Jacob DePriest’s Post

Is it just me or does it sound strange for GitHub to offer security fixes that their copilot served up in the first place? If they understand the security issues, shouldn't that be baked into the code Copilot offers up to begin with? I get that the Code Generator is tapping into a wide range of open source. But there are several tools on the market today from actual security companies that have more credibility. I guess it's not exactly the fox guarding the henhouse... https://lnkd.in/d3bBAY7y

Want to level up your security research game? GitHub has you covered! I just read this eye-opening article from the GitHub Security Lab, and it's a game-changer for anyone interested in discovering, verifying, and disclosing vulnerabilities in open source software. The key takeaways: • GitHub's integrated tools like code scanning, CodeQL, Codespaces, and private vulnerability reporting streamline the entire research process • Finding interesting targets involves factors like programming language, app type, and project exposure • The OpenSSF Criticality Score helps prioritize high-profile projects • CodeQL automates security checks with semantic and dataflow analysis • Codespaces provides a safe, efficient environment for exploitation and debugging • Private Vulnerability Reporting simplifies collaboration between researchers and maintainers The article walks through a real-life case study of auditing the Frigate project for a deserialization vulnerability. It's a fascinating read! If you're into security research or want to contribute to securing the open source ecosystem, this is a must-read: "Security research without ever leaving GitHub: From code scanning to CVE via Codespaces and private vulnerability reporting" https://lnkd.in/g8CNpef8 Happy Thursday! Let me know your thoughts. Casey Jones #SecurityResearch #OpenSource #GitHub #CodeQL #Cybersecurity

Learn how to use OpenPubkey to bind public keys to workload identities using GitHub Actions and Docker. And find out how Docker is using OpenPubkey with GitHub Actions to sign #Docker Official Images and improve supply chain security. https://lnkd.in/gJVRKZjp

It's SecTalks meetup time again! Topic of the month: eBPF & security! Linux is in everyone’s life; personal and/or professional, probably you are already using it, and if not, you are but you don’t know it yet! eBPF? Runtime / language to work directly with the kernel in Linux (flexible and efficient virtual machine-like construct) - used in a number of kernel subsystems (e.g. networking, tracing and security (e.g. sandboxing)!). More efficient, more secure! We’ll use Cilium as an example for an eBPF based implementation, talk about security and how you can do security better, and easier. Bringing back some wisdom from the Config Management camp earlier this month (yes, after FOSDEM and before Hackerhotel - February was a busy month ^_^), we’ll use the eBPF / Cilium to engage in yet another month of interesting security conversations, in another DevOps+Security topic (devsecops, secdeops, + other flavors…). Can’t make it this month? See you next month --> March topic: Incident Response! We’ll deep dive on the how’s and the why’s and we’ll look at some (major) real world incidents, and how for us all to get better at IR! All directly from the eyes and experience of the well respected Microsoft’s DART team! Big thanks to Boi Sletterink for last month’s Cryptography wisdom in our January session - it was a bit longer than usual session, but we all left wiser and (much) more interested in cryptography! Apart from the amazing session, bottom line still remains: “don’t roll your own crypto kids….” See you there? As always, it's on the last Thursday of the month(29/02) at 18:30 (doors open at 17:30), in Rotterdam (right next to Central station)! As per usual it’s an open conversation session so anyone can join, share thoughts, ask questions and we all learn together and from each other. Are you joining? See you at the CIC (Cambridge Innovation Center); doors open at 17:30 - drinks (and snacks!) provided🍻 ☕️ 🍵 - so feel free to join earlier, or stay later, and get some conversations going! More details —> https://lnkd.in/exNwupPA Thanks to everyone for joining, supporting & contributing to the SecTalks sessions in previous iterations! See you all there! Can’t make it this month? Please join the community, share to spread the word to the security community and beyond, and see you next time! #infosec #meetup #security #linuxsecurity #community #sandbox #eBPF #networking #cilium #opensourcesoftware #opensource eBPF Summit Cilium

Continuous code scanning and enabling Advanced Security in GitHub are crucial for keeping your GitHub repositories secure and unexposed. What a nightmare for Mercedes-Benz! #devsecops #vulnerabilitymanagement #databreaches #codesecurity #governance

GitHub has launched Copilot Autofix, an #AI-driven service designed to remediate software vulnerabilities, as part of its GitHub Advanced Security (GHAS) offering. Officially introduced on August 14, Copilot Autofix analyzes code vulnerabilities, explains their significance, and provides suggestions for remediation, enabling developers to address issues swiftly. This feature is included by default for GHAS customers using GitHub Enterprise Cloud. Starting in September, it will also be available for free in pull requests for open-source projects. During its public beta, developers utilizing Copilot Autofix resolved vulnerabilities over three times faster than those who fixed them manually. The tool supports various vulnerability types, including SQL injection and cross-site scripting, allowing developers to easily dismiss, edit, or commit fixes in their pull requests, showcasing the potential of AI to enhance software development efficiency and security. Adil Hihi Guillaume Renaud Jeanne Heuré Matthieu FRONTON

🔒GitHub Actions artifacts found leaking auth tokens in popular projects🔒 https://lnkd.in/g2WTCt5a #GitHubActions #Security #CyberSecurity #InfoSec #DataLeak #AuthTokens #DevOps #SoftwareDevelopment #TechNews #Vulnerability

Security vulnerability scanners (brief note): Security vulnerability scanners can check packges, build artifact (shared library, docker images etc.) and report vulnerabilities. The report provides the severity (critical, high, medium, low) levels of the vulnerabilities too. Some of the reports provide link to additional information and suggestions regarding fixes. At a very high level there are two main categories of scanners - static scanners versus dynamic/runtime scanners. Static scanners checks pacage, build artifact etc. without the system running. Hence the name "static". Where as the dynamic scanner tries to attack the system that is running. We can add static scanners in the CI/CD pipeline. As for example GitHub Actions made it very easy to add static scanners like Trivy. You can get more information here - https://lnkd.in/gFrKSC5C Here is GitHub Actions example for Snyk scanner: https://lnkd.in/grpvjeUD GitHub has Dependabot for static vulnerability scanning and alerting. It is easy to configure as well. Here is more information: https://lnkd.in/gQ6aZaYj For dynamic/runtime scanning we can use ZAP OWASP scanner. Here are links to more information: https://lnkd.in/gVU62Q9W and https://lnkd.in/g9kJbUPV Now if the url of the site is not reachable from GitHub/not exposed to the outside world yet then there is a way to setup self hosted runner on your cloud hosting where the app components are runnng. In that case the dynamic security scanner can reach out to the running application relatively easily (* for a Zero trust system there is more setup to do) Hope it is useful for some of you. Please feel free to reach out to me if you have questions/need more information. #security #CI/CD #staticscanner #dynamicscanner #runtimescanner #GitHubActions #SAST #StaticApplicationSecurityTesting #DAST #DynamicApplicationSecurityTesting

As a security enthusiast, I'm fascinated by articles like these. It seems you can access all commits from all forks, even if the fork is already deleted, just by knowing (or guessing) the SHA1 hash of the commit. But seriously who is going to guess the full SHA1 of a deleted commit? no worries, you just have to guess the last 4 (!!!) characters, because GitHub wants to make it easy so you can also use the last (at least 4) characters of the commit hash to reference code. GitHub' response: "This is by design, and is working as intended" #security #mvpbuzz

Do you have a solution in place that’s continuously scans your repose for malicious codes? Come talk to me about a solution!