Buffer overruns are by far the most common vulnerability in C or C++ programs, and a number of techniques have come up over the years to detect overruns early and abort execution. The _FORTIFY_SOURCE macro, provided by the GNU C Library, helps mitigate a number of these overruns and is widely deployed in Red Hat Enterprise Linux. This article on the Red Hat Security blog is a good introduction to
Continue reading Broadening compiler checks for buffer overflows in _FORTIFY_SOURCE
Red Hat CodeReady Dependency Analytics, powered by the Snyk Intel Vulnerability database, helps developers find, identify, and fix security vulnerabilities in their code. In the latest 0.3.2 release, we focused on supporting vulnerability analysis for Golang application dependencies, providing easier access to vulnerability details uniquely known to Snyk, and other user experience improvements.
Continue reading Vulnerability analysis for Golang applications with Red Hat CodeReady Dependency Analytics
Clang-tidy is a standalone linter tool for checking C and C++ source code files. It provides an additional set of compiler warnings—called checks—that go above and beyond what is typically included in a C or C++ compiler. Clang-tidy comes with a large set of built-in checks and a framework for writing your own checks, as well.
Continue reading Get started with clang-tidy in Red Hat Enterprise Linux
The Beta release of Red Hat JBoss Enterprise Application Platform 7.4 is now available. This release has been made in preparation for the general availability (GA) release later in 2021, and contains a number of new features and enhancements. This article offers a summary of the most important improvements and illustrates an easy way to get started with JBoss EAP.
Continue reading Security and management improvements in Red Hat JBoss Enterprise Application Platform 7.4 Beta
This article illustrates how to configure a browser authentication flow using X.509 user-signed certificates. Once you have set up authentication using X.509 user-signed certificates, your users will not be required to enter a username and password when authenticating against Red Hat’s single sign-on technology (SSO). Instead, they will present an X.509 certificate to the SSO instance.
Continue reading X.509 user certificate authentication with Red Hat’s single sign-on technology
I work at Red Hat on the GNU Compiler Collection (GCC). In GCC 10, I added the new -fanalyzer option, a static analysis pass for identifying various problems at compile-time, rather than at runtime. The initial implementation was aimed at early adopters, who found a few bugs, including a security vulnerability: CVE-2020-1967. Bernd Edlinger, who discovered the issue, had to wade through many false positives accompanying the real issue. Other users also managed to get the analyzer to crash on their code.
I’ve been rewriting the analyzer to address these issues in the next major release, GCC 11. In this article, I describe the steps I’m taking to reduce the number of false positives and make this static analysis tool more robust.
Continue reading Static analysis updates in GCC 11
When it comes to the container world, it is common to have an application deployed to a cluster that needs to be secured. In this article, I will show you how to enable HTTPS and SSL termination for a Quarkus application that is running in Red Hat OpenShift.
Continue reading How to enable HTTPS and SSL termination in a Quarkus app
As per the design, Keycloak imports all users into its local database if the users are authenticated via any third-party identity provider (e.g., Google, Facebook, or Okta). But what if users authenticated through the third-party identity provider have to be restricted—or be allowed only limited access—to applications that are federated with Keycloak? Here’s how you do it.
Continue reading How to restrict user authentication in Keycloak during identity brokering
This article describes the integration of Red Hat Single Sign-On (SSO) with Red Hat Directory Server 11 (LDAP). It also illustrates how it is possible to perform user synchronization and group synchronization between Red Hat Directory Server and Red Hat’s single sign-on tools.
Continue reading Integrating Red Hat Single Sign-On version 7.4 with Red Hat Directory Server (LDAP)