CSC News Table of Contents
GitHub Expands Secret Scanning to AWS, Microsoft, Google, and Slack: GitHub, a Microsoft subsidiary, has unveiled an enhancement to its secret scanning feature.
This update broadens the coverage of validity checks to encompass popular services like Amazon Web Services (AWS), Microsoft, Google, and Slack. These validity checks help users determine if exposed tokens discovered during secret scanning are active, enabling more effective remediation.
Initially introduced for GitHub tokens, this enhancement is part of GitHub’s commitment to improving security.
Key Takeaways to GitHub Expands Secret Scanning to AWS, Microsoft, Google, and Slack:
- Expanded Secret Scanning: GitHub’s secret scanning feature now includes AWS, Microsoft, Google, and Slack, providing users with a more comprehensive security solution.
- Validity Checks: Validity checks assist users in identifying actively exposed tokens, allowing for swift remediation of potential security risks.
- Future Token Support: GitHub intends to further extend its support for various tokens, demonstrating its ongoing dedication to enhancing security measures.
GitHub Enhances Secret Scanning
GitHub, a leading cloud-based code hosting and version control service, has bolstered its secret scanning feature. This enhancement goes beyond GitHub tokens, now including popular services such as AWS, Microsoft, Google, and Slack in its security coverage.
Activating Validity Checks
The introduction of validity checks earlier this year has proven to be a valuable security measure. Validity checks notify users about the status of exposed tokens identified during secret scanning, indicating whether they are active or not.
This information is crucial for taking effective remediation actions.
Enabling Validity Checks
To activate this feature, enterprise or organization owners and repository administrators can navigate to Settings > Code security and analysis > Secret scanning.
Here, they can select the option “Automatically verify if a secret is valid by sending it to the relevant partner.”
GitHub’s Ongoing Security Commitment
Earlier this year, GitHub extended secret scanning alerts to cover all public repositories, reinforcing its commitment to security.
Additionally, push protection was introduced, allowing developers and maintainers to proactively safeguard their code by scanning for highly identifiable secrets before pushing changes.
AWS Enhances Account Protection
In parallel with GitHub’s security efforts, Amazon has announced enhanced account protection requirements. These requirements will mandate privileged users (root users) of AWS Organization accounts to enable multi-factor authentication (MFA) starting in mid-2024.
According to Steve Schmidt, Chief Security Officer at Amazon, MFA significantly enhances account security, adding an extra layer of protection against unauthorized access.
Common Network Misconfigurations
The joint advisory from the U.S. National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) identifies weak or misconfigured MFA methods as one of the top 10 common network misconfigurations.
These misconfigurations include:
- Default configurations of software and applications
- Improper separation of user/administrator privilege
- Insufficient internal network monitoring
- Lack of network segmentation
- Poor patch management
- Bypass of system access controls
- Insufficient access control lists (ACLs) on network shares and services
- Poor credential hygiene
- Unrestricted code execution
Mitigations and Recommendations
To address these misconfigurations, organizations are encouraged to:
- Eliminate default credentials and harden configurations
- Disable unused services and implement access controls
- Prioritize patching and conduct regular audits of administrative accounts and privileges
Software vendors are also urged to adopt secure-by-design principles, utilize memory-safe programming languages, eliminate default passwords, provide audit logs to customers at no extra cost, and mandate phishing-resistant MFA methods.
The prevalence of these misconfigurations underscores the need for organizations to fortify their cybersecurity measures and for software manufacturers to proactively contribute to reducing security vulnerabilities.
About GitHub: GitHub, a subsidiary of Microsoft, is a cloud-based platform for software development and version control. It plays a crucial role in supporting collaborative coding efforts and enhancing security in the software development process.
