Security

Broadening compiler checks for buffer overflows in _FORTIFY_SOURCE

Buffer overruns are among the most common vulnerabilities in C and C++ programs, and a number of techniques have been developed over the years to detect an overrun early and abort execution before it can be exploited. The _FORTIFY_SOURCE macro, provided by the GNU C Library, replaces calls such as memcpy, strcpy and sprintf with bounds-checked variants whenever the compiler can determine the size of the destination buffer (it needs optimization, -O1 or higher, to do so), and it is widely deployed in Red Hat Enterprise Linux. The Red Hat Security blog article on _FORTIFY_SOURCE is a good introduction.
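To make the mechanism concrete, here is an added C example (not code from the article or from glibc) that mimics the check _FORTIFY_SOURCE inserts. The helper names fortified_memcpy_impl, fortified_memcpy_lvl1, fortified_memcpy_lvl2 and the struct record are assumptions for illustration; __builtin_object_size is the real GCC/Clang builtin that glibc's fortified wrappers rely on. The example shows the difference between the two fortification levels on a struct member, which the paragraph above only alludes to.

```c
#include <stddef.h>
#include <string.h>

/* Stand-in for glibc's __memcpy_chk (helper names here are assumed, not
 * glibc's). dst_size is what the compiler knew about the destination, or
 * (size_t)-1 when it knew nothing, in which case the copy is unchecked,
 * exactly as _FORTIFY_SOURCE falls back to plain memcpy. */
static int fortified_memcpy_impl(void *dst, const void *src, size_t n,
                                 size_t dst_size)
{
    if (dst_size != (size_t)-1 && n > dst_size)
        return -1;              /* glibc calls __chk_fail() and aborts here */
    memcpy(dst, src, n);
    return 0;
}

/* __builtin_object_size(p, type) is the GCC/Clang builtin glibc's inline
 * wrappers use. type 0 = bytes left in the whole enclosing object
 * (_FORTIFY_SOURCE=1); type 1 = bytes left in the closest enclosing
 * subobject (_FORTIFY_SOURCE=2). These must be macros so the builtin sees
 * the destination expression itself rather than an opaque pointer. */
#define fortified_memcpy_lvl1(dst, src, n) \
    fortified_memcpy_impl((dst), (src), (n), __builtin_object_size((dst), 0))
#define fortified_memcpy_lvl2(dst, src, n) \
    fortified_memcpy_impl((dst), (src), (n), __builtin_object_size((dst), 1))

struct record {
    char name[8];   /* 8-byte subobject ... */
    int  id;        /* ... followed by 4 more bytes of the same object */
};

/* Copy n bytes into a 16-byte stack buffer: 0 on success, -1 if refused. */
int copy_to_stack_buffer(const char *src, size_t n)
{
    char buf[16];
    return fortified_memcpy_lvl2(buf, src, n);
}

/* Copy n bytes into record.name under level-1 rules: the compiler only
 * knows 12 bytes remain in the struct, so a 12-byte copy passes and
 * silently overwrites id (an intra-object overflow). */
int copy_to_member_lvl1(const char *src, size_t n)
{
    struct record r;
    return fortified_memcpy_lvl1(r.name, src, n);
}

/* Same copy under level-2 rules: name is an 8-byte subobject, so the
 * 12-byte copy that level 1 allowed is refused. */
int copy_to_member_lvl2(const char *src, size_t n)
{
    struct record r;
    return fortified_memcpy_lvl2(r.name, src, n);
}
```

With real glibc the equivalent check is enabled by compiling with -O2 -D_FORTIFY_SOURCE=2, and a refused copy ends in an abort through __chk_fail() rather than a -1 return. The point that the upcoming compiler work addresses is the (size_t)-1 case: any destination whose size the compiler cannot see is simply not checked.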

Vulnerability analysis for Golang applications with Red Hat CodeReady Dependency Analytics

Red Hat CodeReady Dependency Analytics, powered by the Snyk Intel Vulnerability Database, helps developers find, identify, and fix known security vulnerabilities in their application dependencies. The 0.3.2 release adds vulnerability analysis for Golang application dependencies, easier access to vulnerability details known only to Snyk, and other user experience improvements.

Securely connect Red Hat Integration Service Registry with Red Hat AMQ Streams

Red Hat Integration Service Registry is a datastore for schema and API artifacts, based on the Apicurio open source project. In my previous article, I showed how to integrate Spring Boot with Service Registry. In this article, you’ll learn how to connect Service Registry to a secured Red Hat AMQ Streams cluster.

Get started with clang-tidy in Red Hat Enterprise Linux

Clang-tidy is a standalone linter tool for checking C and C++ source code files. It provides an additional set of compiler warnings—called checks—that go above and beyond what is typically included in a C or C++ compiler. Clang-tidy comes with a large set of built-in checks and a framework for writing your own checks, as well.

Security and management improvements in Red Hat JBoss Enterprise Application Platform 7.4 Beta

The Beta release of Red Hat JBoss Enterprise Application Platform 7.4 is now available. This release has been made in preparation for the general availability (GA) release later in 2021, and contains a number of new features and enhancements. This article offers a summary of the most important improvements and illustrates an easy way to get started with JBoss EAP.

X.509 user certificate authentication with Red Hat’s single sign-on technology

This article shows how to configure a browser authentication flow that uses X.509 user certificates. Once it is in place, users authenticating against Red Hat’s single sign-on technology (SSO) are no longer asked for a username and password; instead, the browser presents the user’s X.509 certificate, and SSO validates it against its configured trust store and maps a certificate attribute (such as a subject field) to a local user account.

Static analysis updates in GCC 11

I work at Red Hat on the GNU Compiler Collection (GCC). In GCC 10, I added the new -fanalyzer option, a static analysis pass that identifies various problems at compile time rather than at runtime. The initial implementation was aimed at early adopters, who found a few bugs, including a security vulnerability: CVE-2020-1967, a NULL pointer dereference in OpenSSL. Bernd Edlinger, who discovered the issue, had to wade through many false positives accompanying the real one. Other users also managed to get the analyzer to crash on their code.

I’ve been rewriting the analyzer to address these issues in the next major release, GCC 11. In this article, I describe the steps I’m taking to reduce the number of false positives and make this static analysis tool more robust.
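As an added example (not code from the article or from GCC itself) of the class of problem the pass identifies, the following C file contains a memory-ownership bug of the kind -fanalyzer reports, next to a corrected version. The function names are assumed for illustration; the diagnostic names -Wanalyzer-use-after-free and -Wanalyzer-double-free are real -fanalyzer warnings. Build the file with `gcc -fanalyzer -c` to see the diagnostics on the first function, which is defined but never executed.

```c
#include <stdlib.h>
#include <string.h>

/* Function names are assumed for illustration. Compile with
 *   gcc -fanalyzer -c this_file.c
 * to see the analyzer's diagnostics on parse_record_unsafe(). */

/* "Before": when the input is too long, buf is freed and control falls
 * through (the return is missing) to strcpy() and a second free(). The
 * analyzer follows that path and reports -Wanalyzer-use-after-free and
 * -Wanalyzer-double-free. Defined but never called here. */
int parse_record_unsafe(const char *in)
{
    char *buf = malloc(64);
    if (buf == NULL)
        return -1;
    if (strlen(in) >= 64) {
        free(buf);              /* first release on the error path */
    }                           /* should have returned here */
    strcpy(buf, in);            /* use after free on that path */
    free(buf);                  /* second release on that path */
    return 0;
}

/* "After": validate before allocating, keep one owner and one release
 * point. Copies the text before the first ':' into out and returns its
 * length, or -1 on oversize input or when out is too small. */
int parse_record_safe(const char *in, char *out, size_t out_len)
{
    size_t in_len = strlen(in);
    if (in_len >= 64 || out_len == 0)
        return -1;              /* rejected before anything is owned */

    char *buf = malloc(64);
    if (buf == NULL)
        return -1;
    memcpy(buf, in, in_len + 1);

    int rc = -1;
    const char *sep = strchr(buf, ':');
    size_t field_len = sep ? (size_t)(sep - buf) : in_len;
    if (field_len < out_len) {
        memcpy(out, buf, field_len);
        out[field_len] = '\0';
        rc = (int)field_len;
    }
    free(buf);                  /* the only release; buf is not used after it */
    return rc;
}

/* Convenience wrapper: length of the first field of in, or -1. */
int first_field_len(const char *in)
{
    char out[64];
    return parse_record_safe(in, out, sizeof out);
}
```

The structural fix is what keeps the analyzer quiet: every path through parse_record_safe() releases buf exactly once, so there is no path on which the analyzer's state machine sees a freed pointer being used or freed again.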

How to restrict user authentication in Keycloak during identity brokering

By design, Keycloak imports every user who authenticates through a third-party identity provider (for example Google, Facebook, or Okta) into its local database. But what if those brokered users must be denied access, or granted only limited access, to the applications federated with Keycloak? Here’s how you do it.

Integrating Red Hat Single Sign-On version 7.4 with Red Hat Directory Server (LDAP)

This article describes the integration of Red Hat Single Sign-On (SSO) with Red Hat Directory Server 11 (LDAP), and shows how to synchronize users and groups between Red Hat Directory Server and Red Hat SSO.
