Tag security

Bookmarked Secrets Exposed: How to mitigate risk from secrets leaks — and prevent future breaches by Paul Roberts 
Software secrets are targeted by malicious actors. Here are three key steps to mitigate risk — and best practices you can take to prevent future breaches.

Yep! I have a list of common patterns I look for in logs and source code, but you really need to have developer education as well as tooling and processes.

Liked Getting to know the Open Source Vulnerability (OSV) format - Open Source Security Foundation by Jennifer Bly 
To keep the modern technological world of open source software safe, it is critical to efficiently and accurately communicate information about open source vulnerabilities. The OSV Schema, created through the collaboration between OpenSSF members and housed within the Vulnerability Disclosures Working Group, provides a minimal, easy-to-use first class JSON format for describing vulnerabilities in open source software.

Liked Mark (@computerist@mastodon.social)
OK, let's debate a definition. Today, let's talk about "vulnerability" in software. Your product, (let's call it A) uses a library (which we'll call X). X has a load of features. Among those is some function, "someFunc" which has a bug. It's supposed to be safe to call with untrusted data... but some clever researchers have found that they can craft input that results in remote code execution (RCE). X has a vulnerability. Does A?

Liked Terence Eden (@Edent@mastodon.social)
A question for #infosec practitioners. I've found an abandoned AWS bucket from a very large company. It serves all the images & fonts in their billing emails. I defensively registered it to prevent an attacker from injecting malicious content into the emails I receive. Then I emailed their security.txt contact to inform them and offering to transfer it back (for free, obviously). Was that the right thing to do? Should I have waited for a response from them before securing the bucket?

Liked Introducing Wolfi – the first Linux (Un)distro designed for securing the software supply chain
The massive push for software supply-chain integrity and transparency has left organizations struggling to secure their pipelines and manage vulnerabilities. Existing tooling doesn’t support supply chain security natively and requires users to bolt on critical features like signatures, provenance, and software bills of material (SBOM). Everything you need to know about securing the software supply chain.

Liked Infosys leaked FullAdminAccess AWS keys on PyPi for over a year by Tom Forbes 
Infosys has a lot to say about security. You can check out their website for a lot of buzzwords, but it’s clear from all the stock photos that they take security Very Seriously Indeed ™️. However, from what I’ve found recently, it seems that Infosys use the following Comprehensive Management-Endorsed Proficiently Driven Cybersecurity Strategy and Framework items:

- Don’t use AWS roles or temporary credentials for your developers. Instead, use IAM user keys and give them all FullAdminAccess permissions.
- Never rotate these keys and store them as plaintext in git.
- Use these keys to protect what appears to be medical data about COVID patients.
- Have someone publish those keys and the code in a public package to pypi.
- Keep those keys active for days after leakage.
- Make nonsensical pull requests to try and remove all references to the leak.

The Leak

This morning I woke up to a very strange pull request on my pypi-data project.