Home / Companies / GitGuardian / Blog / September 2021

September 2021 Summaries

7 posts from GitGuardian

Filter
Month: Year:
Post Summaries Back to Blog
Open-source software has become a fundamental component of modern software development, with its integration into commercial applications recognized by the European Commission as a public good. However, its widespread use raises security and compliance concerns, as vulnerabilities can expose organizations to risks. While discussions often focus on consumer-side security measures, this text highlights the perspective of open-source maintainers like Bryan Van de Ven, co-creator of the Bokeh project, a Python library for data visualization. Bokeh, with over 2.5 million monthly downloads, faces threats such as typosquatting, compromised build pipelines, and threats to asset integrity, prompting maintainers to implement robust security practices. Tools like GitGuardian are employed to detect leaked credentials and prevent security breaches, ensuring the integrity of the software. As open-source projects continue to grow, maintaining security becomes crucial, requiring vigilance and innovative solutions to protect the software supply chain from malicious actors.
Sep 28, 2021 1,262 words in the original blog post.
Celebrating its 20th anniversary, the Open Web Application Security Project (OWASP) continues to be a pivotal open-source resource in web security, providing developers with vital methodologies, best practices, tools, and intelligence. Known for the widely-referenced OWASP Top Ten list that highlights critical web application vulnerabilities, the project has recently updated the list for the first time since 2017, marking a significant change by renaming "Sensitive Data Exposure" to "Cryptographic Failures" to better address the root causes of vulnerabilities. The Foundation is hosting a free 24-hour global event and actively encourages feedback and peer-reviews from the open-source community to continuously refine its resources. Over the past two decades, OWASP has significantly influenced the web security landscape, guiding developers through the complexities of evolving applications, and continues to inspire contributions from organizations like GitGuardian.
Sep 24, 2021 302 words in the original blog post.
GitGuardian has introduced Validity Checks for Internal Repositories Monitoring to enhance application security by allowing users to verify if leaked credentials are still valid. This feature enables prioritization of incident remediation, as valid exposed credentials pose a security threat and need immediate attention. Validity Checks work by using specific and generic detectors, which analyze the source code to identify secrets and then attempt to verify their validity through the least intrusive calls to associated services. The results can indicate whether a secret is valid, invalid, unverifiable, or unknown, aiding security teams in obtaining proof of revocation and enabling developers to confirm remediation actions. Although currently optimized for specific secrets, GitGuardian aims to extend validity checks to generic secrets by allowing users to configure custom endpoints, thus improving the monitoring process.
Sep 22, 2021 700 words in the original blog post.
Offensive security expert Philippe Caturegli emphasizes that no information is truly hidden from cybercriminals, who have the tools and intelligence to uncover sensitive data even when it's believed to be well-concealed. He highlights the common mistake of leaving sensitive information in development folders and stresses that anything accessible on a website should be considered public. Caturegli describes techniques used by attackers, such as Open Source Intelligence and DNS enumeration, to find hidden or forgotten information. He shares an example of exploiting a Java application's use of the Math.random function to generate predictable one-time passwords, illustrating the importance of protecting intellectual property and hardcoded secrets in code. He warns against underestimating the significance of any piece of information, as attackers often piece together multiple items to succeed. Social engineering remains a potent threat, particularly with profiles like sales reps or support teams who might inadvertently grant access. Caturegli advocates for a security approach focused on detection and early response, suggesting that security teams should not only prevent breaches but also implement alert systems to detect intrusions swiftly. He invites readers to follow his insights in the Red Team Chronicle through a newsletter or social media platforms.
Sep 15, 2021 606 words in the original blog post.
GitGuardian, a leading security app on the GitHub Marketplace, plays a crucial role in enhancing software security by preventing sensitive information leaks in code repositories. With over 110,000 GitHub users and 2.5 million repositories, the platform is designed to bridge the gap between application security and engineering teams, emphasizing a strong Developer Experience (DX). Users, from solo developers to larger teams, praise its real-time notification system for quickly identifying and managing secrets leaks, thereby minimizing security risks. While some users suggest improvements like deeper integration with version control systems and IDEs, the overall feedback highlights GitGuardian's importance in the increasingly critical area of secret detection and incident reporting. The company remains committed to educating developers about security risks and continuously improving its offerings based on community feedback.
Sep 10, 2021 659 words in the original blog post.
GitGuardian has introduced a new feature called Presence Checks for Internal Repositories Monitoring, which helps users verify whether leaked secrets are still present or completely removed from their git history. This tool works by making an API call to the version control system (such as GitHub, GitLab, or Bitbucket) to fetch the commit associated with a secret incident, allowing users to prioritize incidents and obtain proof of deletion. The feature is designed to provide security teams with up-to-date information on the status of secret occurrences, although it emphasizes that remediation should start with revoking and rotating the secret itself. GitGuardian aims to address alert fatigue by ensuring its notifications are meaningful and non-intrusive, and plans to introduce Validity checks in future updates to further enhance incident management.
Sep 08, 2021 718 words in the original blog post.
On May 12, 2021, the National Institute of Standards and Technology (NIST), under Executive Order 14028, initiated efforts to enhance U.S. cybersecurity by defining "critical software" and providing guidelines for its security, primarily targeting federal agencies but also expected to influence the broader software industry. Critical software, as defined by NIST, includes software with elevated privileges, direct access to network resources, control over data access, or those operating outside normal trust boundaries, making them potential targets for cyber threats. The guidelines emphasize protecting such software through measures like multi-factor authentication, data encryption, and network segmentation, and outline practices for software inventory maintenance, patch management, and incident response. The initiative aims to help businesses protect digital assets, particularly internet-facing applications, by fostering a robust cybersecurity framework, with future articles set to explore vendor testing standards for software source code.
Sep 02, 2021 1,276 words in the original blog post.