BSidesSF 2024: A Community Event Anchored To Hope For The Future Of Security
GitGuardian Blog
by Dwayne McDaniel
13h ago
You can't see The Golden Gate Bridge from downtown San Francisco, but if you stand at the right intersections, you can see The San Francisco-Oakland Bay Bridge. While not as famous as its ocean-facing sister, the Bay Bridge, as most people call it, carries almost twice the number of daily commuters back and forth between SF and the East Bay. It felt very appropriate that it was closer to this bridge that so many security practitioners got together to find common ground and discuss how to make a better and safer future together at BSides SF 2024. This year marked the largest BSides San Francis ..read more
How GitGuardian Helps With PCI DSS 4.0's Password Requirements
by Greg Bulmash
3d ago
Although PCI DSS 4.0 was released in March 2022, certain parts became either required or a suggested best practice in March 2024 and the rest will become required in March 2025. We looked for the parts where we could help current and future customers with their compliance efforts. While most of the changes around passwords have to do with complexity and rotation, one stood out: requirement 8.6.2, which has to do with hard-coded passwords in software. GitGuardian's flagship secrets detection service embodies 8.6.2. 8.6.2: Passwords/passphrases for any application and system accounts that c ..read more
Understanding GitGuardian's Self-Hosted Solution
by Greg Bulmash
6d ago
At GitGuardian, as cybersecurity experts, we understand there are a variety of reasons our customers might not want a cloud-based solution, but still want the services we have to offer. The issue for them is that the bulk of our products analyze source code, meaning our cloud-based offering requires passing their data through our servers via the internet. For some of these customers, having that data leave their premises is not an option. It may be any combination of the following leading to this decision: Highly cautious internal security policies. Contractual confidentiality requirements b ..read more
Vulnerability of the Month - Controversy of the JetBrains TeamCity CVE-2024-27198 & CVE-2024-27199
by Mackenzie Jackson
1w ago
In this blog series, we look at a new CVE each month and discuss its impact, discovery, and remediation. This month we are diving into the JetBrains TeamCity vulnerabilities, which allow hackers to take control over CI/CD servers by bypassing authentication. We will discuss the technical details of the vulnerability and then dive into some discussion around the controversy of this disclosure (we will spill the CVE tea!). CVE # | Description | Base Score | EPSS Score | Dates (for both): CVE-2024-27198 Authentication bypass vulnerability in the web component of TeamCity ..read more
How Software Composition Analysis (SCA) Addresses President Biden's Executive Order (EO) 14028
by Greg Bulmash
1w ago
Running SCA (Software Composition Analysis) on your software is an essential step in preparing the documentation you'll need for your software to meet the requirements of the USA's "Executive Order on Improving the Nation's Cybersecurity" (EO 14028). What is Executive Order 14028? In 2020, SolarWinds revealed that it had been the victim of a hack that added malware to official updates to its Orion network monitoring software, distributing that malware to tens of thousands of systems. Victims included the Departments of Homeland Security, State, Commerce, and the Treasury. In response to this ..read more
PHP[TEK] 2024: Pioneering the Future of Web Development in Chicago
by Dwayne McDaniel
1w ago
Chicago might best be known internationally for its iconic skyscrapers and a certain movie about two brothers who played the blues. It is also home to a lot of technical firsts and advancements; the zipper, the dishwasher, and the Ferris wheel all premiered in Chicago. That spirit of innovation lives on today as the city hosted a conference to advance the state of the art for building web applications, PHP[TEK] 2024. PHP[TEK] is the longest-running PHP-focused conference in the US. This year, around 400 participants came from all over the world to talk about open source, frameworks, and how w ..read more
Zombie Leaks: Unrevoked Secrets Lurking on GitHub
by Thomas Segura
1w ago
In our latest State of Secrets Sprawl, we shed light on some interesting findings about secrets accidentally published to public repositories over the past year. While the sheer number of secrets we discovered on GitHub was certainly noteworthy, what really caught our attention this year was what happened after we identified the exposed secrets. In this blog, we are going to explore the concept of zombie leaks and why they deserve more attention. What's a Zombie Leak? We coined this term after a startling (yet somewhat unsurprising) observation: repository owners often react to a sensitive le ..read more
Open-Source Software Security
by Guest Expert
2w ago
Tiexin Guo, Senior DevOps Consultant, Amazon Web Services, Author | 4th Coffee. On March 29, which seemed to be another normal Friday, a Microsoft developer shocked the world by revealing an XZ Utils (data-compression utilities) backdoor. This backdoor could potentially enable unauthorized access via SSH and remote code execution (read the full story here). But wait a minute, because how on earth does compression have anything to do with SSH access? Short answer: dependencies. Part of XZ Utils is a compression library, liblzma, which isn't used directly by OpenSSH, but Debia ..read more
Insights from HackSpaceCon 2024: Navigating Cybersecurity Challenges Ahead
by Dwayne McDaniel
2w ago
Directly east of Orlando, Florida, sits the Kennedy Space Center. Home to one of the largest buildings on earth, covering 8 acres, it is best known as NASA's primary launch center of American spaceflight. The location is surrounded by the beautiful Merritt Island National Wildlife Refuge, home to many bird species, which makes it the perfect home for a museum and science center devoted to learning about our advances in flight and space travel. It was at the KSC Center for Space Education that cybersecurity professionals gathered to advance their skills and share knowledge at HackSpaceCon 2024 ..read more
Secure-by-Design Software in DevSecOps
by Guest Expert
2w ago
C.J. May, information security professional and passionate programmer with broad interests encompassing many areas of IT. Twitter | GitHub. This is the second blog post in a series that is taking a deep dive into DevSecOps program architecture. The goal of this series is to provide a holistic overview of DevSecOps as a collection of technology-driven, automated processes. If you didn't read the first blog post, make sure to check that out too! This entry will be less about the "decision-making" side of things, and more about the developer experience. We will learn how to equip our ..read more