#SecureByDesign


👋 Hey infosec.exchange! We’re the CHERI Alliance — excited to join the community!

🔐 We’re all about CHERI (Capability Hardware Enhanced RISC Instructions) — a powerful hardware-based approach to making memory safety and software security actually enforceable, by design.

💡 CHERI helps stop things like buffer overflows and use-after-free bugs before they cause trouble — with hardware-enforced protections built right into the architecture.

We’re here to:
- Share news about the CHERI community in general
- Talk about what our members are building with CHERI
- Connect with folks who care about deep, meaningful security improvements
Check us out 👉 cherialliance.org

Give us a follow if this sounds like your kind of thing!

Today we're switching the bzip2 crate from C to 100% Rust!
The bzip2 crate is now memory-safe, faster and easier to cross-compile.

trifectatech.org/blog/bzip2-cr

Thanks to: @alex_crichton, @ros, and @nlnet

This project was funded through the e-Commons Fund, a fund established by NLnet Foundation with financial support from the @minbzk.

Link preview (trifectatech.org): bzip2 crate switches from C to 100% Rust - Trifecta Tech Foundation

Is Node.js the future of backend development, or just a beautifully wrapped grenade?

Lately, I see more and more backend systems, yes, even monoliths, built entirely in Node.js, sometimes with server-side rendering layered on top. These are not toy projects. These are services touching sensitive PII data, sometimes in regulated industries.

When I first used Node.js years ago, I remember:
• Security concepts were… let’s say aspirational.
• Licensing hell due to questionable npm dependencies.
• Tests were flaky, with mocking turning into dark rituals.
• Behavior of libraries changed weekly like socks, but more dangerous.
• Internet required to run a “local” build. How comforting.

Even with TypeScript, it all melts back into JavaScript at runtime, a language so flexible it can hang itself.

Sure, SSR and monoliths can simplify architecture. But they also widen the attack surface, especially when:
• The backend is non-compiled.
• Every endpoint is a potential open door.
• The system needs Node + a fleet of dependencies + a container + prayer just to run.

Compare that to a compiled, stateless binary that:
• Runs in a scratch container.
• Requires zero runtime dependencies.
• Has encryption at rest, in transit, and ideally per-user.
• Can be observed, scaled, audited, stateless and destroyed with precision.

I’ve shipped frontends that are static, CDN-delivered, secure by design, and light enough to fit on a floppy disk. By running them with Node, I’m loading gigabytes of unknown tooling to render “Hello, user”.

So I wonder:
Is this the future? Or am I just… old?

Are we replacing mature, scalable architectures with serverless spaghetti and 12-factor mayhem because “it works on Vercel”?

Tell me how you build secure, observable, compliant systems in Node.js.
Genuinely curious.
Mildly terrified and maybe old.

*Last Call*

I have a #PhD position for UK students, available with myself and @bentnib

This project will be looking at developing new methods for asserting the resilience of existing communicating systems by developing new static analysis methods derived from advanced programming language research.

*Hard Deadline*: Wednesday 16th April 2025

You will belong to @StrathCyber and @mspstrath, as well as gaining access to @spli

strath.ac.uk/studywithus/postg

(Ignore the deadline on the advert)

Please spread the word.

Link preview (www.strath.ac.uk): Towards Type-Driven Assurance of Communicating Systems | University of Strathclyde

Hey, legit impressed by Fortinet's changes to improve patching speed and adoption rates.

fortinet.com/blog/industry-tre

They did two big things:

  1. Separated bugfix vs feature releases, to help operational teams manage risk and reduce patching friction

  2. Created an "auto update" option in specific controlled circumstances

Data-driven, too - graphs, etc. show that the changes have real security value.

Needed some good news today!

Link preview (Fortinet Blog): Fortinet’s Secure-by-Design Commitments: Making Measurable Progress in Cybersecurity. Fortinet is proud to be an early signer of CISA’s Secure By Design Pledge. This post highlights the progress we’re making toward that commitment.

Tomorrow morning I will be giving the keynote for Microsoft BlueHat Conference. I first stepped onto the Microsoft campus in 2002 as a consultant to help build IIS 6.0 (Windows web server) securely. Tomorrow I will talk about how hackers first pointed out the need for vendors to secure software products during development and then later worked with developers to build products more securely. #SecureByDesign is a 20+ year old idea.

My new post maps the new CISA et al guidance on security-by-design and by-default to my new book that is out now (and omg breaking news it's officially out!!!!): kellyshortridge.com/blog/posts

the tl;dr is that if you want to understand more of the "why" but also learn the "how" to implement #SecureByDesign and #SecureByDefault in practice, read these chapters:
* Chapter 3: Architecting & Designing
* Chapter 4: Building & Delivering
* Chapter 7: Platform #Resilience Engineering

Link preview (Kelly Shortridge): Security-by-Design and by-Default: Sustaining Software Resilience. This post maps the new guidance from CISA, the FBI, the NSA, and other countries’ cybersecurity authorities to sections in my new book - Security Chaos Engineering: Sustaining Resilience in Software and Systems.

Secure-by-design systems - shrink the target.

• Rust - memory safety mistakes in your code cannot be used as a target.

• Sigstore - library & container dependencies cannot be used as a target.

• Ockam - systems that transport/store your data cannot be used as a target.

Drastically shrinking the target (your app's vulnerability surface) is the only practical approach to security for modern applications.