Red Hat Blog

Quantum and post-quantum, what does it mean?Quantum computing is an emerging technology that uses superposition, entanglement and interference to manipulate the state of a qubit (quantum bit) — this allows a quantum computer to evaluate multiple possibilities at the same time because it can hold the existence of opposing values in parallel (like Schrödinger’s cat experiment).This is exciting for the prospects it can provide in computing and at the same time terrifying in the volume of attacks and security breaches it could contribute to. Quantum computing will make attacks possible that a

In October 2023, Red Hat Product Security announced the publishing of Vulnerability Exploitability eXchange (VEX) files, in beta form, for every single CVE ID that is recorded in the Red Hat CVE Database. Since then, we have actively collected feedback from our customers and discussed the best implementation with security scanning vendors. With this valuable input, we have worked on improving the production version of the files.We are pleased to announce that the VEX files are now ready for public consumption in production use cases. You can find these files in the following location:https://a

Good cyber security practices depend on trustworthy information sources about security vulnerabilities. This article offers guidance around who to trust for this information.In 1999, MITRE Corporation, a US Government-funded research and development company, realized the world needed a uniform standard for reporting and tracking software security bugs. MITRE worked with the IT industry to invent a concept called CVE, for Common Vulnerabilities and Exposures. The CVE concept caught on, and today, the industry acknowledges CVE as the universal standard for security vulnerability reporting.Softw

In today's networked digital world, application programming interface (API) security is a crucial component in safeguarding private information and strengthening the integrity of online transactions. The potential for attack has increased dramatically as a result of the growing use of applications that depend on APIs to communicate across systems and services.It's also important to protect against malevolent actors who try to take advantage of API vulnerabilities for illegal access, data breaches and service interruptions. Strong API security measures are needed to establish trust, reduce risk

If you want to know what post-quantum cryptography is or why any one will care, see part 1 of my series.On August 24, 2023 the National Institute of Standards and Technology (NIST) published its first draft of post-quantum algorithms. The technologies behind those algorithms were described in part 2 (hash-based signatures) and part 3 (lattice-based cryptography) of this series.This leads to the question: If NIST already has serviceable post-quantum replacements for the Rivest-Shamir-Adleman (RSA) and Elliptic Curve Cryptography (ECC) algorithms, why would they need any other technology? The an

In the ever-evolving world of financial services, staying compliant, secure and efficient is paramount. Financial institutions are under constant pressure to manage risks, adhere to regulatory requirements and ensure operational consistency. With the advent of new technologies, the complexity of managing these requirements has increased, making traditional manual processes inadequate. This is where the future of automation--automated policy as code--comes into play, offering a transformative approach to complement your governance, risk management and compliance (GRC) procedures.What is automat

The State of Kubernetes Security for 2024 report shows us that as the popularity of Kubernetes grows, the more important security planning and tooling becomes. Our annual report examines some of the most common cloud-native security challenges and business impacts that organizations face today, helping us to better understand their practices and priorities.The report is based on a survey of 600 DevOps, engineering and security professionals around the world in organizations ranging from small companies to large enterprises. It delivers insights into the following:Specific security risks facing

The Marvin Attack is a new side-channel attack on cryptographic implementations of RSA in which the attacker decrypts previously captured ciphertext by measuring, over a network, server response times to specially crafted messages. The attacker also may forge signatures with the same key as the one used for decryption. Red Hat published the principles and technical background of the Marvin Attack in September of 2023.Since that time, we have identified lots of other vulnerable implementations and have shipped fixes. Note that most of the CVEs in applications that use OpenSSL have only received

Red Hat Enterprise Linux 9.4 introduces the ability for centrally managed users to authenticate through passwordless authentication with a passkey, meaning it's an enterprise Linux distribution with Fast Identity Online 2 (FIDO2) authentication for centrally managed users! This is all built on the Identity Management solution already in Red Hat Enterprise Linux, but enhances product security by enabling passwordless, Multi-Factor Authentication (MFA), and Single Sign-On (SSO).What is Passkey?A passkey is a FIDO2 compatible device that can be used for user authentication. FIDO2 is an open authe

Today we're excited to announce a new mechanism for admins to safely and easily customize an operating system deployment with highly refined needs while taking full advantage of the automation and power provided by Red Hat OpenShift. This means you don't have to second guess the need for special device drivers for uncommon hardware, system agents, or organizational demands that require more control over your host operating system.Red Hat OpenShift is designed to run on a wide variety of hardware and operational contexts. OpenShift runs so well in a variety of environments that admins rarely ne