Red Hat Blog

Secure Boot technology is part of Unified Extensible Firmware Interface (UEFI) specification. It is a useful and powerful tool which can be used to improve boot time security of an operating system by only allowing trusted code to be executed on that system. The technology is not new—it was part of UEFI specification since v2.0 (2006), and it is extensively used by x86 hardware vendors today. In the cloud world, however, the technology only became available fairly recently:Google made Shielded VMs generally available in April, 2019Microsoft announced Trusted Launch general availability in No

Red Hat Advanced Cluster Security Cloud Service graduates from limited availability to general availability! This release allows customers to access a fully managed software-as-a-service to help protect their containerized applications across the full application lifecycle in any major cloud environment. With this announcement, Red Hat Advanced Cluster Security Cloud Service is now feature-complete and fully tested by Red Hat.We understand the need to move quickly and at scale in the application development lifecycle. With Advanced Cluster Security Cloud Service, the Red Hat team takes on the

Quantum and post-quantum, what does it mean?Quantum computing is an emerging technology that uses superposition, entanglement and interference to manipulate the state of a qubit (quantum bit) — this allows a quantum computer to evaluate multiple possibilities at the same time because it can hold the existence of opposing values in parallel (like Schrödinger’s cat experiment).This is exciting for the prospects it can provide in computing and at the same time terrifying in the volume of attacks and security breaches it could contribute to. Quantum computing will make attacks possible that a

In October 2023, Red Hat Product Security announced the publishing of Vulnerability Exploitability eXchange (VEX) files, in beta form, for every single CVE ID that is recorded in the Red Hat CVE Database. Since then, we have actively collected feedback from our customers and discussed the best implementation with security scanning vendors. With this valuable input, we have worked on improving the production version of the files.We are pleased to announce that the VEX files are now ready for public consumption in production use cases. You can find these files in the following location:https://a

Good cyber security practices depend on trustworthy information sources about security vulnerabilities. This article offers guidance around who to trust for this information.In 1999, MITRE Corporation, a US Government-funded research and development company, realized the world needed a uniform standard for reporting and tracking software security bugs. MITRE worked with the IT industry to invent a concept called CVE, for Common Vulnerabilities and Exposures. The CVE concept caught on, and today, the industry acknowledges CVE as the universal standard for security vulnerability reporting.Softw

In today's networked digital world, application programming interface (API) security is a crucial component in safeguarding private information and strengthening the integrity of online transactions. The potential for attack has increased dramatically as a result of the growing use of applications that depend on APIs to communicate across systems and services.It's also important to protect against malevolent actors who try to take advantage of API vulnerabilities for illegal access, data breaches and service interruptions. Strong API security measures are needed to establish trust, reduce risk

If you want to know what post-quantum cryptography is or why any one will care, see part 1 of my series.On August 24, 2023 the National Institute of Standards and Technology (NIST) published its first draft of post-quantum algorithms. The technologies behind those algorithms were described in part 2 (hash-based signatures) and part 3 (lattice-based cryptography) of this series.This leads to the question: If NIST already has serviceable post-quantum replacements for the Rivest-Shamir-Adleman (RSA) and Elliptic Curve Cryptography (ECC) algorithms, why would they need any other technology? The an

In the ever-evolving world of financial services, staying compliant, secure and efficient is paramount. Financial institutions are under constant pressure to manage risks, adhere to regulatory requirements and ensure operational consistency. With the advent of new technologies, the complexity of managing these requirements has increased, making traditional manual processes inadequate. This is where the future of automation--automated policy as code--comes into play, offering a transformative approach to complement your governance, risk management and compliance (GRC) procedures.What is automat

The State of Kubernetes Security for 2024 report shows us that as the popularity of Kubernetes grows, the more important security planning and tooling becomes. Our annual report examines some of the most common cloud-native security challenges and business impacts that organizations face today, helping us to better understand their practices and priorities.The report is based on a survey of 600 DevOps, engineering and security professionals around the world in organizations ranging from small companies to large enterprises. It delivers insights into the following:Specific security risks facing

Red Hat Enterprise Linux 9.4 introduces the ability for centrally managed users to authenticate through passwordless authentication with a passkey, meaning it's an enterprise Linux distribution with Fast Identity Online 2 (FIDO2) authentication for centrally managed users! This is all built on the Identity Management solution already in Red Hat Enterprise Linux, but enhances product security by enabling passwordless, Multi-Factor Authentication (MFA), and Single Sign-On (SSO).What is Passkey?A passkey is a FIDO2 compatible device that can be used for user authentication. FIDO2 is an open authe