw affecting Adobe Reader that's actively exploited in the wild. The list of updated applications includes Adobe Experience Manager,...
The Register

Beijing twirls ban-hammer at 84 more apps it says need to stop slurping excess data

Online lending apps and more given fifteen days to ‘rectify’ behaviour China’s Central Cyberspace Affairs Commission has named 84 apps it says breach local privacy laws and given their developers 15 days to “rectify” their code.…
SecurityWeek

SAP Patches High-Severity Flaws in Business One, NetWeaver Products

SAP has released a total of six new security notes on its May 2021 Security Patch Day, along with updates for five other security notes, including three rated Hot News. read more
The Register

South Korea orders urgent review of energy infrastructure cybersecurity

No prizes for guessing why, as Colonial Pipeline outage stretches patience and looks like lasting a week South Korea’s Ministry of Trade, Energy and Infrastructure has ordered a review of the cybersecurity preparedness of the nation’s energy infrastructure.…
SecurityWeek

Ransomware Gang Threatens Release of DC Police Records

A Russian-speaking ransomware syndicate that stole data from the Washington, D.C., police department says negotiations over payment have broken down, with it rejecting a $100,000 payment, and it will release sensitive information that could put lives at risk if...