Official GitGuardian developer & security resources including white papers, videos, cartoons, cheat sheets, and more.
GitGuardian leads the way in Non-Human Identity security, offering end-to-end solutions from secrets detection in code, productivity tools and environments to strong remediation, observability and proactive prevention of leaks.
Innovation Insight: Improve Security With Machine Identity and Access Management today
Discover best practices for managing non-human identities (NHIs) and their secrets across your organization.
The 2025 State of Secrets Sprawl report measures the exposure and remediation of leaked secrets within GitHub and how it is evolving year to year.
Organizations spend 32.4% of security budgets on code security, yet only 44% of developers follow secrets management best practices. Get the full insights in our 2024 report.
In this episode of The Security Repo Podcast, we look at how we satisfy the goals of compliance and security, which might seem like they would be the same thing, yet are not.
In this episode of The Security Repo Podcast, we broach a wide variety of topics, ranging from The Theory of Constraints, source control horror stories, and using scorecards to drive cross-team success.
Fragmented IAM data across systems creates security gaps, and unmanaged credentials like API keys and OAuth tokens pose hidden risks. Read this report by Gartner to see how to cope with this.
In this episode of The Security Repo Podcast, we take a look at how to do secret rotation reliably in a highly available system.
In this episode of The Security Repo Podcast, we talk about Shadow IT: the largest IT threat outside of IT, and possibly out of the line of sight of security teams.
We have had so much fun making The Security Repo Podcast, and we hope you have learned as much as we have along the way. The tides of change have finally reached our shore, and we are sad to announce the departure of Mackenzie Jackson, our original founder, producer, and co-host of the podcast, from our regular episodes. We wish him much success in his new adventures.
In this episode of The Security Repo Podcast, we explore all things Data Loss Prevention (DLP).
We all want to have the best security posture possible, especially when it comes to our mission-critical applications. This is also true for any software we publish that is used in the software supply chain. Every security team dreams of fully implementing Zero Trust as the standard across the whole of the organization and having flawless defenses.
In this episode of The Security Repo Podcast, we look at security automation and how we can engineer our way to better security overall.
In this episode of The Security Repo Podcast, we take a look at the role developer training and awareness have in improving security.
In this episode of The Security Repo Podcast, we dive deep into how AI is helping the Red, Blue, and Purple teams and how we can leverage ChatGPT to stay ahead of attackers.
The current state of application security often leaves us reacting to data breaches and unauthorized disclosures well after they have occurred. How do we change this reactive reality?
In this episode of The Security Repo Podcast, we dive deep into a rather troubling phenomenon: scammers who target senior citizens.
In this episode of The Security Repo Podcast, we dive deep into a pervasive cybersecurity issue: open data buckets. Joined by Glen Helton, Director of Information Security at a major multinational and founder of the Sky Witness Project, we explore how improperly secured cloud storage—commonly known as "open buckets"—can expose sensitive data to the world.
In this episode of The Security Repo, we sit down with Jossef Harush Kadouri, a pioneer in software supply chain security and founder of Dustico, now part of Checkmarx.
In this episode we are joined by Avi Douglen, Founder and CEO of Bounce Security. Avi is a key figure in the security community and a former OWASP chapter chair. The discussion covers the significance of OWASP, its resources, threat modeling, and Avi's personal journey within the organization.
Today we sit down with Bobby Kuzma, Director of Offensive Cyber Operations at Pro Circular and adjunct professor at the University of Washington. Bobby shares his unique journey into the world of penetration testing, including how he accidentally acquired his CISSP certification.
Join us for a comprehensive webinar on self-hosted solutions, featuring industry experts Romain Jouhannet from GitGuardian, Adrian Mouat from Chainguard and Chuck D'Antonio from Replicated.
Today we welcome J Wolfgang Goerlich, an advisory CISO, mentor, and strategist. We delve into the intricacies of security design frameworks and the importance of building and maintaining relationships in the cybersecurity field.
In this document, we will explore a holistic implementation guide for DevSecOps as a collection of technology-driven, automated processes.
Today we dive into the fascinating world of nuclear energy and cybersecurity with Andrew Elliot, a senior manager at KPMG's cybersecurity team. Andrew shares his journey from a nuclear engineer to a cybersecurity expert, providing unique insights into the importance of security culture, the resurgence of nuclear energy, and the critical role of cybersecurity in protecting critical infrastructure.
In this episode of The Security Repo, we dive deep into the world of threat modelling with Paul McCarty, a veteran in the field of DevSecOps and founder of SecureStack. Paul shares his journey from being a Unix admin to working with high-profile organizations like NASA and GitLab.
In this episode of The Security Repo, we dive into the fascinating world of cybersecurity with JR Johnson, a seasoned information security professional with over 14 years of experience. JR shares his journey from web development to penetration testing and cybersecurity consulting, highlighting the unique challenges faced by higher education institutions.
Join us in this episode of The Security Repo Podcast as we dive into the world of cybersecurity with Brendan Hohenadel. From his humble beginnings in desktop support to becoming a skilled red teamer, Brendan shares his inspiring journey and fascinating stories from the field.
In this episode of The Security Repo, we are thrilled to welcome Sonya Moisset, a Senior Advocate at Snyk and a renowned expert in DevSecOps, cybersecurity, and AI. With a wealth of experience as a public speaker, mentor, and top contributor to the tech community, Sonya shares her deep insights into the evolving landscape of AI in cybersecurity.
In this episode of The Security Repo, Dwayne McDaniel and Marc Boorshtein delve into the intricacies of Kubernetes dashboard security. Marc, the CTO of Tremolo Security, brings his extensive experience in identity and access management to the table, discussing the challenges and best practices for securing Kubernetes dashboards.
AI-assisted coding tools increase your delivery speed… and unfortunately security risks as well. In this session, Sonya Moisset, Staff Security Advocate at Snyk (and 4x GitHub Star & GitHub Security Ambassador), will present an overview of AI in development and common AI security risks.
Join us this week as we host Eric Fourrier, co-founder and CEO of GitGuardian. Discover the journey of GitGuardian from a side project to a leading code security platform. Eric shares insights on the startup's growth, the integration of AI in security, and the future of protecting digital assets. Tune in for an engaging discussion on advancing code security in our digital world.
Today we dive into the challenges of securing modern IT infrastructures, focusing on "Secret Zero" and its implications for authentication practices. Our guest, Mattias Gees of Venafi, discusses the SPIFFE framework and its role in transitioning from traditional security methods to dynamic workload identities. We explore practical strategies for implementing SPIFFE to enhance digital security across cloud environments.
This week, we dive deep into the world of Kubernetes with John Dietz, co-founder of Kubefirst and a seasoned IT professional with over two decades of experience. John shares his extensive insights into the transformative power of Kubernetes and infrastructure as code (IaC) in modern cloud environments.
In this episode, we dive deep into the world of authorization with Emre Baran, CEO and co-founder of Cerbos. As a seasoned entrepreneur and software expert, Emre brings over 20 years of experience to the table, discussing the subtle yet significant distinctions between authorization and authentication, and why these concepts are pivotal in today's cloud-based and development environments.
Open-source components forever changed how we build software, but they are also a prominent security threat. Nothing illustrated this better than the recent XZ library incident, where the world narrowly avoided a massive supply chain attack. Join Gene Gotimer and Mackenzie Jackson to discuss how we can keep our open-source supply chains secure as we discuss:
In this video, we explore AI package hallucination. This threat is a result of AI generation tools hallucinating open-source packages or libraries that don't exist. In this video, we explore why this happens and show a demo of ChatGPT creating multiple packages that don't exist. We also explain why this is a prominent threat and how malicious hackers could harness this new vulnerability for evil. It is the next evolution of typosquatting.
In this episode of The Security Repo podcast, we dive deep into the evolving landscape of security within software development with our guest, Rachel Stephens, a senior analyst at RedMonk. Rachel sheds light on the broader implications of the "shift left" movement, emphasizing the integration of security practices throughout the entire software development lifecycle rather than viewing it as an isolated final step.
Join us for an impactful panel discussion on navigating the DevSecOps journey. Our expert panelists, Grace Law from Manulife, Eric Fourrier from GitGuardian, and Chaaban Barakat from Snyk will share insights on key drivers for DevSecOps adoption, criteria for solution selection, strategies for developer adoption, and measuring success. Gain actionable takeaways to enhance your organization's security posture while accelerating software delivery.
Join us for a discussion on secret management, especially those that end up in plaintext within code. Grace Law, Director of Application Security at Manulife, will share her experience in implementing an effective program to manage these secrets. We will explore GitGuardian's maturity model, which offers concrete actions to improve how your organization handles the issue.
In this video, we show exactly how to use AWS Secrets Manager and how to connect it with your Python application. Secrets are hard to manage, and while methods like storing them as environment variables in a .env file can be suitable, a more secure method, particularly in a team, is to use a secrets manager so developers can avoid ever needing to handle the plaintext secret.
This week, join us as we sit down with Huxley Barbee, the lead organizer of B-Sides New York City and a security evangelist at RunZero. With over two decades of experience as a software engineer and security consultant, Huxley shares his profound insights and journey through the evolving landscape of cybersecurity.
The 2024 State of Secrets Sprawl report measures the exposure and remediation of leaked secrets within GitHub and how it is evolving year to year.
In this video we provide a breakdown of the nation-state attack on Microsoft by the Russian-backed hacking group Midnight Blizzard (also known as NOBELIUM) that happened between November 2023 and March 2024.
This episode of The Security Repo Podcast features an insightful discussion with Gregory Zagraba on the challenges and strategies of integrating security practices within the DevOps landscape. Covering the evolution of DevOps, the emergence of DevSecOps, and the importance of a culture shift in large organizations, the conversation delves into practical advice on automation, the significance of backups, and fostering a security-conscious mindset. Through real-world examples and expert insights, the episode sheds light on creating robust, secure systems in the fast-paced world of software development and data protection.
Explore the industry-first solution designed to empower security and development teams in securing secrets across multi-cloud, DevOps, and containerized environments. Discover innovative use cases, from detecting public GitHub leaks to enforcing secret management policies. Don't miss this opportunity to delve into the future of secrets security with our very own Mackenzie Jackson from GitGuardian and special guests Evan Litwak and David Hisel from CyberArk. Save your spot now for an engaging conversation redefining your approach to secret protection in software development.
In this episode of The Security Repo podcast, we take a dive into the intriguing world of hacking the hackers with Vangelis Stykas. Stykas, a notable figure in cybersecurity, shares his experiences and methodologies for compromising C2 servers—central nodes used by hackers to control malware.
20:40 State of C2 Security now
21:37 Criminals and Bug Bounties
23:32 Sponsors Segment
24:19 Is this legal?
28:27 Atropos - Pentesting plus API security
28:50 What's Next
31:09 Best Advice and Worst Advice for Security
33:00 Wrap Up
In this episode, we delve into the mind of Erik Cabetas, a renowned figure in offensive security and Defcon CTF winner. Erik shares his unique journey from hacking to offensive security, detailing the critical turning points that shaped his career. Together with Mackenzie and Dwayne, Erik discusses the evolution of security practices, the importance of ethical hacking in today's digital world, and offers some advice for aspiring hackers. Join us to explore the fascinating intersection of technology, ethics, and security through Erik's expert lens.
In this episode of The Security Repo, Jayson E. Street delves into his unconventional journey into cybersecurity, emphasizing the essence of hacking as a manifestation of curiosity rather than mere technical skill. He shares anecdotes from his extensive experience in ethical hacking, including bank heists and corporate security breaches, to underscore the importance of creative problem-solving in security.
Abraham Aranguren is the CEO of 7A Security and in this video he emphasizes the critical role of manual penetration testing (pentesting) in cybersecurity, highlighting its superiority over automated security tools.
In this episode of "The Security Repo," hosts Dwayne McDaniel and Mackenzie Jackson delve into the intricate world of cybersecurity with Buck Bundhund, an expert from Centripetal Networks.
In this video, we drill down into the recent breach of Cloudflare systems including how attackers were able to use stolen credentials from the Okta attack to move laterally and hack the Cloudflare internal Atlassian server.
In this webinar, we will explore the importance of secure APIs, showing you how to assess potential risks and vulnerabilities across various API types. We will also cover best practices for testing your APIs before releasing them into production.
Our guest Ethan Heilman has a PhD in Computer Science and is the current CTO of BastionZero, where he is working on OpenPubkey, a protocol for leveraging OpenID Providers (OPs) to bind identities to public keys.
This cheat sheet outlines the 10 essential considerations for selecting a secrets detection platform, designed to guide organizations through the intricacies of safeguarding sensitive information and non-human identities effectively.
Leveraging our rich experience in creating and deploying a secrets detection solution, our buyers’ guide offers valuable insights to guide you through this intricate landscape.
In this episode, James Berthoty shares insights into his project, Latio Tech, which provides a comprehensive list of cloud security tools and resources. This episode is perfect for anyone looking into purchasing new security tools or wanting to understand the purchasing process.
In this episode, Mackenzie and Dwayne dive into a discussion on API security with special guest Isabelle Mauny, co-founder and CTO of 42Crunch.
The video based on this article discusses a cybersecurity researcher's experience in uncovering a major security flaw in an AI-based hiring system called Chattr.ai, which provides services to numerous fast-food chains and hourly employers across the United States, including popular names like Applebees, Arbys, Chickfila, Dunkin, IHOP, KFC, Shoneys, Subway, Tacobell, Target, and Wendys.
In this episode of The Security Repo, Mackenzie Jackson sits down with Nipun Gupta, the Chief Operating Officer of Bearer, a leading security company at the forefront of innovation in the cybersecurity landscape. Join us as we delve deep into the world of Static Application Security Testing (SAST) and explore why traditional SAST tools are struggling to keep pace with the demands of modern development environments.
Since 2017, GitGuardian has been monitoring all public activity on GitHub. Now, with a new product called Has My Secret Leaked, you can check if your secrets have leaked on GitHub. In this video, Mackenzie runs through how to use both the web interface and the CLI tool ggshield to check if your secrets have ever been exposed on GitHub, regardless of whether they have since been deleted.
Join the code security revolution with GitGuardian. Visit our website or contact us today to unleash the full potential of your software supply chain security. GitGuardian: where security meets innovation, safeguarding your code and your future.
In this episode of "The Security Repo," your hosts Mackenzie Jackson and Dwayne McDaniel are joined by a distinguished guest, Dan Barahona, as they embark on an eye-opening exploration of API security.
In this episode of The Security Repo, your hosts Mackenzie Jackson and Dwayne McDaniel are joined by the brilliant Reanna Schultz, a seasoned expert in the field of cybersecurity. Together, they delve deep into the world of social engineering, exploring what it is, how to detect it, and crucially, how to arm your staff against its deceptive tactics.
In this eye-opening episode of The Security Repo, we welcome James Wickett, the CEO and co-founder of DryRun Security, a visionary in the realm of cybersecurity. James unveils a groundbreaking concept known as "Contextual Security," a game-changer that empowers developers with unprecedented security insights while they write code.
In this captivating episode of The Security Repo, we delve into the world of physical security with our esteemed guest, Brice Self. With over a decade of experience in the field, Brice brings a wealth of knowledge and real-world insights to the table.
HasMySecretLeaked will change the way you secure secrets. No scanning—just auditability for every secret across vaults, pipelines, and more, to pinpoint leaks and their origins. If you’re wondering if your secrets have slipped into the wild, far beyond your control, HasMySecretLeaked has the answers.
Embark on an exciting journey into the realm of ethical hacking with our webinar, "Crack the Code: A Beginner's Guide to Ethical Hacking." Join Sonya Moisset of Snyk as we unveil the mysteries of cybersecurity and provide you with the tools to protect your digital assets.
In this video, we look at how to effectively use the dotenv npm package to securely use secrets like API keys by loading them into your project as environment variables. To do this, we first place our secrets in a .env file and the dotenv project loads them in as environment variables. You can find a copy of the code used in this video in my public GitHub repository - https://github.com/mackenziejj/node-env-example
In this episode, we sit down with Tom Forbes to discuss his 'side project gone wrong' and how he found live AWS credentials inside many Python packages hosted on PyPI. Dwayne and Mackenzie dive into Tom's research to discover how the project started and what people can do to protect their secrets. Links: Tom Forbes Blog - https://tomforb.es/
Did you know that you can use ggshield to scan Docker images for secrets?
Jeevan Singh sits down with Dwayne and Mackenzie on The Security Repo Podcast to discuss the 3 things he looks for when hiring someone into the application security team.
Jeevan Singh, Director of Product Security at Twilio, discusses how self-service threat modelling was introduced at Twilio to enable developers to take part in the security program.
We chat with Andrew Storms and Ian Zink about the difficulties of managing on-prem enterprise software.
A software bill of materials (SBOM) has become a crucial part of security and of understanding the composition of our software.
In this episode, I sit down with Simon Maple from Snyk to discuss just that. We explore the different applications of AI in security and where the future is going. It's an interesting discussion so you don't want to miss it!
Did you know that GitGuardian can add comments directly to your GitHub pull requests and even stop a PR from succeeding if it contains any hardcoded secrets?
Are you building your applications on Azure? Good news, it is now easier than ever to integrate GitGuardian with Azure repos.
We have an amazing guest, Jeevan Singh, Director of Product Security at Twilio, here to talk about how to scale an application security program.
With data leaks from AI systems like ChatGPT becoming an increasing concern, should organizations block them, and will that work for security and data privacy?
One of the many advantages of the cloud revolution is that SaaS products are continuously updated, security issues are patched quickly, and it's something the consumers are less concerned about.
With the GitGuardian auto-resolution playbook, you can automate the remediation process, saving you a step any time a credential becomes invalid.
We are joined by Varun Sharma and Ashish Kurmi, founders of StepSecurity. StepSecurity is a pioneer in runtime security for CI/CD pipelines.
We sit down with Jeremiah Jeschke, the CEO at OfficeAutomata, to discuss the future of security in a world of ChatGPT and other AI systems.
GitGuardian already looks for over 390 different types of specific secrets - from Adobe and AWS keys to Zoom and Zendesk Tokens. That's on top of looking for over a dozen generic patterns like Bearer tokens and JSON web tokens.
In this episode with Walt Powell, we discuss exactly how to overcome these challenges by learning to communicate effectively with the board, translating security challenges into a language they will relate to.
GitGuardian makes it simple to understand the state of your leaked secrets with our automatic validity and presence checks.
Now with custom severity rules, you can automate how GitGuardian labels the criticality of each incident. Fine-tune the pre-built scoring definitions and add your own custom rules that help your team with your particular requirements.
GitGuardian is making it easier and safer than ever to gather feedback about secret leakage incidents.
When your private code becomes publicly visible, you want to know about it immediately. GitGuardian Honeytoken is a quick and easy way to add leakage detection to your repositories.
In this cheat sheet, we will walk you through the different stages of the software development lifecycle and highlight key security considerations and tools that can help you mitigate risks and protect your code.
In this episode, we sit down with Daniel Niefeld and Kenneth Nevers to talk about their journey into security, creating security conferences and building grass roots cyber communities.
Our cheat sheet makes it easy for anyone to master the use of GitGuardian Honeytoken quickly so you keep on top of code leaks and manage intrusion detection.
Anyone managing your GitGuardian workspace can set up IP tagging rules for honeytokens.
Billy Lynch from Chainguard explores the importance of application and code signing for a secure supply chain, drawing from his experience at Google and sharing the latest developments in this field.
Reducing vulnerabilities in your software means manual and automated secure code reviews. Download our handy cheat sheet to keep your review practice on track.
GitGuardian simplifies code security management for teams of any size. It offers role and permission assignment, workspace member roles, team creation, incident grouping, and fine-grained user permissions.
Tanya Janca shares with us what are some of the worst common practices in DevSecOps that she frequently sees and how to avoid them.
Mackenzie Jackson and Julie Tsai discuss managing reputational damage after a security incident in the Cyber Friday discussion. They provide tips on what to do and what not to do. Full discussion at CISO series.
In this episode, we sit down with Tanya Janca and discuss her journey from being a developer for government agencies to becoming one of the most recognizable faces in application security and cybersecurity in general.
Wolfi OS is a community Linux distro designed for the cloud-native era. It relies on the environment to provide a kernel and allows for smaller, more granular containers. Learn how to use Wolfi as a base container image and build your own images using open-source tools.
Learn how to protect your software supply chains from constant attacks by using honeytokens. These decoy secrets can be placed in various parts of the DevOps pipeline to trap attackers and expose them. Join the session with speakers from GitGuardian to discover effective strategies against spearphishing and other threats.
Learn about secrets management and automating workflows to enhance security in DevOps. Covers storage, governance, orchestration, lifecycle management, and observability. Gain insights and best practices for SecretOps. Empower your team with tools and knowledge for streamlined secrets management and robust security. Speaker: Nic Manoogian, Senior Software Engineer at Doppler.
Without metrics, it's difficult to determine how long it took to fix critical vulnerabilities in the last quarter. Manual tracking is challenging, but automation can unlock the power of AppSec metrics for a measurable program.
Panel discussion with experts from Snyk, GitGuardian, Doppler, and Chainguard, moderated by Rachel Stephens from RedMonk. Imagine a world where software supply chain security challenges are solved, no vulnerabilities in open-source software, and effortless secrets management.
Recent high-profile software supply chain attacks like SolarWinds, CodeCov, and Kaseya have increased in volume, frequency, and sophistication. Maintainers must take steps to secure their projects and ensure the integrity of their CI/CD pipeline. Sonya Moisset, Senior Security Advocate at Snyk, will explain how to set up guardrails and harden OSS projects.
Mackenzie Jackson discusses secrets sprawl, the distribution of credentials in source code. The presentation covers finding and remediating this issue at scale.
Learn from Mackenzie Jackson, Developer Advocate at GitGuardian, about software supply chain attacks. Deploy honeytokens to track attackers and enhance supply chain defenses. Discover vulnerabilities missed by traditional security tools. Visit GitGuardian's product webpage, read the announcement post, or book a demo for more information.
GitGuardian helps cybersecurity teams work smarter and safer by preventing incidents with detected valid secrets from being accidentally resolved. It improves secrets management posture and offers a free platform for secrets detection and remediation.
With 100M developers and over 3.5B contributions, the world builds software on GitHub. Whether your organization uses it or not, your developers certainly do. Developers contribute to open-source, build side projects, engage in discussions, and give a helping hand to others. They also accidentally leak secrets. In fact, 1 in 10 active developers did in 2022. Find out who are your developers on GitHub and how many of your secrets are exposed with GitGuardian.
Developer secrets are not just any kind of credentials. They’re the glue that holds your software supply chain from code to cloud. Leaving hardcoded secrets in your code, Docker images, and Jira tickets gives attackers the freedom to move from one system to the next. Even worse, you may never know they were there or how they got in. Tame secrets sprawl and automate detection and remediation with GitGuardian.
Experts discuss the persistent challenge of secrets sprawl despite available tools and technology. Panelists include Mackenzie Jackson, James Governor, Andrei Predoiu, and Mike Carey.
In this episode, we sit down with Vedran Jukic, co-founder and CTO of Code Anywhere, and Tomma Pulljak, Senior Developer at Code Anywhere, to talk about the future of development environments.
Experts discuss challenges faced by large organizations in creating effective secrets management programs to combat security issues like secrets sprawl. Panel includes Mackenzie Jackson from GitGuardian, James Governor from RedMonk, Andrei Predoiu from Bestseller, and Mike Carey from 1Password.
Learn about Git hooks, where they run, and how to use the pre-existing hooks in the standard Git template.
Stay updated with event-driven notifications! Create custom webhooks to subscribe to various events from incidents, occurrences, or notes (14 types in total) and receive alerts in your preferred external tools.
GitGuardian automates incident remediation with playbooks. The auto-healing playbook shares incidents with developers and sends them a unique link via email.
GitGuardian Honeytoken is a tool that helps detect leaks and intrusions in projects. It allows users to create a Honeytoken from the dashboard, insert it into their project, and share the package with their team securely. Learn more at https://www.gitguardian.com/honeytoken.
Customize the remediation workflow in your GitGuardian workspace. Manage up to 20 steps, switch between default and custom workflows. Tailor it to your organization's context and policies.
Last month, 1 in 10 code authors exposed secrets on GitHub, leaking 10 million secrets. Now, 500+ CISOs and engineering leaders share how they handle hardcoded secrets and their priorities in AppSec and Dev tooling.
Jason Haddix, CISO of BuddoBot and former CISO/Head of Security at UbiSoft, emphasizes the importance of a comprehensive secrets management program and shares his 4-step plan for detection, prevention, response, and education.
CEO of Socket discusses the supply chain as the top risk for 2023 and ways to secure it in an interview for The Security Repo podcast. The episode focuses on insights from the 2023 RSA conference. Visit Socket's website for more information.
Gain valuable insights and discover strategic approaches that will empower you to shape your security strategy effectively.
Jason Haddix is a legendary penetration tester and hacker. In this clip he shares how he managed to hack into several different banks, the methodology they would use as well as some stories from real-life scenarios.
Learn how to automate tasks and check information using Git hooks. This video tutorial explains how to create local and global hooks that can call APIs, use grep, and other tools. Check out ggshield, the pre-commit framework, and githooks.com for more information.
Penetration testers Noah Tongate and Adriel Desautel explain the top 5 tips they would give to organizations who want to protect themselves against attackers.
Mackenzie Jackson from GitGuardian was part of a report that found 10 million secrets stored across the entire public GitHub space. In this interview we go into how secrets have evolved from plain username/password pairs to API tokens, AWS access keys and a whole lot more.
Can ChatGPT be used by hackers? This is a question I asked two top-of-the-game hackers on The Security Repo. Noah Tongate and Adriel Desautels explain the risks of ChatGPT and other AI systems as they relate to hacking, now and in the future.
Have you ever wanted to know how to hack a bank? If so this is the episode for you (disclaimer, please don't hack banks).
Hacker Adriel Desautels explains the effectiveness of honeypots in combating malicious threat actors. He conducts real-world penetration tests with his team at Netragard to protect organizations of all sizes.
Intent-based access control is a new concept that enables you to programmatically declare how you want your applications to authenticate with each other, and let infrastructure fill in the blanks to make that possible. The CPO of Otterize, Uri Sarid explains exactly how this works.
In this special edition episode, we tracked down a few of the key thought leaders in cyber security around the RSA conference to ask them what they thought were the biggest security concerns for 2023 as well as some key recommendations for organizations to combat them. Their insights were fascinating.
Our latest report gathered answers from 507 IT and security decision-makers to study awareness about the risks posed by secrets sprawl and operational maturity in large enterprises.
OpenAI experienced a data breach caused by a bug in the open-source Redis client library it uses, raising concerns about securing ChatGPT.
Otterize CPO and particle physicist Uri Sarid explains how ChatGPT will change the internet, from how our applications connect and communicate all the way to how we market our products.
Most authentication on the internet is not done by humans; it is done by computers, or non-human entities, which may sound like a sci-fi concept but is very real. The CPO of Otterize, Uri Sarid, explains exactly what non-human authentication is and why it is critical to modern software development.
In this episode we sit down with legendary pen tester Adriel Desautels and Noah Tongate to discuss how modern cyber criminals operate to deploy ransomware attacks. The conversation is full of real-life hacking stories and to-the-point information on how you can protect yourself against modern threats.
What is the biggest security threat for 2023 and how can we combat it? This is the million-dollar question in security. GitGuardian developer advocate Mackenzie Jackson had the opportunity to ask Joseph Carson from Delinea what he expected from 2023.
Join GitGuardian CEO Eric Fourrier to learn how Honeytoken has got you covered. You can deploy our honeytokens at scale, monitor them for unauthorized use, and detect intrusions in your supply chain before they can cause any damage to your assets.
In this episode of The Security Repo we dive into intent-based access control. This is the concept of limiting access to just what is intended. It sounds simple enough, but how does one understand and define intent? And more importantly, how do we enforce our intentions with access control?
We are proud to introduce you to the GitGuardian Honeytoken module. Honeytokens are decoy credentials that don't allow any real access but instead trigger alerts that reveal the IP address of whoever tried to use them. GitGuardian honeytokens can be used for intrusion detection in your own environments and tools.
Learn how to create AWS honeytokens that alert you when someone attempts to use them. Honeytokens are API or access keys that are real but harmless and can be used as an early warning system to know when an intruder has made it into your systems. In this video, we run through the simple steps to create your very own AWS honeytokens using an open-source project and your own infrastructure.
Discover the best practices and tools to secure your infrastructure as code (IaC) throughout the DevOps software development lifecycle. From threat modeling to monitoring, this comprehensive guide offers valuable insights to improve the security, reliability, and consistency of your IaC.
APIs are what run the internet today. Modern applications are no longer monoliths; they are built upon hundreds of microservices, and APIs are the glue that connects them. API security, however, is a massive blind spot for many organizations. From misconfigurations to leaked secrets, APIs give attackers ample opportunity to intrude into your systems.
Attackers are constantly targeting our software supply chains – abusing developers' trust, exploiting secrets, and contaminating the open-source ecosystem – to find a way in. Every step you can take to enhance your application and cloud security posture is critical. But there will never be zero risk. Trick your attackers and detect the early signs of intrusion with GitGuardian Honeytoken.
In this episode we are joined by Brendan O'Leary from ProjectDiscovery to learn about the tools that hackers, bug bounty hunters, and red teams use to map infrastructure and find vulnerabilities.
Audrey is a Senior Security Software Engineer at Microsoft in the Commercial Software Engineering team (CSE), which is a global engineering organization that works directly with the largest companies and not-for-profits in the world to tackle their most significant technical challenges.
At GitGuardian, we know that time can be a critical factor when any incident involving secrets occurs. That's why our platform allows you to quickly and easily automate parts of your incident response. We call these automations "Playbooks". Our Auto-access granting playbook grants the right access to the right developers so they can work on the issue as soon as possible.
The GitGuardian API lets you remediate your secret incidents from any platform you prefer. We are proud to release a new demo application to help you learn how to automate your workflows.
At GitGuardian, we work with customers of all sizes, some with many dozens of AppSec team members supporting tens of thousands of developers. The larger and more sophisticated the organization, the more they rely on Role-based Access Management to best administer user permissions.
Manual severity assignment requires a case-by-case examination of your open incidents and can be time-consuming for your teams. GitGuardian's severity scoring feature automates this approach, where and when applicable, to the incidents in your workspace so that you can save time on their triaging and prioritization.
In 2022, we scanned a staggering 1.027 billion GitHub commits! How many secrets do you think we found? For the 3rd year in a row, I am excited to share with you the findings of The State of Secrets Sprawl! This report from my team at GitGuardian is the most extensive analysis of secrets exposed in GitHub and beyond!
In this episode of The Security Repo we are joined again by Troy Santana from Critical Start to discuss how organizations can set up a Security Operations center regardless of their size. We explore exactly what a security operations center does and why you need one in the current security climate.
In this video, we explore how to securely manage and use secrets like API keys, passwords, credential pairs, and other sensitive information in Python. We run through the basics of using environment variables and move on to more advanced scenarios such as managing different secrets for multiple environments.
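As an added illustration of the environment-variable approach described above (example code, not the video's own), the snippet below loads secrets from the process environment, resolves a stage-specific value before a shared one so that staging and production never silently share a key, fails closed when a required secret is absent, and only ever logs a redacted form. The STAGE_NAME naming convention, the `.env` fallback for local development and the `REQUIRED` list are assumptions made for this example.

```python
"""Loading secrets from the environment, with one set of values per deployment stage.

Added example; the STAGE_NAME naming convention and the .env fallback are
assumptions for this illustration, not something the video prescribes.
"""
import os
from dataclasses import dataclass

REQUIRED = ("DATABASE_URL", "STRIPE_API_KEY")   # the secrets this app cannot start without


@dataclass(frozen=True)
class Settings:
    stage: str
    database_url: str
    stripe_api_key: str


class MissingSecret(RuntimeError):
    """Raised so the process fails closed instead of running with an empty credential."""


def parse_env_text(text: str) -> dict:
    """Minimal KEY=VALUE parser for a local .env file (which itself belongs in .gitignore)."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip().strip("'\"")
    return values


def stage_of(environ) -> str:
    return environ.get("APP_STAGE", "development").lower()


def lookup(environ, stage: str, name: str):
    """STAGE_NAME wins over a shared NAME, so staging and production never share a key by accident."""
    return environ.get(f"{stage.upper()}_{name}") or environ.get(name)


def missing_secrets(environ, stage=None) -> list:
    stage = stage or stage_of(environ)
    return [name for name in REQUIRED if not lookup(environ, stage, name)]


def load_settings(environ=None, stage=None) -> Settings:
    environ = os.environ if environ is None else environ
    stage = stage or stage_of(environ)
    missing = missing_secrets(environ, stage)
    if missing:
        raise MissingSecret(f"stage {stage}: missing {', '.join(missing)}")
    return Settings(stage=stage,
                    database_url=lookup(environ, stage, "DATABASE_URL"),
                    stripe_api_key=lookup(environ, stage, "STRIPE_API_KEY"))


def redact(secret: str) -> str:
    """Safe representation for logs: keeps just enough to tell keys apart."""
    if len(secret) <= 8:
        return "****"
    return secret[:4] + "****" + secret[-4:]


if __name__ == "__main__":
    env = dict(os.environ)
    if os.path.exists(".env"):                          # local development only
        with open(".env") as fh:
            env = {**parse_env_text(fh.read()), **env}   # real environment wins over the file
    settings = load_settings(env)
    print(settings.stage, redact(settings.stripe_api_key))
```

Run it with `APP_STAGE=staging STAGING_STRIPE_API_KEY=... DATABASE_URL=... python settings.py`. The point of `MissingSecret` is that a misconfigured deployment stops at startup instead of reaching a provider with an empty credential and failing later in a less obvious place.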
Ransomware is not new, it has been around for more than 30 years but it has changed a lot over the years. This is a snippet from a full webinar on Ransomware with Grzegorz Bak that dives into the most alarming statistics of ransomware and how we can protect ourselves against it.
The cloud revolution has taken the world, and programming languages, by storm! In 2022, HCL, the HashiCorp Configuration Language, driven by the popularity of Terraform and Infrastructure-as-Code practices, became the #1 fastest-growing language on GitHub! Who would’ve expected that ten years ago?!
This is a brief overview of the components that make up the architecture behind a Kubernetes cluster with an explanation of what each one does.
How many Android applications on the Play Store are leaking their credentials and secrets? The answer comes from independent research conducted by Cybernews, which shows that nearly half of all applications on the Play Store are leaking secrets. Vincentas Baubonis, a security researcher from Cybernews, joined GitGuardian on a webinar to detail the research they conducted exploring how Android applications leak secrets.
The report reveals an unprecedented number of hard-coded secrets in new GitHub commits over the year 2022. And much more.
Staff augmentation is the idea of augmenting your internal staff with consultants and tools to give you the collective knowledge of security experts for all teams. We sit down with security consultant Troy Santana to discuss exactly what staff augmentation looks like and how it can be implemented.
Explore how developers utilize ggshield, the free and open-source GitGuardian CLI, to detect hardcoded secrets and participate in the remediation process. This video demo covers installing and authenticating ggshield, setting up pre-commit git hooks, working with GitGuardian in the PR process and GitHub Actions, and experiencing the remediation process from a developer's perspective.
GitGuardian’s real-time monitoring allows alerts to be sent immediately when an incident is detected. This high-level overview walks you through setting up, configuring, and testing alert integrations.
Discover how to create AWS Honeytokens, harmless but real API or access keys, to serve as early warning systems for potential intrusions. This video provides step-by-step guidance on creating your own AWS Honeytokens using an open-source project and your infrastructure.
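The two AWS honeytoken videos above stop at creating the decoy keys; the detection side is what makes them useful. The block below is an added example (not code from the videos or from the open-source project they use) that reads CloudTrail records, matches the `userIdentity.accessKeyId` field against a table of planted decoys, and collapses the hits into one incident per key with the source IP, user agent and first-seen time. The decoy key IDs are the placeholder IDs AWS uses in its own documentation, the placements and the log records are constructed for this example, and the sample uses a TEST-NET address.

```python
"""Turning CloudTrail records into honeytoken alerts.

Added example; the decoy key IDs, placements and log records below are constructed
(the key IDs are the placeholder IDs AWS uses in its own documentation).
"""
import json
from collections import defaultdict

# Where each decoy was planted. This mapping is the value of a honeytoken: the key
# tells you which location an intruder reached, the record tells you from where.
HONEYTOKENS = {
    "AKIAIOSFODNN7EXAMPLE": "payments-api repo, .env.example",
    "AKIAI44QH8DHBEXAMPLE": "internal/ingest:2.3 docker image",
}

SAMPLE_LOG = json.dumps({"Records": [   # constructed, not from a real account
    {"eventTime": "2023-05-01T12:00:00Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAREALDEVKEY000001"},
     "sourceIPAddress": "10.0.4.12", "userAgent": "aws-cli/2.11.0"},
    {"eventTime": "2023-05-01T12:03:17Z", "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
     "sourceIPAddress": "203.0.113.45", "userAgent": "Boto3/1.26.0"},
    {"eventTime": "2023-05-01T12:03:20Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
     "sourceIPAddress": "203.0.113.45", "userAgent": "Boto3/1.26.0",
     "errorCode": "AccessDenied", "errorMessage": "Access Denied"},
]})


def honeytoken_alerts(cloudtrail_json: str, honeytokens=HONEYTOKENS) -> list:
    """One alert per API call made with a decoy key, denied or not: the first probe
    (usually sts:GetCallerIdentity, which IAM cannot deny) is the signal."""
    alerts = []
    for rec in json.loads(cloudtrail_json).get("Records", []):
        key_id = rec.get("userIdentity", {}).get("accessKeyId")
        if key_id not in honeytokens:
            continue
        alerts.append({
            "key_id": key_id,
            "planted_in": honeytokens[key_id],
            "time": rec.get("eventTime"),
            "action": f"{rec.get('eventSource')}:{rec.get('eventName')}",
            "source_ip": rec.get("sourceIPAddress"),
            "user_agent": rec.get("userAgent"),
            "denied": "errorCode" in rec,
        })
    return alerts


def summarize(alerts: list) -> dict:
    """Collapse alerts per decoy so the on-call sees one incident, not one row per call."""
    incidents = defaultdict(lambda: {"planted_in": None, "first_seen": None, "calls": 0, "source_ips": set()})
    for a in sorted(alerts, key=lambda a: a["time"]):
        inc = incidents[a["key_id"]]
        inc["planted_in"] = a["planted_in"]
        inc["first_seen"] = inc["first_seen"] or a["time"]
        inc["calls"] += 1
        inc["source_ips"].add(a["source_ip"])
    return dict(incidents)


if __name__ == "__main__":
    for key_id, inc in summarize(honeytoken_alerts(SAMPLE_LOG)).items():
        print(f"HONEYTOKEN USED {key_id} planted in {inc['planted_in']}: "
              f"{inc['calls']} call(s) since {inc['first_seen']} from {sorted(inc['source_ips'])}")
```

Because a decoy key carries no permissions, almost every call it makes lands in CloudTrail as AccessDenied; the alert must therefore fire on any use of the key, not on success. CloudTrail delivery lag of several minutes is the price of this approach, which is why dedicated honeytoken services also hook the STS call path.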
In this episode, we sit down with Laurent Balmelli, the CEO of Strong Network, to discuss why development environments are vulnerable to malicious actors and how we can move to a secure cloud IDE (Integrated Development Environment).
Ross Haleliuk is a champion of Product-Led Growth (PLG) and in this episode sits down with Mackenzie Jackson to discuss how this concept has changed cyber security products and how organizations can adopt a product-led growth mindset.
What is confidential computing? Former CTO and co-founder of Profian Nathaniel McCallum breaks down exactly what confidential computing is and how it is changing some of the challenges around security.
Nathaniel McCallum is the former CTO and co-founder of Profian and an expert in WebAssembly and confidential computing. This week on The Security Repo, Dwayne McDaniel goes on a deep dive with Nathaniel to understand WebAssembly and how it relates to security, and also peels apart the layers that surround the term confidential computing.
Join me for this live discussion with TAG Cyber analysts Chris Wilder and David Neuman to learn more about how GitHub expands an organization’s attack surface, secrets sprawl and the threat it poses, and how SecOps teams can protect their organization by looking past their perimeter.
Download our cheat sheet on IAM, Identity and Access Management, best practices. It will help you make your cloud environments more secure.
In this episode, we invite Will Kelly to join Mackenzie and Dwayne in a conversation about implementing DevSecOps in software organizations. We tackle what DevSecOps is in reality, how organizations can implement a plan to roll out a DevSecOps approach, and the challenges that surround this.
This video is a clip from the full conversation about implementing and understanding DevSecOps in modern development companies.
Learn how to prioritize, investigate, and remediate hardcoded secrets incidents effectively with real-life examples and scenarios using GitGuardian's code security platform in a live discussion with Dwayne McDaniel, Security Advocate at GitGuardian.
2022's Top CyberSecurity Breaches illustrating the need for secrets detection.
Understanding your perimeter is an important part of eliminating secrets sprawl. In this short video, you will learn how GitGuardian defines your perimeter when using the GitGuardian Internal Monitoring Platform. Learn more at https://www.gitguardian.com
When it comes to secrets management and secrets detection, how mature is your organization? Find out on this anonymous assessment.
Join us for an exciting webinar with Cybernews researcher Vincentas Baubonis as we delve into their shocking research, revealing thousands of Android apps leaking hard-coded secrets like API keys. Discover the significance of this vulnerability, and its impact, and learn prevention methods to safeguard your applications.
GitGuardian scans GitHub round the clock for companies' exposed secrets and alerts their security teams before it’s too late. This short demo shows exactly how GitGuardian's Public Monitoring platform can help you identify your developers on GitHub, even when using personal accounts, monitor your perimeter for secrets leaks, and help you collaborate with developers to remediate exposure.
This video provides a high-level overview of incident remediation for hard-coded secrets in shared repositories, utilizing the GitGuardian monitoring platform. It covers incident definitions, prioritization, investigation, and steps for issue resolution.
A one pager summarizing the 2022 state of Secrets Sprawl with all key figures and findings.
With every hardcoded secret, the software supply chain attack surface grows larger, opening more avenues for the resourceful attacker. Remember Codecov? It all started with a hardcoded secret, ultimately leading to the downstream poisoning of 20,000+ CI pipelines and the exfiltration of more secrets than attackers could ever dream of. It’s time for us, developers and security pros, to take a hard look at our hardcoded secrets – or else, we accept living with the risks and consequences of secrets sprawl.
GitGuardian Playbooks enable easy automation of incident responses. With three distinct playbooks, including auto-healing, auto-access granting, and auto-resolution, teams can efficiently involve developers, grant access, and automate incident updates, streamlining the incident remediation process. Learn more about GitGuardian Playbooks in the documentation provided.
This white paper outlines our Secrets Management Maturity Model, a model to help your organization make sense of its actual posture and how to improve it.
In this short demo, we show exactly how GitGuardian can help identify secrets inside your source, quickly and effectively remediate incidents and prevent secrets from being committed into source code repositories.
Join Socket's CEO Feross Aboukhadijeh to learn about supply chain attacks, npm bin script confusion, and how Socket helps identify and block such attacks with a live demo inspecting JavaScript packages on the npm registry for malicious code.
Learn the basics of ggshield to secure all your secrets.
Join the webinar to explore GitGuardian's Secrets Management Maturity Model, which addresses the complexities of securing and distributing secrets in multi-cloud, containerized, and infrastructure-as-code DevOps environments. Discover how automated secrets detection and remediation can enhance security in development workflows, and learn how to develop an effective secrets management program for your organization.
Learn about the rising threat of ransomware to DevOps and SaaS services and the significance of ransomware-proof backups as the ultimate defense.
On September 15th, 2022, Uber suffered a significant breach. In this video, we break down exactly how Uber was breached, from initial access to how the attacker moved laterally into different internal systems at Uber.
Developers need to prevent credentials from being exposed while working on the command line. Learn how you might be at risk and what tools and methods to help you work more safely.
Len Noe is both a white-hat hacker and a pioneer in the transhuman movement. Currently, Len has 8 implants, which he uses to enhance his offensive security activities. In this episode, I discuss with Len what biohacking or bio-modification means as a security threat and what we can do to defend against it.
A .gitignore file is a great and simple tool we can use to prevent including unwanted files in a git repository. This file can be used to simply ignore files and directories but also be used to create complex rules and partial rules to ignore select files.
Live discussion with Eric Fourrier, CTO at GitGuardian, on how to detect compromised developer and DevOps environments with canary tokens and a demo of ggcanary.
The security repo is a Podcast hosted by David Raviv and Mackenzie Jackson who look at the latest trends in security with expert guests that are in the security trenches. This is the first pilot episode where the two cover supply chain risks in modern software development.
Secrets typically refer to digital authentication credentials which are access credentials like API Keys, Credential pairs, and security certificates to name a few. In this video Mackenzie looks at exactly what these secrets are, what they look like, why we use them and how we use them.
Join our next webinar and find out how we’re solving this at GitGuardian with ggshield, the open-source CLI that detects more than 350 types of secrets.
Qubit Prague is a leading security conference in the CEE and SEE regions. Our developer advocate talks to some of the speakers to get the highlights from the event.
See the new ggshield login command in action.
Join the session with C.J May, Senior Security Analyst, to learn about common security mistakes in setting up GitHub Actions and practical exploits of GitHub Actions workflows. Discover best practices for securing and hardening your CI workflows to enhance the security of your software development lifecycle.
Secrets like API keys, security certificates, and other credentials are highly sensitive but can end up sprawled through our systems. In this video, we look at how we can uncover these secrets in our file directories using the open-source scanner ggshield.
GitHub Actions is an increasingly popular CI/CD platform. They offer powerful and easy-to-access features to build automation right into any GitHub repository. However, they also require special attention to avoid any compromise. Here are the best practices to secure them.
Not a day goes by without hearing about a source code leak in the news: Twitch, Samsung, Nvidia, Microsoft… We’re left wondering who’s going to be next. Join me this time, with Thomas Deschamps, Technical Product Manager at GitGuardian, to discuss why and how source code is leaking, the real (security) threats behind source code leaks, and how we detect source code leaks on GitHub.
Join the webinar with Tiexin Guo, a renowned security engineer, and collaborator with GitGuardian, as he breaks down his articles on hardening Kubernetes clusters. Explore practical examples covering K8s componentry, threat models, and security topics like pod, network, authentication, authorization, logging, and auditing, with opportunities for participation and Q&A.
We run through the recent Samsung breach by Lapsus$ group taking a look into exactly what was leaked and if any credentials and secrets were exposed because of it (spoiler thousands were leaked). First, we take a look at exactly what was leaked from Samsung, next we scan it for any secrets and look into a couple of examples and finally discuss what is coming next from Lapsus$ group and how they potentially hacked Samsung.
On March 2nd GitGuardian will be releasing its annual ‘State of Secrets Sprawl Report’. This report analyzes all public commits made to GitHub throughout the year: How many secrets do you think GitGuardian detected in 2021? This year we are going deeper. Not only are we looking into the number of secrets leaked in public GitHub repositories (we have some big surprises here!!) but we are also looking into secrets leaked in public Docker images and even private git repositories.
In this tutorial, we look at how we can prevent secrets like API keys and other credentials from being merged into git repositories by installing a GitHub Actions workflow with ggshield (GitGuardian Shield) that automatically scans commits and PRs for sensitive information.
In this video, we break down the recent source code leak at Twitch and discuss what makes our source code a vulnerability. We used GitGuardian's secrets detection engine to uncover any hidden credentials inside the Twitch source code; spoiler alert, we found a lot, over 6,000. We walk through some possible attack paths malicious actors could take and examine why this is such a systemic problem for so many organizations today.
Managing secrets can be difficult especially at scale. In this video GitGuardian developer advocate, Mackenzie, chats with the maintainer and founder of OWASP WrongSecrets Jeroen Willemsen. The project is a fun gamified way to teach developers some of the worst practices when it comes to managing secrets and of course why those practices are bad. Jeroen also gives us a demo of the project to help you get started on the first few challenges.
Building secure software goes hand in hand with building high-quality code. In this webinar we welcome Baptiste Bouffaut, the CTO of Ponicode, to discuss code quality and break down what code quality is, how we can ensure it, and how it helps secure our applications.
Secrets like API keys and credentials create a huge security risk when they leak into remote git repositories. A secret inside a git repository must be considered compromised and revoked immediately, which is why it is much better to detect secrets before they enter your repository. This tutorial runs through how to create a pre-push hook, which git runs when you execute 'git push' but before any commits leave your machine, and have it block the push if any of the outgoing commits contain secrets.
In its 2022 report, GitGuardian extends its previous edition focused on public GitHub by depicting a realistic view of the state of secrets sprawl in corporate codebases.
A mini-tutorial showing how you can create a pre-commit git hook to detect secrets using the pre-commit framework and ggshield. ggshield is a free, open-source tool that uses the GitGuardian secrets detection engine to detect secrets in source code and scan your repository for leaks.
Thousands of secrets like API keys are leaked into public GitHub repositories every day. But what actually happens when these secrets are leaked? This video has an easy to recreate experiment which monitors malicious activity after leaking an AWS credential into a public GitHub repository.
Leaked secrets like API keys are a severe security risk, especially when they enter git repositories. The best place to detect secrets is BEFORE they enter a git repository. Using ggshield and the pre-commit framework you can quickly set up powerful secrets detection to block commits that may contain secrets before they enter your git repository. This video also goes through how we can use some of the additional features to ignore false positives and specific file paths.
Docker can be a blind spot for security. In this video we look at leaked credentials inside Docker images: how secrets like API keys and certificates end up in Docker images, how we can detect them, and how we can protect our own images.
NIST launched an initiative to improve US cybersecurity, defining "critical software" and providing guidelines to secure it for federal agencies. Although aimed at federal agencies, the software industry is likely to adapt to these standards, enhancing security for businesses as well. Learn more in this video breakdown for easy application in your business.
Join the webinar with Cédric Teyton, founder and CEO at Promyze, to learn about the unique challenges of managing secrets in large tech teams and the importance of secure practices to prevent breaches. Explore how Promyze facilitates successful knowledge dissemination within large organizations.
Every developer has to set up their Git config at least once. Our cheat sheet will help you make this process a breeze, ensuring that you never push with the wrong profile again!
Container security is not just a runtime problem. Failure to treat it early on in the development life cycle has led to a surge in supply chain attacks, such as the recent Codecov breach. Join our next discussion with Henri Hubert, head of R&D at GitGuardian for a deep-dive into the problem of secrets in Docker images.
In this video, we show how to quickly set up GitGuardian’s internal repository monitoring product and scan your git repositories and prevent secrets like API keys, credential pairs and security certificates from leaking. The video also gives a quick tour into some of the key features of GitGuardian for both developers and small teams such as investigating and prioritizing incidents, sharing incidents with team members, viewing analytics and adjusting the detection policies.
Containers are not security devices. That's why we've curated a set of easily actionable recommendations to improve the security of your Docker containers. Check out the one-page cheat sheet.
GitGuardian developer advocate Mackenzie talks with Chris Riley from Splunk about his upcoming talk at the GitLab Commit conference. They touch on what DevOps analytics is, how it can be impactful for the entire team, and some of the key points his presentation will cover.
In this video, we run through how to use ggshield (GitGuardian Shield) to create a pre-commit hook and a GitHub Actions workflow that scan your commits for secrets. This tutorial aims not just to show the basics but to explain what the tool is doing, to help you better understand where and how to implement secrets detection in other areas of the SDLC.
In this video, we discuss the Codecov breach, how attackers breached Codecov, how they stole sensitive information from Codecov customers for months, and what you should do if you are a user of Codecov.
In this video, we talk about the incredible presentation by biohacker and cyborg, Len Noe at the RSA conference where he discusses the implants he has which enhance his ability to be able to hack, turning himself into the attack vector.
Our developer advocate recaps Tom Kellermann's presentation at the RSA conference, which covers version 4 of the Modern Bank Heists report published by VMware and looks at how attacks on the financial sector have changed. The presentation examines how the Covid-19 pandemic has changed criminal organizations and how attacks on financial institutions are now targeting information, not financial assets.
Our developer advocate brings you the highlights and trending news from the event to make sure you don't miss a thing. Today was the first day at this major cybersecurity conference and the highlight for us was a talk titled Attack & Defend: Protecting Modern Distributed Applications and Components from Johannes Ullrich and Jason Lam. This unique presentation used the two presenters to cleverly show how an attacker could exploit a modern distributed application and how someone could defend against such an attack.
Meet GitGuardian. Learn what GitGuardian is and what solution we offer for automated secrets detection and remediation. Learn why you should monitor public and private source code to detect API keys, database credentials, certificates and more.
This 5 min demo shows GitGuardian’s Public GitHub Monitoring solution which allows companies to: Have visibility over, and better understand, its developers’ public activity on GitHub; Be alerted of potential leaks of secrets and other types of sensitive information that would be made public, in real-time, in order to nullify most of the damage very quickly. The solution comes in the form of a dashboard, where the company’s public GitHub activity and identified incidents are displayed.
This video analyzes how white hat hacking group Sakura Samurai was able to breach multiple organizations within the Indian Government.
Because git keeps a history of everything, it’s not often enough to simply remove the secret or file, commit, and push: we might need to do a bit of deep cleaning.
The United Nations Environment Programme was breached with over 100k employee records accessed. The ethical hacking group Sakura Samurai recently gained access to private United Nations data and systems in a significant data breach that was disclosed.
The State of Secrets Sprawl report measures the exposure of secrets within public repositories on GitHub and how this serious threat is evolving year to year.
Discover application security solutions to further secure the SDLC by implementing automated secrets detection in the DevOps pipeline.
Secrets like API keys, credentials and security certificates are the crown jewels of organizations but can easily sprawl through all your systems. It is important to be able to gain visibility into your systems and code to find these secrets. In this tutorial, we run through a simple Python script to scan for secrets in local files and directories. The same principles can be applied to detect secrets anywhere in your CI/CD pipeline.
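As an added example that serves both the local file-and-directory scanner described above and the pre-push hook tutorial earlier in this list (example code, not the tutorials' own scripts and not GitGuardian's detection engine), the block below implements a small regex-plus-entropy scanner. The same `find_secrets` function runs over a directory tree or, in `--pre-push` mode, over only the lines the outgoing commits add, which is what a pre-push hook should judge. The detectors, the entropy threshold and the skipped directories are assumptions chosen for illustration; the key in the demo is the placeholder AWS uses in its documentation.

```python
"""Regex-plus-entropy secrets scanner for directories, also usable as a pre-push hook.
Added example, not GitGuardian's engine or ggshield.
    python scan_secrets.py <dir>         scan a tree on disk
    python scan_secrets.py --pre-push    install as .git/hooks/pre-push
"""
import math
import os
import re
import subprocess
import sys
import tempfile
from collections import Counter

# Illustrative detectors only; a real engine carries hundreds and validates candidates.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "generic_assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|password|token)\b\s*[:=]\s*['\"]([^'\"]{16,})['\"]"),
}
MIN_ENTROPY = 3.5            # bits per character; "xxxxxxxx"-style placeholders score near 0
SKIP_DIRS = {".git", "node_modules", "__pycache__", ".venv"}


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def find_secrets(text: str, origin: str = "<text>"):
    """Return (origin, line_no, detector, value) for every suspicious match."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                # Only the generic detector is entropy-gated: real keys are random, placeholders are not.
                if name == "generic_assignment" and shannon_entropy(value) < MIN_ENTROPY:
                    continue
                findings.append((origin, line_no, name, value))
    return findings


def scan_directory(root: str):
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    findings.extend(find_secrets(fh.read(), origin=path))
            except OSError:
                continue         # unreadable file: skip it rather than abort the scan
    return findings


def added_lines(diff_text: str) -> str:
    """Keep only the lines a diff adds: the hook judges what is about to leave the machine."""
    return "\n".join(ln[1:] for ln in diff_text.splitlines()
                     if ln.startswith("+") and not ln.startswith("+++"))


def pushed_diff(local_sha: str, remote_sha: str) -> str:
    """Diff of what one pushed ref would publish (needs git on PATH)."""
    zero = "0" * 40
    if local_sha == zero:        # deleting a remote branch publishes nothing
        return ""
    if remote_sha == zero:       # brand-new branch: diff against git's empty tree
        remote_sha = subprocess.run(["git", "hash-object", "-t", "tree", "--stdin"], input="",
                                    capture_output=True, text=True, check=True).stdout.strip()
    return subprocess.run(["git", "diff", "--unified=0", remote_sha, local_sha],
                          capture_output=True, text=True, check=True).stdout


def pre_push_hook(stdin_lines):
    """git feeds '<local_ref> <local_sha> <remote_ref> <remote_sha>' per ref being pushed."""
    findings = []
    for line in stdin_lines:
        local_ref, local_sha, _remote_ref, remote_sha = line.split()
        findings += find_secrets(added_lines(pushed_diff(local_sha, remote_sha)), origin=local_ref)
    return findings


def demo_scan():
    """Scan a constructed directory; the values are documentation examples, not live keys."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "config.py"), "w") as fh:
            fh.write('AWS_KEY = "AKIAIOSFODNN7EXAMPLE"\n'            # AWS docs example key
                     'password = "xxxxxxxxxxxxxxxx"\n'              # placeholder, skipped
                     'API_KEY = "aB3dE5fG7hI9jK1lM2nO4pQ6"\n')      # high entropy, flagged
        return [(os.path.basename(o), n, det) for o, n, det, _ in scan_directory(d)]


if __name__ == "__main__":
    if sys.argv[1:] == ["--pre-push"]:
        hits = pre_push_hook(sys.stdin.read().splitlines())
    else:
        hits = scan_directory(sys.argv[1]) if sys.argv[1:] else demo_scan()
    for hit in hits:
        print("secret candidate:", *hit)
    sys.exit(1 if hits else 0)   # a non-zero exit makes git abort the push
```

To use it as a hook, copy the file to `.git/hooks/pre-push`, make it executable, and add `#!/usr/bin/env python3` with `--pre-push` handled as above; git aborts the push on a non-zero exit. Scanning only the added lines keeps the hook fast and avoids re-flagging history, but anything it does flag in history has already been published and must still be rotated.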
Storing and managing secrets like API keys and other credentials can be challenging, even the most careful policies can sometimes be circumvented in exchange for convenience. We have compiled a list of some of the best practices to help keep secrets and credentials safe.
Secret sprawl is the unwanted spread or distribution of sensitive data through multiple systems and services. In this video, GitGuardian's developer advocate looks at why secret sprawl is dangerous and how developers and organizations can prevent it.
In this video I will run through how to permanently delete files and rewrite your git history using two methods. The git reset command for simple scenarios and using the BFG repo cleaner for more complicated real-world examples.
In this document, we go beyond classical definitions of DevSecOps to express our vision of an emerging collaboration between Developers, AppSec, and Ops teams: the AppSec Shared Responsibility Model.