Cider Blog

This weekend, GitHub security announced that they are investigating malicious activity, which appears to indicate that credentials associated with Travis-CI and Heroku GitHub integrations were compromised, and are actively used by threat actors to access private information of GitHub tenants which have installed these integrations. The fact that these applications are very common, combined with...

Today, we are proud to announce the release of the “Top 10 CI/CD Security Risks project” This extensive effort was led by Omer Gil, Director of Research at Cider Security, and myself, in collaboration with some of the industry’s top Application Security experts: Iftach Ian Amit (Advisory CSO @ Rapid7) Jonathan Claudius (Director of Security...

This isn’t yet another blog giving the SBOM 101. There is an abundance of those. This is a deep dive into things we need to consider to generate the most accurate SBOM. Authors Rotem Bar, Head of Research @ Cider SecurityDaniel Krivelevich, CTO @ Cider Security The more our industry learns about SBOM (Software Bill of Materials),...

TL;DR The default build authorization configuration in Jenkins — controlling the permissions allocated to pipelines — is insecure and is often left unmodified in production environments. To address this issue, you should use the “Authorize Project” and the “Role-Based Authorization Strategy” plugins to define secure build authorization configurations.

Dev environments have become a major part of today’s attack surface. And within them, the most lucrative assets are the systems responsible for CI and CD — those that build, test, and deploy code — and typically possess the secrets and access to the most critical assets of the organization. So it’s only natural that attackers are continuously on the lookout for novel ways to gain access to these systems.

Docker images are composed of layers. These containers, even after modifications and updates, may have secrets hiding in previous layers. One often overlooked but vital practice should be to check and verify that these layers don’t expose your secrets. We have built a tool that searches the different layers in a fun and easy way.

In the past few weeks, our world infrastructure has been under attack. The attack is very simple: Find a dependency package most of the world is using, hack into the developer’s account and update to a new version with some malware inside. Why was this possible? How can we protect ourselves? What are the potential problems and how can we address them?

The JavaScript ecosystem is highly reliant on dependencies. And all I wanted was a method to safely download my desired dependencies from the internet. The industry standard for doing so in Javascript is “NPM” or “Node Package Manager”. As a developer, when installing node.js software, I usually run “npm install” to download all the necessary packages...

Collection of actionable measures — across Prevention, Mitigation, Detection and assessment — for coping with the Log4Shell chaos

I recently found a new method that allows secure code analysis mechanisms to be bypassed and even worse — abused to execute malicious code on their host. This allows anyone with access to a source control repository to run malicious code in sensitive environments — which may be abused to steal credentials, access tokens and more. This is a result of ongoing research around exploiting SAST scanners that was first presented at DEF CON 29 this summer.

A newly discovered security flaw in GitHub allows leveraging GitHub Actions to bypass the required reviews mechanism and push unreviewed code to a protected branch, potentially allowing malicious code to be used by other users or flow down the pipeline to production.