#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Subscribe – Get Latest News
Cloud Security

GitGuardian | Breaking Cybersecurity News | The Hacker News

Python's PyPI Reveals Its Secrets

Python's PyPI Reveals Its Secrets

Apr 11, 2024 Software Security / Programming
GitGuardian is famous for its annual  State of Secrets Sprawl  report. In their 2023 report, they found over 10 million exposed passwords, API keys, and other credentials exposed in public GitHub commits. The takeaways in their 2024 report did not just highlight 12.8 million  new  exposed secrets in GitHub, but a number in the popular Python package repository  PyPI . PyPI, short for the Python Package Index, hosts over 20 terabytes of files that are freely available for use in Python projects. If you've ever typed pip install [name of package], it likely pulled that package from PyPI. A lot of people use it too. Whether it's GitHub, PyPI, or others, the report states, "open-source packages make up an estimated 90% of the code run in production today. "  It's easy to see why that is when these packages help developers avoid the reinvention of millions of wheels every day. In the 2024 report, GitGuardian reported finding over 11,000 exposed  unique  secrets, wit
Three Tips to Protect Your Secrets from AI Accidents

Three Tips to Protect Your Secrets from AI Accidents

Feb 26, 2024 Data Privacy / Machine Learning
Last year, the Open Worldwide Application Security Project (OWASP) published multiple versions of the " OWASP Top 10 For Large Language Models ," reaching a 1.0 document in August and a 1.1 document in October. These documents not only demonstrate the rapidly evolving nature of Large Language Models, but the evolving ways in which they can be attacked and defended. We're going to talk in this article about four items in that top 10 that are most able to contribute to the accidental disclosure of secrets such as passwords, API keys, and more. We're already aware that LLMs can reveal secrets because it's happened. In early 2023, GitGuardian reported it found over 10 million secrets in public Github commits. Github's Copilot AI coding tool was trained on public commits, and in September of 2023, researchers at the University of Hong Kong published a paper on how they created an algorithm that generated 900 prompts designed to get Copilot to reveal secrets from
Hands-on Review: Cynomi AI-powered vCISO Platform

Hands-on Review: Cynomi AI-powered vCISO Platform

Apr 10, 2024vCISO / Risk Assessment
The need for vCISO services is growing. SMBs and SMEs are dealing with more third-party risks, tightening regulatory demands and stringent cyber insurance requirements than ever before. However, they often lack the resources and expertise to hire an in-house security executive team. By outsourcing security and compliance leadership to a vCISO, these organizations can more easily obtain cybersecurity expertise specialized for their industry and strengthen their cybersecurity posture. MSPs and MSSPs looking to meet this growing vCISO demand are often faced with the same challenge. The demand for cybersecurity talent far exceeds the supply. This has led to a competitive market where the costs of hiring and retaining skilled professionals can be prohibitive for MSSPs/MSPs as well. The need to maintain expertise of both security and compliance further exacerbates this challenge. Cynomi, the first AI-driven vCISO platform , can help. Cynomi enables you - MSPs, MSSPs and consulting firms
Tell Me Your Secrets Without Telling Me Your Secrets

Tell Me Your Secrets Without Telling Me Your Secrets

Nov 24, 2023 Developer Tools / API Security
The title of this article probably sounds like the caption to a meme. Instead, this is an actual problem GitGuardian's engineers had to solve in implementing the mechanisms for their new  HasMySecretLeaked service . They wanted to help developers find out if their secrets (passwords, API keys, private keys, cryptographic certificates, etc.) had found their way into public GitHub repositories. How could they comb a vast library of secrets found in publicly available GitHub repositories and their histories and compare them to your secrets without you having to expose sensitive information? This article will tell you how. First, if we were to set a bit's mass as equal to that of one electron, a ton of data would be around 121.9 quadrillion petabytes of data at standard Earth gravity or $39.2 billion billion billion US dollars in MacBook Pro storage upgrades (more than all the money in the world). So when this article claims GitGuardian scanned a "ton" of GitHub public commit data, t
cyber security

WATCH: The SaaS Security Challenge in 90 Seconds

websiteAdaptive ShieldSaaS Security / Cyber Threat
Discover how you can overcome the SaaS security challenge by securing your entire SaaS stack with SSPM.
Over Half of Security Leaders Lack Confidence in Protecting App Secrets, Study Reveals

Over Half of Security Leaders Lack Confidence in Protecting App Secrets, Study Reveals

Jun 13, 2023 AppSec / Secrets Management
It might come as a surprise, but secrets management has become the elephant in the AppSec room. While security vulnerabilities like Common Vulnerabilities and Exposures (CVEs) often make headlines in the cybersecurity world, secrets management remains an overlooked issue that can have immediate and impactful consequences for corporate safety.  A recent study by GitGuardian found that 75% of IT decision-makers in the US and the UK reported at least one secret leaked from an application, with 60% causing issues for the company or employees. Shockingly, less than half of respondents (48%) were confident in their ability to protect application secrets "to a great extent." The study, named  Voice of Practitioners: The State of Secrets in AppSec  (available for free download  here ), provides a fresh perspective on managing secrets, which is often reduced to clich├ęs that do not reflect the operational reality in engineering departments.  Despite their ubiquity in modern cloud a
The Rising Threat of Secrets Sprawl and the Need for Action

The Rising Threat of Secrets Sprawl and the Need for Action

May 23, 2023 Application Security
The most precious asset in today's information age is the secret safeguarded under lock and key. Regrettably, maintaining secrets has become increasingly challenging, as highlighted by the  2023 State of Secrets Sprawl  report, the largest analysis of public GitHub activity.  The report shows a  67% year-over-year increase  in the number of secrets found, with 10 million hard-coded secrets detected in 2022 alone. This alarming surge in secrets sprawl highlights  the need for action  and underscores the importance of secure software development. Secrets sprawl refers to secrets appearing in plaintext in various sources, such as source code, build scripts, infrastructure as code, logs, etc. While secrets like API tokens and private keys securely connect the components of the modern software supply chain, their widespread distribution among developers, machines, applications, and infrastructure systems heightens the likelihood of leaks. Cybersecurity Incidents Highlight the Danger
Are Source Code Leaks the New Threat Software vendors Should Care About?

Are Source Code Leaks the New Threat Software vendors Should Care About?

Apr 07, 2023 DevOps / Software
Less than a month ago, Twitter indirectly acknowledged that some of its source code had been leaked on the code-sharing platform GitHub by sending a copyright infringement notice to take down the incriminated repository. The latter is now inaccessible, but according to the media, it was accessible to the public for several months. A user going by the name FreeSpeechEnthousiast committed thousands of documents belonging to the social media platform over several months.  While there is no concrete evidence to support this hypothesis, the timing of the leak and the ironic username used by the perpetrator suggest that the leak was a deliberate act aimed at causing harm to the company. Although it is still too early to measure the impact of this leak on the health of Twitter, this incident should be an opportunity for all software vendors to ask a simple question:  what if this happened to us? Protecting sensitive information in the software industry is becoming increasingly critical as
The Secret Vulnerability Finance Execs are Missing

The Secret Vulnerability Finance Execs are Missing

Feb 23, 2023 Git Security / DevOps
The (Other) Risk in Finance A few years ago, a Washington-based real estate developer received a document link from First American – a financial services company in the real estate industry – relating to a deal he was working on. Everything about the document was perfectly fine and normal. The odd part, he  told  a reporter, was that if he changed a single digit in the URL, suddenly, he could see somebody else's document. Change it again, a different document. With no technical tools or expertise, the developer could retrieve FirstAm records dating back to 2003 – 885  million  in total, many containing the kinds of sensitive data disclosed in real estate dealings, like bank details, social security numbers, and of course, names and addresses. That nearly a billion records could leak from so simple a web vulnerability seemed shocking. Yet even more severe consequences befall financial services companies every week. Verizon, in its most recent  Data Breach Investigations Report ,
The Pivot: How MSPs Can Turn a Challenge Into a Once-in-a-Decade Opportunity

The Pivot: How MSPs Can Turn a Challenge Into a Once-in-a-Decade Opportunity

Feb 03, 2023 DevSecOps / Cybersecurity
Cybersecurity is quickly becoming one of the most significant growth drivers for Managed Service Providers (MSPs). That's the main insight from a  recent study  from Lumu: in North America, more than 80% of MSPs cite cybersecurity as a primary growth driver of their business. Service providers have a huge opportunity to expand their business and win new customers by developing their cybersecurity offerings. This hardly comes as a surprise since the demand for cybersecurity is in full swing among SMBs and larger enterprises. According to  Gartner , "by 2025, 60% of organizations will use cybersecurity risk as a primary determinant in conducting third-party transactions and business engagements." This means that the perception around security is transforming: from liability, it's becoming a powerful business driver. Of course, cybersecurity continues to evolve at a very rapid pace, with threats emerging every day and the stakes getting higher. This alone can fuel the
You Don't Know Where Your Secrets Are

You Don't Know Where Your Secrets Are

Jan 31, 2023 Secret Management / DevSecOps
Do you know where your secrets are? If not, I can tell you: you are not alone. Hundreds of CISOs, CSOs, and security leaders, whether from small or large companies, don't know either. No matter the organization's size, the certifications, tools, people, and processes: secrets are not visible in 99% of cases. It might sound ridiculous at first: keeping secrets is an obvious first thought when thinking about security in the development lifecycle. Whether in the cloud or on-premise, you know that your secrets are safely stored behind hard gates that few people can access. It is not just a matter of common sense since it's also an essential compliance requirement for security audits and certifications. Developers working in your organization are well-aware that secrets should be handled with special care. They have put in place specific tools and procedures to correctly create, communicate, and rotate human or machine credentials. Still, do you know where your secrets are?
The Truth About False Positives in Security

The Truth About False Positives in Security

Aug 09, 2022
TL;DR: As weird as it might sound, seeing a few false positives reported by a security scanner is probably a good sign and certainly better than seeing none. Let's explain why. Introduction False positives have made a somewhat unexpected appearance in our lives in recent years. I am, of course, referring to the COVID-19 pandemic, which required massive testing campaigns in order to control the spread of the virus. For the record, a false positive is a result that appears positive (for COVID-19 in our case), where it is actually negative (the person is not infected). More commonly, we speak of false alarms. In computer security, we are also often confronted with false positives. Ask the security team behind any SIEM what their biggest operational challenge is, and chances are that false positives will be mentioned. A recent  report  estimates that as much as 20% of all the alerts received by security professionals are false positives, making it a big source of fatigue. Yet the
Cybersecurity Resources