Open-Source Software Security
GitGuardian Blog
by Guest Expert
9h ago
Tiexin Guo, Senior DevOps Consultant, Amazon Web Services; Author | 4th Coffee
On March 29, which seemed to be another normal Friday, a Microsoft developer shocked the world by revealing an XZ Utils (data-compression utilities) backdoor. This backdoor could potentially enable unauthorized access via SSH and remote code execution (read the full story here). But wait a minute: how on earth does compression have anything to do with SSH access? Short answer: dependencies. Part of XZ Utils is the compression library liblzma, which isn't used directly by OpenSSH, but Debia…
Insights from HackSpaceCon 2024: Navigating Cybersecurity Challenges Ahead
GitGuardian Blog
by Dwayne McDaniel
3d ago
Directly east of Orlando, Florida, sits the Kennedy Space Center. Home to one of the largest buildings on earth, covering 8 acres, it is best known as NASA's primary launch center of American spaceflight. The location is surrounded by the beautiful Merritt Island National Wildlife Refuge, home to many bird species, which makes it the perfect home for a museum and science center devoted to learning about our advances in flight and space travel. It was at the KCS Center for Space Education that cybersecurity professionals gathered to advance their skills and share knowledge at HackSpaceCon 2024…
Secure-by-Design Software in DevSecOps
GitGuardian Blog
by Guest Expert
3d ago
C.J. May, information security professional and passionate programmer with broad interests encompassing many areas of IT. Twitter | GitHub
This is the second blog post in a series that is taking a deep dive into DevSecOps program architecture. The goal of this series is to provide a holistic overview of DevSecOps as a collection of technology-driven, automated processes. If you didn't read the first blog post, make sure to check that out too! This entry will be less about the "decision-making" side of things, and more about the developer experience. We will learn how to equip our…
Why Understanding Your Open Source Licenses Matters
GitGuardian Blog
by Dwayne McDaniel
1w ago
When choosing software for a project, developers have a number of factors to consider. Prime on the list is whether it can accomplish a particular function and help them get their project to production faster. Hopefully, they are also considering the security implications of any components they choose, looking at how widely used they are and how well they are being maintained. One factor that commonly gets overlooked is how those components are licensed. It could be easy to think, "They are freely available on GitHub and in package managers like PyPI and npm, so they must all be OK to use. R…
Early Lessons from the Sisense Breach
GitGuardian Blog
by Thomas Segura
1w ago
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is investigating a breach at business intelligence company Sisense. According to security researcher Brian Krebs, the breach involved attackers accessing a self-managed GitLab repository, leading to the exfiltration of customer data, including millions of access tokens and SSL certificates. This incident underscores the need for encrypted data storage and vigilant protection of access credentials.
Incident Recap
CISA warned of a breach at Sisense, advising customers to reset credentials and secrets. Attackers gained…
Why you need an SBOM (Software Bill Of Materials)
GitGuardian Blog
by Greg Bulmash
2w ago
There's been a lot of talk about SBOMs in tech media. This blog post will help answer three crucial questions you may be asking: What is an SBOM? Why do I need an SBOM? How do I get an SBOM?
What's an SBOM?
SBOM stands for "Software Bill of Materials." It works hand in hand with the concept of a Software Supply Chain; both terms come from manufacturing and supply chain management. It's essentially a structured list of the third-party components that go into your software. There are a number of SBOM standards, but we'll focus on the CycloneDX standard here. CycloneDX grew out of the Ope…
Managing Secrets Security at any Scale: introducing the GitGuardian Secrets Management Needs Quiz
GitGuardian Blog
by Dwayne McDaniel
2w ago
Ready to find out which secrets management approach is right for you? Take the GitGuardian Secrets Management Needs Quiz right now at https://www.gitguardian.com/secrets-management-guide
With numerous potential ways to store and use secrets for your organization's applications, it's crucial to find the best fit for your unique circumstances. While every application would ideally use a feature-rich enterprise secrets management platform, we understand that not every project can justify the enterprise price tag. GitGuardian is here to help with our online interactive quiz, designed to…
ATLSECCON 2024: Navigating the Future of Cybersecurity in Halifax
GitGuardian Blog
by Dwayne McDaniel
2w ago
Did you know Halifax, the capital of Nova Scotia, is considered to be "the economic center of Atlantic Canada" and is home to many impressive firsts? Halifax established the first public school and the first law school in Canada. It was also the first place in North America to turn on all-electric city lights. This spirit of innovation continues to shine through today, as the city is home to the largest cybersecurity conference on the Canadian Atlantic coast, the Atlantic Security Conference, this year better known as ATLSECCON 2024! This Atlantic time zone-based event drew together ov…
Guardian Goofs #4
GitGuardian Blog
by Greg Bulmash
3w ago
It's time for our monthly humorous look at security. Celebrating the release of our State of Secrets Sprawl 2024 report, it's what we found while scanning GitHub.
Things we found while scanning GitHub…
Taking the Long View: GitGuardian's Approach to Market Relevance in Cyber
GitGuardian Blog
by Eric Fourrier
3w ago
The landscape of appsec is more competitive than ever, but rushing to stay ahead isn't always the best strategy. In the grand scheme, nothing beats keen attention to detail and sturdy product development pillars. As the CEO of GitGuardian, a leading code security company, I'd like to share insights into our approach to cybersecurity. I hope this perspective will prove beneficial to security leadership and any other leaders straddling both the business and the technical aspects of their organizations.
Depth Over Breadth: A Keystone Strategy
Successful software development is not about releasin…