Home / Companies / GitGuardian / Blog / August 2021

August 2021 Summaries

7 posts from GitGuardian

Filter
Month: Year:
Post Summaries Back to Blog
Danny, the Chief Information and Security Officer at a healthcare tech company, highlights the significant benefits his organization has gained from using GitGuardian Internal and Public Monitoring tools, particularly in enhancing productivity and drastically reducing remediation time. By allowing authors to address issues before reaching reviewers, the tools have improved visibility and cut remediation time from days to mere minutes or hours, marking an 85 percent improvement. Danny emphasizes the critical importance of secrets detection in application security programs, noting that automated detection adds a valuable layer of protection, especially for teams with varying experience levels. He praises the stability, scalability, and ease of deployment of GitGuardian, describing the integration process as swift and straightforward, with the product intelligently surfacing relevant information without causing an overload of false positives. Encouraging others to adopt GitGuardian, Danny asserts that its ease of integration and immediate value can be quickly realized through test scenarios, and he notes that it is available for free for individual developers or small teams.
Aug 25, 2021 449 words in the original blog post.
Docker images, commonly used for software deployment due to their portability, pose a significant security risk as they often contain hidden sensitive information, or "secrets," such as API keys and credentials. These secrets can originate from the source code embedded within the images or from the Dockerfile configuration itself, potentially bypassing security checks if not managed properly. GitGuardian's research revealed that 7% of public Docker images contain such secrets, a lower percentage than found in public source code, yet still significant enough to necessitate concern. The layered structure of Docker images can obscure secrets, making them hard to detect, which is why GitGuardian has developed a dedicated secret scanner to find and address these vulnerabilities. Although security practices can mitigate some risks, automated scanning is recommended for comprehensive protection, and GitGuardian provides tools like the Docker image scanner in CI environments to help secure Docker images.
Aug 23, 2021 1,507 words in the original blog post.
Black Hat 2021, a major cybersecurity event, highlighted the increasing threat of supply chain and ransomware attacks over the past year, emphasizing their economic implications. Keynote speakers like Jeff Moss and Matt Tait discussed how these attacks are altering the cybersecurity landscape by changing the economics for attackers, enabling them to target a vast range of organizations through supply chain vulnerabilities. The conference also addressed the rising risks for small and medium-sized businesses, as attackers exploit supply chain weaknesses to access these less-defended targets. Tim Mackey explained the complexity of the software supply chain, illustrating how multiple layers of dependencies can create vulnerabilities. The event underscored the need for collaboration between government and private sectors, with initiatives like the Joint Cyber Defense Collaborative (JC/DC) aiming to tackle these challenges. The conference concluded with a call to action for enhanced cooperation to address the evolving cyber threat environment.
Aug 16, 2021 1,941 words in the original blog post.
Tiexin Guo, a Senior DevOps Consultant at Amazon Web Services, shares insights on building a modern CI pipeline using GitHub Actions, focusing on testing, building, and pushing Docker images while ensuring security through GitGuardian's ggshield action. He recounts his experience in an agile team managing over 25 microservices and facing the challenges of adding a new stage to an existing CI pipeline characterized by its complexity and monolithic structure. The article provides a step-by-step guide to constructing a declarative CI pipeline, demonstrating the use of Golang for building a demo app, utilizing Docker multi-stage builds, and implementing GitHub Actions for efficient and secure CI workflows. It emphasizes the importance of security by integrating secret scanning into the CI pipeline and highlights the advantages of a daemon-less Docker build using tools like Kaniko and Podman, which align with OCI standards to enhance security in containerized CI environments.
Aug 10, 2021 2,757 words in the original blog post.
Static and Dynamic Application Security Testing (SAST and DAST) are established methods in application security, often used to secure software during the software development lifecycle (SDLC). SAST involves analyzing source code for vulnerabilities without executing the program, while DAST tests the application from the outside, mimicking real-world attacks. Despite their complementary roles, these methods have limitations, such as false positives in SAST and the high cost and late-stage execution of DAST. As the development landscape evolves with DevOps and Agile practices, new security approaches like Software Composition Analysis, Interactive Application Security Testing, and Runtime Application Self-Protection are emerging to address modern threats. One significant challenge highlighted is the issue of hardcoded secrets in source code, which traditional SAST and DAST cannot adequately detect. This has led to the development of automated secrets detection tools, which aim to identify and manage secrets across both internal and external assets, acknowledging the dynamic and collaborative nature of current software development practices.
Aug 06, 2021 1,604 words in the original blog post.
GitGuardian has launched on the GitHub Marketplace, securing the top spot in the Security Category, and aims to streamline its integration with GitHub accounts for enhanced monitoring of repositories for hardcoded credentials. The app automatically scans new and historical commits for leaked credentials, providing users with a comprehensive view of their repository's security health. GitGuardian offers free access to its monitoring services for individual developers, open-source projects, and teams of up to 25 developers. GitHub Marketplace facilitates easy access to GitGuardian, where developers can install and authorize the app to secure their code against vulnerabilities. GitGuardian, a cybersecurity startup, addresses the issue of secrets sprawling in source code by automating secrets detection to bolster application security and data loss prevention, assisting developers and security professionals globally in safeguarding software development and enforcing security policies.
Aug 05, 2021 488 words in the original blog post.
Shimon Brathwaite discusses the ongoing efforts of the National Institute of Standards and Technology (NIST) to develop standards for secure coding practices aimed at mitigating security vulnerabilities in software. NIST, a part of the US Department of Defense, plays a crucial role in establishing cybersecurity standards and is now focusing on expanding its expertise into secure coding to prevent vulnerabilities like cross-site scripting and SQL injections. This initiative is aligned with a risk-based approach, which considers the specific threats an organization might face and suggests appropriate controls to enhance software security throughout the Software Development Lifecycle (SDLC). The new standards aim to reduce development delays, address root causes of vulnerabilities, and improve collaboration between development, operations, and security teams. NIST is also working on creating both high-level international standards and practical guidelines that companies can implement to ensure secure software development. This effort is part of a broader government mandate to enhance cybersecurity, as highlighted by Executive Order 14028, which focuses on securing the software supply chain.
Aug 04, 2021 1,175 words in the original blog post.