Cider Blog

This weekend, GitHub security announced that they are investigating malicious activity, which appears to indicate that credentials associated with Travis-CI and Heroku GitHub integrations were compromised, and are actively used by threat actors to access private information of GitHub tenants which have installed these integrations. The fact that these applications are very common, combined with...

Today, we are proud to announce the release of the “Top 10 CI/CD Security Risks project” This extensive effort was led by Omer Gil, Director of Research at Cider Security, and myself, in collaboration with some of the industry’s top Application Security experts: Iftach Ian Amit (Advisory CSO @ Rapid7) Jonathan Claudius (Director of Security...

This isn’t yet another blog giving the SBOM 101. There is an abundance of those. This is a deep dive into things we need to consider to generate the most accurate SBOM. Authors Rotem Bar, Head of Research @ Cider SecurityDaniel Krivelevich, CTO @ Cider Security The more our industry learns about SBOM (Software Bill of Materials),...

TL;DR The default build authorization configuration in Jenkins — controlling the permissions allocated to pipelines — is insecure and is often left unmodified in production environments. To address this issue, you should use the “Authorize Project” and the “Role-Based Authorization Strategy” plugins to define secure build authorization configurations.

Dev environments have become a major part of today’s attack surface. And within them, the most lucrative assets are the systems responsible for CI and CD — those that build, test, and deploy code — and typically possess the secrets and access to the most critical assets of the organization. So it’s only natural that attackers are continuously on the lookout for novel ways to gain access to these systems.

Docker images are composed of layers. These containers, even after modifications and updates, may have secrets hiding in previous layers. One often overlooked but vital practice should be to check and verify that these layers don’t expose your secrets. We have built a tool that searches the different layers in a fun and easy way.

In the past few weeks, our world infrastructure has been under attack. The attack is very simple: Find a dependency package most of the world is using, hack into the developer’s account and update to a new version with some malware inside. Why was this possible? How can we protect ourselves? What are the potential problems and how can we address them?

The JavaScript ecosystem is highly reliant on dependencies. And all I wanted was a method to safely download my desired dependencies from the internet. The industry standard for doing so in Javascript is “NPM” or “Node Package Manager”. As a developer, when installing node.js software, I usually run “npm install” to download all the necessary packages...