Tara from Sovereign Tech Agency and Hugo will be hosting the next 'Memory Safety in the EU' meeting in Amsterdam, on Tue 26 Aug (during #OSSummit).

The meeting aims to finalise a statement on the importance of memory safety for security by design. This is a joint effort by several European stakeholders to put memory safety on the agenda of both industry and policy makers.

Read more here: https://tweedegolf.nl/en/blog/160/update-on-our-advocacy-for-memory-safety

@tarakiyee
@sovtechfund

Vernetzte Geräte und Cybersicherheit: Viele Smart-Home-Produkte haben gravierende Sicherheitslücken, z.B. schwache Passwörter oder unverschlüsselte Datenübertragung. Neue EU-Funkrichtlinien ab 1. August sollen Standards verschärfen. Händler & Konsumenten sind gefragt! https://www.srf.ch/sendungen/kassensturz-espresso/espresso/cybersicherheit-fuer-zuhause-vernetzt-aber-sicher-neue-regeln-fuer-smarte-geraete #Cybersicherheit #SmartHome #SecurityByDesign #IoT #newz

2025 isn't the year to play catch-up with hackers.

As AI-powered threats evolve—from self-morphing malware to laser-targeted phishing—the only defense is a smarter, faster, risk-based approach to vulnerability management.

Discover how real-time asset discovery, AI-led prioritization, and automated remediation are transforming cybersecurity into a continuous, intelligent practice.

Don’t let outdated scans and manual patching hold you back.

Read the full guide: https://tsaaro.com/blogs/staying-ahead-of-hackers-your-guide-to-vulnerability-management-in-2025/

One of our founding directors, Mike Eftimakis, sat down with Akshaya Asokan from Information Security Media Group (ISMG) to explore how CHERI is helping tackle one of cybersecurity’s biggest challenges: memory safety.

CHERI (Capability Hardware Enhanced RISC Instructions) is a hardware-based approach to security, designed to prevent around 70% of today’s common vulnerabilities. Backed by industry leaders and the UK government, we're working to ensure global adoption across the electronics supply chain.

Watch the interview to learn more about:

How CHERI addresses memory safety issues
Common hardware supply chain vulnerabilities
Progress on adoption by chipmakers
Scalability challenges associated with CHERI

Watch the full interview: https://www.bankinfosecurity.com/uks-cheri-alliance-expands-to-global-hardware-supply-chain-a-28942

Right to repair, but not to fix security?

Framework’s philosophy empowers users to open, upgrade, and repair their devices. But with great openness comes a security catch.

On the Framework 13, pressing the chassis intrusion switch 10 times resets the BIOS, removing passwords, Secure Boot, and more.

We flagged this to Framework. Their response?
"It's a feature..."

That’s risky. This reset might help with recovery, but it also hands an attacker physical access to critical settings.

Kieran explains the issue, what this means for security, and how to protect your device.

Read here: https://www.pentestpartners.com/security-blog/framework-13-press-here-to-pwn/

Are Web Components & Cybersecurity A Better Combo?

I'm not trying to dunk on popular #UI #frameworks – I'm sure they're totally fine for #cybersecurity stuff, probably get loads of reviews and #audits.

But from my angle: Web Components are *native* to the #browser. Doesn't that just inherently reduce the risk of **#SupplyChainAttacks** (you know, like a rogue `npm install` on a bad network) for your #AppSecurity?

Or am I overthinking it, and the #framework choice is less important than the #browser, #OS, or #device running it? What are your thoughts, #DevCommunity?

---

Quick context: I've got a #ReactJS #messagingApp (repo here: https://github.com/positive-intentions/chat) and a separate #UIFramework (repo here: https://github.com/positive-intentions/dim) built with #Lit (which uses Web Components). I'm genuinely wondering if there's a compelling #cybersecurity reason to refactor the chat app to use my #WebComponent UI framework. Might be a whole new level of #SecurityByDesign for #FrontEndDev.

FYI, same question's on Reddit here: https://www.reddit.com/r/ExperiencedDevs/comments/1lmk1rg/are_web_components_better_for_cybersecurity/, got some good #insights, but want to make sure nothing's getting overlooked! Let's discuss #InfoSec #WebDev #JavaScript #OpenSource #TechQuestion.

IT-Security in komplexen Großprojekten – Vortrag auf der WINDFORCE Konferenz 2025

Wir freuen uns, dass unser Kollege Jan Grotelüschen gemeinsam mit Simon Gustafson, Information Security Manager der Amprion GmbH, auf der WINDFORCE Konferenz in Bremerhaven sprechen wird!

Datum: 18. Juni 2025
Zeit: 9:30 – 10:30 Uhr (Vortragszeit: 20 Minuten)
Themenblock: KRITIS

Thema des Vortrags:
„Anspruch und Realität: IT-Security in komplexen Großprojekten am praktischen Beispiel“
Am Beispiel der Offshore-Projekte BorWin/DolWin-4 sowie BalWin-1 und -2 geben die Referenten einen praxisnahen Einblick in die Herausforderungen und Erkenntnisse der IT-Security in Großprojekten.

Schwerpunkte des Vortrags:
Überblick über relevante IT-Security-Regularien (EU-weit & national)
Regulatorische Anforderungen für Betreiber, Hersteller und Integratoren
Einblick in NIS-2, RCE, CRA, IT-SiG 2.0
Lessons Learned aus den Phasen: Vorbereitung, Ausschreibung, Design & Implementierung

Mehr zur WINDFORCE Konferenz: https://windforce.info/windforce-2025/program/

Wir freuen uns auf spannende Diskussionen und den Austausch mit Fachkollegen!

ICYMI: “Every TWINSCAN EUV ships with ~45 million lines of code […] Bugfixes and features start out as *word documents* sent to a series of review boards…”
https://alecmuffett.com/article/113264
#SecurityByDesign #SoftwareEngineering #bugs

*Last Call*

I have a #PhD position for UK students, available with myself and @bentnib

This project will be looking at developing new methods for asserting the resilience of existing communicating systems by developing new static analysis methods derived from advanced programming language research.

*Hard Deadline*: Wednesday 16th April 2025

You will belong to @StrathCyber and @mspstrath, as well as gaining access to @spli

https://www.strath.ac.uk/studywithus/postgraduateresearchphdopportunities/science/computerinformationsciences/towardstype-drivenassuranceofcommunicatingsystems/

(Ignore the deadline on the advert)

Please spread the words.

I have a funded #PhD position for UK students, available with myself and @bentnib

This project will be looking at developing new methods for asserting the resilience of existing communicating systems by developing new static analysis methods derived from advanced programming language research.

Deadline: Thursday 20th March 2025

You will belong to @StrathCyber and @mspstrath, as well as gaining access to @spli

For now more details about the project are on my personal website.

https://tyde.systems/page/position/2025-jarss/

Please spread the words.

Es kommt auf Hersteller und Entwickler an, um die Cyberesilienz in Deutschland und Europa zu stärken. Als BSI unterstützen wir euch in Sachen #CyberResilienceAct. Weitere Infos zum #CRA liefert euch der aktuelle Lagebericht zur IT-Sicherheit in Deutschland: https://bsi.bund.de/Lagebericht sowie unsere Webseite https://www.bsi.bund.de/dok/CRA, die auch zu den Handreichungen führt.

Wir waren Teil der 5G.NRW-Jahreskonferenz. Hier kamen Expertinnen und Experten aus Forschung, Wirtschaft und Politik zusammen, um über Chancen und Herausforderungen von #5G und #6G zu diskutieren.

Unsere Präsidentin Claudia Plattner legte in ihrer Keynote einen klaren Fokus auf #Cybersecurity, Resilienz und Souveränität: Wir brauchen dringend #SecuritybyDesign – nur so können wir eine zukunftsfähige und vertrauenswürdige digitale Infrastruktur schaffen, die uns allen nachhaltig dient.

#EuGoingDark – 's clandestine #surveillance plan is about to be finalized:

15 Nov.: final meeting
27 Nov.: presentation of final report

→ @andre_meister has a new document: https://chaos.social/@andre_meister/113361602775442149

Overview of the plan: https://www.patrick-breyer.de/en/posts/going-dark-expert-group-eus-surveillance-forge/
#DataRetention
" #SecurityByDesign "
access to devices
undermining #encryption #e2ee

Mich wundert https://www.heise.de/news/Studie-Technik-geraet-zunehmend-in-den-Fokus-von-Verschwoerungstheorien-9818483.html überhaupt nicht. Solange Firmen nicht Klartext reden und a) #SecuritybyDesign nutzen und b) deutlich machen _welche_ Daten sie zu _welchem_ Zweck sammeln und diese Behauptung dann nachweisbar ist (alles andere ist FUD und Versprechen wurden oft genug gebrochen) ist es klar, das Menschen der Technologie misstrauen.

Is het misschien toch niet zo'n slecht idee om een computer te gebruiken met een OS dat veilig is vanuit het ontwerp, zoals open source #Linux? Dan is beveiligings-software niet eens nodig #crowdstrikefalcon #MSWindowsServers #Microsoftcloud #SecurityByDesign

Termintipp: #CRA - welche grundlegenden Anforderungen müssen Produkte mit digitalen Elementen für den Cyber Resilience Act erfüllen? Unser Experte Steven Arzt gibt einen Überblick in der #LunchLecture am 3.7. von 12 - 12.30 Uhr.
Für Hersteller, Produktentwickler und alle, die sich für den Cyber Resilience Act interessieren.

Hier geht es zur kostenfreien Anmeldung https://www.athene-center.de/aktuelles/veranstaltungen/lunch-lectures-zum-cra-mindest-sicherheits-anforde-1763
#SecurityByDesign #CRA #LunchLecture

#xz attack: Unknown persons attempted to install a global, highly dangerous backdoor in IT systems.

Beware: The Commission is planning "legal" backdoors for devices & apps! PR-speak: #AccessByDesign / #SecurityByDesign
https://home-affairs.ec.europa.eu/document/download/17739cd7-098e-4df3-8f41-37be73560086_en?filename=HLG-WG1-background-document-05122023_en.pdf @GreensEFA
More: #EUGoingDark

Unbekannte wollten mit dem #xz-Angriff eine globale, brandgefährliche Hintertür in IT-Systeme einbauen.

Vorsicht: Die -Kommission plant "legale" Hintertüren f. Geräte & Apps! PR-Sprech: #AccessByDesign / #SecurityByDesign
https://home-affairs.ec.europa.eu/document/download/17739cd7-098e-4df3-8f41-37be73560086_en?filename=HLG-WG1-background-document-05122023_en.pdf
Mehr: #EUGoingDark

@euractiv_tech brief:

„… [ The #EUGoingDark ] group ] …, was engaging in consultations with [NGOs], according to a post by the #PirateParty. MEP @echo_pbreyer noted that the group 'should be dissolved' because 'undemocratic preliminary negotiations are conducted' by them 'with the predefined goal to re-introduce EU-wide blanket #DataRetention of citizen’s communications data, to undermine secure #encryption and to introduce the #SecurityByDesign -concept'.“
https://www.euractiv.com/section/digital/news/eu-commission-opens-formal-investigation-into-tiktok-orange-masmovil-merger-approved/