shakedown.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
A community for live music fans with roots in the jam scene. Shakedown Social is run by a team of volunteers (led by @clifff and @sethadam1) and funded by donations.


#devsecops


A critical Linux vulnerability (CVE-2025-32463) in Sudo lets any local unprivileged user gain root via the --chroot (-R) option

🔒 Affects default configs on Ubuntu, Fedora & others — no Sudo rules needed
🛠️ Fix: Update to Sudo 1.9.17p1+ (no workarounds)
👀 CVSS: 9.8 (Critical)

Highlights persistent risks in open-source privilege handling 🧩

cybersecuritynews.com/linux-su

#Linux #Sudo #FOSS #CyberSecurity #InfoSec #OpenSource #Vulnerability #Root #Exploit #SysAdmin #DevSecOps #Tech @TechNews

Cyber Security News · Linux Sudo chroot Vulnerability Enables Hackers to Elevate Privileges to Root. A security vulnerability in the widely used Linux Sudo utility has been disclosed, allowing any local unprivileged user to escalate privileges.
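The post gives one actionable fact, the first fixed release (1.9.17p1). The following POSIX shell check is an added example, not code from the post or from the Sudo project: it reads the version that `sudo -V` reports and compares it numerically with 1.9.17p1, treating a missing patch level ("1.9.17") as p0 so that 1.9.17 correctly sorts below 1.9.17p1. It assumes only "older than 1.9.17p1 needs an update", because the post states no lower bound for the affected range, and it cannot see distro backports that carry the fix under an older version string.

```shell
#!/bin/sh
# Added example (not from the post or the Sudo project): compare the installed
# Sudo version with the first fixed release the post names, 1.9.17p1.
# Assumption: anything older than 1.9.17p1 is reported as needing an update;
# vendor backports may fix the bug under an older version string, so treat a
# "needs update" result as a prompt to read your distribution's advisory.

FIXED_SUDO_VERSION="1.9.17p1"

# sudo_version_key VERSION
# Turns "A.B.C" or "A.B.CpD" into one integer so versions compare numerically.
# A missing patch level ("1.9.17") counts as p0, so 1.9.17 < 1.9.17p1.
sudo_version_key() {
    ver="$1"
    case "$ver" in
        *p*) plevel="${ver##*p}" ;;
        *)   plevel=0 ;;
    esac
    base="${ver%%p*}"
    maj="${base%%.*}"
    rest="${base#*.}"
    if [ "$rest" = "$base" ]; then
        min=0; pat=0                    # bare "1": no minor or patch field
    else
        min="${rest%%.*}"
        pat="${rest#*.}"
        [ "$pat" = "$rest" ] && pat=0   # "1.9": no third field
    fi
    echo $(( ((maj * 1000 + min) * 1000 + pat) * 1000 + plevel ))
}

# sudo_is_fixed VERSION -> exit status 0 when VERSION >= 1.9.17p1
sudo_is_fixed() {
    [ "$(sudo_version_key "$1")" -ge "$(sudo_version_key "$FIXED_SUDO_VERSION")" ]
}

# installed_sudo_version -> prints the version from "sudo -V" (its first line
# reads "Sudo version X.Y.Z[pN]"), or nothing when sudo is not installed.
installed_sudo_version() {
    command -v sudo >/dev/null 2>&1 || return 0
    sudo -V 2>/dev/null | sed -n 's/^Sudo version //p' | head -n 1
}

ver=$(installed_sudo_version)
if [ -z "$ver" ]; then
    echo "sudo not found on this host"
elif sudo_is_fixed "$ver"; then
    echo "sudo $ver: at or above $FIXED_SUDO_VERSION"
else
    echo "sudo $ver: older than $FIXED_SUDO_VERSION, update per the CVE-2025-32463 advisory"
fi
```

Run it as an unprivileged user; `sudo -V` prints the version line without asking for a password. On a distribution that backports fixes, confirm the package changelog rather than trusting the version string alone.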

🔐Cybersecurity is now core to every technical role. DevOps. AppDev. SRE. Architects. Watch "Cybersecurity Skills: A Framework That Works" -- an on-demand webinar -- to learn how to close key security skill gaps for you and your teams.

🎥 Watch now: training.linuxfoundation.org/r

Linux Foundation - Education · Cybersecurity Skills, Simplified: A Framework That Works. Learn how you can leverage the cybersecurity skills framework for your team.

If you’re the one who gets CVE alerts and has to convince others to take them seriously, this whitepaper might help. It has some stats and positioning that can support your case for prioritizing vulnerability management.

Yeah, there’s a bit about how #Perforce #Puppet can help at the end, but there are good business case things on MTTR and breach risks too. Some links in there to some supporting reports from other sources, as well.

#DevSecOps #Cybersecurity

puppet.com/resources/vulnerabi

Is Node.js the future of backend development, or just a beautifully wrapped grenade?

Lately, I see more and more backend systems, yes, even monoliths, built entirely in Node.js, sometimes with server-side rendering layered on top. These are not toy projects. These are services touching sensitive PII data, sometimes in regulated industries.

When I first used Node.js years ago, I remember:
• Security concepts were… let’s say aspirational.
• Licensing hell due to questionable npm dependencies.
• Tests were flaky, with mocking turning into dark rituals.
• Behavior of libraries changed weekly like socks, but more dangerous.
• Internet required to run a “local” build. How comforting.

Even with TypeScript, it all melts back into JavaScript at runtime, a language so flexible it can hang itself.

Sure, SSR and monoliths can simplify architecture. But they also widen the attack surface, especially when:
• The backend is non-compiled.
• Every endpoint is a potential open door.
• The system needs Node + a fleet of dependencies + a container + prayer just to run.

Compare that to a compiled, stateless binary that:
• Runs in a scratch container.
• Requires zero runtime dependencies.
• Has encryption at rest, in transit, and ideally per-user.
• Can be observed, scaled, audited, kept stateless and destroyed with precision.

I’ve shipped frontends that are static, CDN-delivered, secure by design, and light enough to fit on a floppy disk. By running them with Node, I’m loading gigabytes of unknown tooling to render “Hello, user”.

So I wonder:
Is this the future? Or am I just… old?

Are we replacing mature, scalable architectures with serverless spaghetti and 12-factor mayhem because “it works on Vercel”?

Tell me how you build secure, observable, compliant systems in Node.js.
Genuinely curious.
Mildly terrified and maybe old.

The #KubeCon recordings are now on YouTube! We'll be posting links to all the #OpenPolicyAgent related ones as we watch them. First out is the #OPA maintainer track session, where @charlieegan3 and @anderseknert give a short introduction to OPA and Rego, followed by a deep-dive into recent performance improvements, and a sneak peek at the project roadmap. Check it out!

youtube.com/watch?v=XtA-NKoJDaI

🚨 AI Code Assistants: A Double-Edged Sword? 🚨

AI-powered coding tools are revolutionizing development workflows, but they come with hidden dangers:

🔹 Hallucinated Dependencies: AI suggests packages that don’t exist.
🔹 Slopsquatting Attacks: Malicious actors register these fake packages, leading to potential security breaches.
🔹 Automated Installation Risks: Some AI agents might auto-install these without developer awareness.
🔹 False Legitimacy: AI-generated summaries can falsely validate these malicious packages.

🛡️ Stay Vigilant: Always double-check AI-generated code and dependencies. Trust, but verify.

#AI #CyberSecurity #DevSecOps #SupplyChain #SoftwareDevelopment
theregister.com/2025/04/12/ai_

The Register · LLMs can't stop making up software dependencies and sabotaging everything. By Thomas Claburn
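The post's advice is "double-check AI-generated code and dependencies". One concrete, offline way to do that is to list every package an assistant-written file imports and flag the ones the project has not already declared, so a human verifies each flagged name against the registry before any install command runs (a hallucinated name is exactly the kind of package a slopsquatter registers). The script below is an added example, not code from the post or from The Register article. It assumes one `import`/`require` per line, a plain-text list of declared package names (one per line; the usage note shows how to produce it from package.json), and uses a constructed JavaScript sample as input.

```shell
#!/bin/sh
# Added example (not from the post or the article): find packages that a
# JavaScript/TypeScript file imports but that the project has not declared,
# so each one is verified by hand before it is installed.
# Assumptions: one import/require per line; DECLARED_FILE holds one package
# name per line; the sample source further down is constructed for the demo.

# Node built-ins need no package, so they never count as undeclared.
NODE_BUILTINS='assert|buffer|child_process|crypto|events|fs|http|https|net|os|path|stream|url|util|zlib'

# extract_specifiers < source : one bare package name per line, sorted.
# Handles require('x'), import x from 'x', import 'x' and import('x').
# Relative paths, absolute paths, node: URLs and built-ins are dropped;
# subpaths such as lodash/fp or @scope/pkg/sub collapse to the package name.
extract_specifiers() {
    sed -n -E "s/.*(require|import|from)[[:space:]]*\(?[[:space:]]*['\"]([^'\"]+)['\"].*/\2/p" |
    grep -v -E '^(\.|/|node:)' |
    sed -E 's#^(@[^/]+/[^/]+|[^/]+).*#\1#' |
    grep -v -x -E "$NODE_BUILTINS" |
    LC_ALL=C sort -u
}

# undeclared_specifiers DECLARED_FILE < source : imported packages that are
# missing from DECLARED_FILE, i.e. the names to verify before installing.
undeclared_specifiers() {
    extract_specifiers | grep -v -x -F -f "$1" || true
}

# Constructed sample of assistant-generated code (not a real project file).
SAMPLE_SRC=$(cat <<'EOF'
const axios = require('axios');
const fs = require("fs");
import express from 'express';
import { fmt } from '@scope/utils/fmt';
import './local-helper.js';
import('left-padd');   // hypothetical name, not a known package
EOF
)

# Constructed declared-dependency list: what package.json already pins.
DECLARED=$(mktemp)
trap 'rm -f "$DECLARED"' EXIT
printf '%s\n' axios express > "$DECLARED"

echo "Imported but not declared (verify each name before installing):"
printf '%s\n' "$SAMPLE_SRC" | undeclared_specifiers "$DECLARED"
```

For a real project, build the declared list from package.json with `node -p "Object.keys(require('./package.json').dependencies || {}).join('\n')" > declared.txt`, then run `undeclared_specifiers declared.txt < generated-file.js`. Each flagged name is then checked with `npm view <name>` and, more importantly, by reading its page and publisher history, since a slopsquatted package exists on the registry and resolves fine; existence alone proves nothing.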