#1 Trusted Cybersecurity News Platform
Followed by 5.20+ million
The Hacker News Logo
Subscribe – Get Latest News

CI/CD Pipeline | Breaking Cybersecurity News | The Hacker News

Category — CI/CD Pipeline
Cybersecurity Blind Spots in IaC and PaC Tools Expose Cloud Platforms to New Attacks

Cybersecurity Blind Spots in IaC and PaC Tools Expose Cloud Platforms to New Attacks

Nov 25, 2024 Cloud Security / Supply Chain Attack
Cybersecurity researchers have disclosed two new attack techniques against infrastructure-as-code (IaC) and policy-as-code (PaC) tools like HashiCorp's Terraform and Styra's Open Policy Agent (OPA) that leverage dedicated, domain-specific languages (DSLs) to breach cloud platforms and exfiltrate data. "Since these are hardened languages with limited capabilities, they're supposed to be more secure than standard programming languages – and indeed they are," Tenable senior security researcher Shelly Raban said in a technical report published last week. "However, more secure does not mean bulletproof." OPA is a popular, open-source policy engine that allows organizations to enforce policies across cloud-native environments, such as microservices, CI/CD pipelines, and Kubernetes. Policies are defined using a native query language called Rego which are then evaluated by OPA to return a decision. The attack method devised by Tenable targets the supply ...
Urgent: GitLab Patches Critical Flaw Allowing Unauthorized Pipeline Job Execution

Urgent: GitLab Patches Critical Flaw Allowing Unauthorized Pipeline Job Execution

Sep 12, 2024 DevSecOps / Vulnerability
GitLab on Wednesday released security updates to address 17 security vulnerabilities, including a critical flaw that allows an attacker to run pipeline jobs as an arbitrary user. The issue, tracked as CVE-2024-6678, carries a CVSS score of 9.9 out of a maximum of 10.0 "An issue was discovered in GitLab CE/EE affecting all versions starting from 8.14 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3 prior to 17.3.2, which allows an attacker to trigger a pipeline as an arbitrary user under certain circumstances," the company said in an alert. The vulnerability, along with three high-severity, 11 medium-severity, and two low-severity bugs, have been addressed in versions 17.3.2, 17.2.5, 17.1.7 for GitLab Community Edition (CE) and Enterprise Edition (EE). It's worth noting that CVE-2024-6678 is the fourth such flaw that GitLab has patched over the past year after CVE-2023-5009 (CVSS score: 9.6), CVE-2024-5655 (CVSS score: 9.6), and CVE-2024...
The Future of Serverless Security in 2025: From Logs to Runtime Protection

The Future of Serverless Security in 2025: From Logs to Runtime Protection

Nov 28, 2024Cloud Security / Threat Detection
Serverless environments, leveraging services such as AWS Lambda, offer incredible benefits in terms of scalability, efficiency, and reduced operational overhead. However, securing these environments is extremely challenging. The core of current serverless security practices often revolves around two key components: log monitoring and static analysis of code or system configuration. But here is the issue with that: 1. Logs Only Tell Part of the Story Logs can track external-facing activities, but they don't provide visibility into the internal execution of functions. For example, if an attacker injects malicious code into a serverless function that doesn't interact with external resources (e.g., external APIs or databases), traditional log-based tools will not detect this intrusion. The attacker may execute unauthorized processes, manipulate files, or escalate privileges—all without triggering log events. 2. Static Misconfiguration Detection is Incomplete Static tools that check ...
Behind the Scenes: The Art of Safeguarding Non-Human Identities

Behind the Scenes: The Art of Safeguarding Non-Human Identities

Mar 28, 2024 Secrets Management / Zero Trust
In the whirlwind of modern software development, teams race against time, constantly pushing the boundaries of innovation and efficiency. This relentless pace is fueled by an evolving tech landscape, where SaaS domination, the proliferation of microservices, and the ubiquity of CI/CD pipelines are not just trends but the new norm. Amidst this backdrop, a critical aspect subtly weaves into the narrative — the handling of non-human identities. The need to manage API keys, passwords, and other sensitive data becomes more than a checklist item yet is often overshadowed by the sprint toward quicker releases and cutting-edge features. The challenge is clear: How do software teams maintain the sanctity of secrets without slowing down their stride? Challenges in the development stage of non-human identities The pressure to deliver rapidly in organizations today can lead developers to take shortcuts, compromising security. Secrets are the credentials used for non-human identities. Some stan...
cyber security

Creating, Managing and Securing Non-Human Identities

websitePermisoCybersecurity / Identity Security
A new class of identities has emerged alongside traditional human users: non-human identities (NHIs). Permiso Security's new eBook details everything you need to know about managing and securing non-human identities, and strategies to unify identity security without compromising agility.
Expert Insights / Articles Videos
Cybersecurity Resources