Constant-Time Data Processing At a Secret Offset, Privacy and QUIC

Introduction NCC Group Cryptography Services team assessed security aspects of several implementations of the QUIC protocol. During the course of their reviews, the team found a number of recurrent cryptography side channel findings of arguably negligible privacy risk to users, across these implementations. However, repetition in itself makes these findings somehow worth having a deeper …

NIST Selects Post-Quantum Algorithms for Standardization

Last week, NIST announced some algorithms selected for standardization as part of their Post-Quantum Cryptography project. This is a good opportunity to recall the history of this process, observe its current state, and comment on the selected algorithms. It is important to remember that the process is not finished: round 4 has started, and should …

Mitigating the top 10 security threats to GCP using the CIS Google Cloud Platform Foundation Benchmark

As one of the proud contributors to the newest version of the CIS Google Cloud Platform Foundation Benchmark, I wanted to raise awareness about the new version release of this benchmark [1] by the Center for Internet Security (CIS) and how it can help a company to set a strong security baseline or foundation for …

Shaking The Foundation of An Online Collaboration Tool: Microsoft 365 Top 5 Attacks vs the CIS Microsoft 365 Foundation Benchmark

As one of the proud contributors to the Center for Internet Security (CIS) Microsoft 365 Foundation Benchmark, I wanted to raise awareness about the new version release by the Center for Internet Security (CIS) released on February 17th, and how it can help a company to have a secure baseline for their Microsoft 365 tenant. …

Investigating Potential Security Vulnerability Manifestation through Various Analyses & Inferences Regarding Internet RFCs (and how RFC Security might be Improved)

Overview RFCs have played a pivotal role in helping to formalise ideas and requirements for much of the Internet's design and engineering. They have facilitated peer review amongst engineers, researchers and computer scientists, which in turn has resulted in specification of key Internet protocols and their behaviours so that developers can implement those protocols in …

C Language Standards Update – Zero-size Reallocations are Undefined Behavior

[Editor's Note: Robert Seacord of NCC Group is a longstanding member of the C Standards Committee. In this blog post, he outlines a recently adopted change he proposed to the C Language Standard, to help eliminate double-free vulnerabilities being introduced to C code as a result of zero-sized reallocations of memory.] by Robert Seacord The …

Exploring Verifiable Random Functions in Code

Verifiable Random Functions (VRFs) have recently seen a strong surge in popularity due to their usefulness in blockchain applications. Earlier I wrote about what VRFs are, where they can be used, and a few dozen things to consider when reviewing them. In this follow-on blog post, I am pleased to introduce actual working code that …

Improving Software Security through C Language Standards

This blog post describes my history with the C Standards Committee, the work standards organizations are currently doing in software security, and the future of NCC Group's work in improving software security by working with the C Standards Committee and other standardization efforts. Past I became involved with the C Standards Committee (more formally, ISO/IEC …