Understanding the Risks of Long-Lived Kubernetes Service Account Tokens

The popularity of Kubernetes (K8s) as the de facto orchestration platform for the cloud shows no sign of slowing. This graph, taken from the 2023 Kubernetes Security Report by the security company Wiz, illustrates the trend:

As adoption continues to soar, so do the security risks and, most importantly, the attacks threatening K8s clusters. One such threat comes in the form of long-lived service account tokens. In this post, we dive into what these tokens are, how they are used, the risks they pose, and how they can be exploited. We also make the case for short-lived tokens as the better security posture.
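As an added example (not code from the original post), the following Python decodes the claims of a service account token without verifying its signature and flags the long-lived kind. Legacy tokens stored in a `kubernetes.io/service-account-token` Secret carry no `exp` claim, while bound tokens issued through the TokenRequest API or projected into a pod carry `exp`, an `aud` and a `kubernetes.io` binding. The two tokens below are constructed in the script with a placeholder signature, and the 24-hour threshold is an assumption of this example.

```python
"""Audit helper: tell a legacy (long-lived) Kubernetes service account token
from a bound (short-lived) one by inspecting its JWT claims.

Added example; the signature is NOT verified here, so use it to triage tokens
found in repos or logs, not to authenticate anything."""
import base64
import json
import time
from typing import Optional

# Assumption of this example: anything valid for more than a day is long-lived.
MAX_LIFETIME_SECONDS = 24 * 3600


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT. No signature check (triage only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a JWT with three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def classify_sa_token(token: str, now: Optional[int] = None) -> dict:
    """Classify a service account token and report its lifetime."""
    claims = decode_claims(token)
    now = int(time.time()) if now is None else now
    exp = claims.get("exp")
    bound = claims.get("kubernetes.io", {})  # present only on bound tokens
    # 'sub' is system:serviceaccount:<namespace>:<name> for both token kinds.
    _, _, namespace, sa_name = claims["sub"].split(":", 3)

    if exp is None:
        kind = "legacy-secret-token"    # never expires; revocation = delete the Secret
    elif "pod" in bound:
        kind = "bound-projected-token"  # tied to a pod; the kubelet rotates it
    else:
        kind = "bound-token"            # e.g. issued via the TokenRequest API

    lifetime = None if exp is None else exp - claims.get("iat", now)
    return {
        "kind": kind,
        "namespace": namespace,
        "service_account": sa_name,
        "audience": claims.get("aud"),
        "long_lived": exp is None or lifetime > MAX_LIFETIME_SECONDS,
        "expired": exp is not None and exp <= now,
        "seconds_until_expiry": None if exp is None else exp - now,
    }


def make_unsigned_token(claims: dict) -> str:
    """Build a JWT-shaped string with a placeholder signature (constructed
    sample for the demo; real tokens are signed by the API server's key)."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "demo"}).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}.placeholder-signature"


# Constructed sample: claim layout of a token stored in a
# kubernetes.io/service-account-token Secret (no exp claim).
LEGACY_TOKEN = make_unsigned_token({
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "default",
    "kubernetes.io/serviceaccount/secret.name": "api-reader-token-abcde",
    "kubernetes.io/serviceaccount/service-account.name": "api-reader",
    "kubernetes.io/serviceaccount/service-account.uid": "11111111-1111-1111-1111-111111111111",
    "sub": "system:serviceaccount:default:api-reader",
})

# Constructed sample: claim layout of a projected token mounted into a pod.
BOUND_TOKEN = make_unsigned_token({
    "aud": ["https://kubernetes.default.svc"],
    "exp": 1700003600,
    "iat": 1700000000,
    "nbf": 1700000000,
    "iss": "https://kubernetes.default.svc.cluster.local",
    "kubernetes.io": {
        "namespace": "default",
        "pod": {"name": "api-client-7d9f", "uid": "22222222-2222-2222-2222-222222222222"},
        "serviceaccount": {"name": "api-reader", "uid": "11111111-1111-1111-1111-111111111111"},
    },
    "sub": "system:serviceaccount:default:api-reader",
})

if __name__ == "__main__":
    for label, tok in (("legacy", LEGACY_TOKEN), ("bound", BOUND_TOKEN)):
        print(label, classify_sa_token(tok, now=1700000000))
```

Run it against any token you find in a repository or log: a result with `kind` set to `legacy-secret-token` is the case this post warns about, because the token stays valid until someone deletes the backing Secret.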

AI and Cybersecurity in 2024: What’s Changing and Why It Matters

As 2024 unfolds, the cybersecurity landscape is witnessing a notable transformation, primarily driven by the increasing integration of artificial intelligence (AI). Here's a deeper dive into what these changes entail and their significance in the cyber world.

The New Regulatory Landscape: Navigating Major Shifts

One of the most significant changes we're seeing is in the regulatory framework governing cybersecurity. Public companies in the US are now required to disclose material cybersecurity incidents within four business days of determining that they are material, marking a significant shift in corporate governance and cybersecurity management. This new mandate is reshaping how businesses approach cybersecurity, with a strong emphasis on compliance and proactive management of cybersecurity risks.

Yes, GitHub’s Copilot Can Leak (Real) Secrets

There has been a growing focus on the ethical and privacy concerns surrounding advanced language models like ChatGPT and OpenAI GPT technology. These concerns have raised important questions about the potential risks of using such models. However, it is not only these general-purpose language models that warrant attention; specialized tools like code completion assistants also come with their own set of concerns.

A year into its launch, GitHub’s code-generation tool Copilot has been used by a million developers, adopted by more than 20,000 organizations, and generated more than three billion lines of code, GitHub said in a blog post.

Microsoft AI Inadvertently Exposed a Secret Giving Access to 38TB of Confidential Data for 3 Years

The Wiz Research team recently discovered that an over-provisioned SAS token had been lying exposed on GitHub for nearly three years. This token granted access to a massive 38-terabyte trove of private data. The Azure storage it unlocked contained further secrets, such as private SSH keys, hidden within the disk backups of two Microsoft employees. This revelation underscores the importance of robust data security measures.

What Happened?

Wiz Research recently disclosed a data exposure incident found in Microsoft's AI GitHub repository on June 23, 2023.
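The traits that made the exposure above so damaging can be checked mechanically whenever a SAS URL turns up in code, config or a commit: how far away the expiry (`se`) is, whether it is an account-level SAS (`ss`/`srt`) rather than one scoped to a container or blob (`sr`), whether the permissions (`sp`) go beyond read, and whether an IP range (`sip`) restricts it. The Python below is an added example, not Wiz's or Microsoft's code; both URLs are constructed for the demo, and the one-week lifetime threshold is an assumption.

```python
"""Audit an Azure Storage SAS URL for over-provisioning: long expiry,
account-wide scope, write-capable permissions and no network restriction.
Added example; the URLs below are constructed and carry fake signatures."""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# SAS permission letters that allow modifying data.
WRITE_LIKE = {"w": "write", "d": "delete", "a": "add", "c": "create", "u": "update"}
# Assumption of this example: a SAS valid for more than a week is long-lived.
MAX_LIFETIME = timedelta(days=7)
# Fixed "now" so the demo is reproducible (a real audit would use datetime.now(timezone.utc)).
AUDIT_NOW = datetime(2023, 6, 28, tzinfo=timezone.utc)


def parse_sas(url: str) -> dict:
    """Return the SAS query parameters of a storage URL as a flat dict."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def _sas_time(value: str) -> datetime:
    # SAS times are UTC ISO 8601; date-only values are accepted as well.
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError(f"unrecognised SAS timestamp: {value!r}")


def audit_sas(url: str, now: datetime) -> list:
    """Return a list of findings; an empty list means nothing stood out."""
    p = parse_sas(url)
    if not all(k in p for k in ("sig", "sp", "se")):
        return ["not a SAS URL: missing sig, sp or se"]
    findings = []

    expiry = _sas_time(p["se"])
    if expiry <= now:
        findings.append(f"expired on {expiry.isoformat()}")
    elif expiry - now > MAX_LIFETIME:
        findings.append(f"long-lived: still valid for {(expiry - now).days} days")

    # ss/srt only appear on an account SAS; a service SAS uses sr for one container/blob.
    if "ss" in p or "srt" in p:
        findings.append("account SAS: grants access to whole services "
                        f"(ss={p.get('ss')}, srt={p.get('srt')}), not one object")

    granted = [WRITE_LIKE[c] for c in p["sp"] if c in WRITE_LIKE]
    if granted:
        findings.append("write-capable permissions: " + ", ".join(granted))

    if "sip" not in p:
        findings.append("no IP restriction (sip): usable from anywhere")
    return findings


# Constructed URL shaped like an over-provisioned, decades-long account SAS.
OVERPROVISIONED = (
    "https://example.blob.core.windows.net/?sv=2020-08-04&ss=bfqt&srt=sco"
    "&sp=rwdlacup&se=2051-10-06T00:00:00Z&st=2020-07-20T00:00:00Z"
    "&spr=https&sig=CONSTRUCTED-SIGNATURE"
)
# Constructed URL for a read-only, single-blob, IP-bound, short-lived SAS.
SCOPED = (
    "https://example.blob.core.windows.net/models/weights.bin?sv=2020-08-04"
    "&sr=b&sp=r&se=2023-07-01T00:00:00Z&sip=203.0.113.0-203.0.113.255"
    "&sig=CONSTRUCTED-SIGNATURE"
)

if __name__ == "__main__":
    for url in (OVERPROVISIONED, SCOPED):
        print(url.split("?")[0], audit_sas(url, AUDIT_NOW) or ["ok"])
```

The scoped URL produces no findings; the over-provisioned one produces four, and any one of them is reason to rotate the signing key, since a SAS cannot be revoked on its own without rotating the account key or deleting the stored access policy it was issued against.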

The Art of Protecting Secrets: Eight Essential Concepts for SecOps Practitioners

Secrets, secrets, … and more secrets! You probably know that in an ever-expanding world of digital services, secrets are sprawling faster than ever. As security practitioners, we are expected to manage this ever-growing list of sensitive tokens, keys, and certificates with the same fluidity and with the same security guarantees, no matter the scale of operations.

Who Takes What?

The problem is that secrets management is still a major challenge for organizations, as highlighted by our recent State of Secrets in AppSec study, where 75% of respondents reported having experienced a past leak and less than half (48.1%) were completely confident in their capacity to prevent future leaks.

Top 10 Practices for Secure Software Development

Because of the increasing number of cyberattacks, security has become an integral element of the SDLC (Software Development Lifecycle). Secure software development is a requirement to protect software from cybercriminals and hackers, minimize vulnerabilities, and maintain users' privacy.

In this article, we’ll provide a checklist of the top secure development practices. The leading concepts are that the best developer security practices make security everybody’s responsibility and provide a software development environment that’s secure from the application’s inception to its release.

Wake-Up Call: Why It’s Urgent to Deal With Your Hardcoded Credentials

It is clear today that the year 2021 will go down in the annals of IT security as the year when organizations really became aware of their inevitable dependence on open-source, and more importantly, of the risks posed by unsupervised supply chains.

High-profile security incidents like the SolarWinds, Kaseya, and Codecov data breaches have shaken enterprises’ confidence in the security practices of third-party service providers.

Automate Boring Tasks With Hooks

Most developers hate doing things that could be automated.

As emphasized in this tweet, we often have to accept that we cannot do it. Fortunately, in the case of code reviews, a lot of things can indeed be automated. As my previous CTO told me once:

4 Reasons MSPs Should Monitor Their GitHub Footprint

In recent years, turning to MSPs has become very popular among companies wanting to accelerate the digitization of their businesses. With this surge in popularity, MSPs are broadening their range of responsibilities and now face the question: how do we ensure we can meet our cybersecurity responsibilities?

In this article, we will see why monitoring code-sharing platforms such as GitHub in real time should be a top priority for any MSP.

10 Rules for Better Cloud Security

Introduction

It is estimated that 50% of all global corporate data is already stored in the cloud, which says a lot about the explosive growth of this still relatively young sector. We all know the benefits that propelled this adoption: increased agility, ease of scaling, and cost-effectiveness.

But when it comes to security, things are more nuanced: for some, the idea of handing most if not all of a business's most valuable assets to a third-party organization is crazy, but for the vast majority of others, it makes perfect sense. You benefit from the enormous security resources cloud providers put in place to protect your data, with the very best engineers working 24/7 on that mission. Still, this is not quite the end of the story.

8 Easy Steps To Set Up Multiple Git Accounts (Cheat Sheet)

Disclaimer: Ok, Git "accounts" don't exist: we only have Git configurations. The title is an unorthodox shortcut to talk about accounts hosted by GitHub, GitLab, Bitbucket, and such. Not using these? Don't worry, you can still make great use of this cheat sheet to level up your .gitconfig game (look at step number 7).

Introduction

Let's imagine a scenario: you've just joined a new company. It's your first day and you need to set up your new machine. The first thing you do is rush to fetch your personal GitHub SSH key and install it so you can keep working on your hobby project.