GitHub has announced an improvement to its secret scanning feature that extends validity checks to popular services such as Amazon Web Services (AWS), Microsoft, Google, and Slack.
Validity checks, introduced by the Microsoft subsidiary earlier this year, alert users if exposed tokens found through secret scanning are still active, enabling effective remediation. The feature was first enabled for GitHub tokens.
The cloud-based code hosting and version control service said it intends to support more tokens in the future.
To toggle the settings, business or organization owners and repository administrators can go to Settings > Security & Code Analysis > Secret Scanning and check the “Automatically check if a secret is valid by sending it to the appropriate partner” option.
Earlier this year, GitHub also expanded secret scanning alerts to all public repositories and announced the availability of push protection, which helps developers and maintainers proactively protect their code by scanning for highly identifiable secrets before they are pushed.
The development comes as Amazon previewed enhanced account protection requirements that will force privileged users (also known as root users) of an AWS Organization account to turn on multi-factor authentication (MFA) starting in mid-September 2024.
“MFA is one of the simplest and most effective ways to improve account security, offering an additional layer of protection to help prevent unauthorized people from gaining access to systems or data,” said Steve Schmidt, chief security officer at Amazon.
Weak or misconfigured MFA methods also found a place among the 10 most common network misconfigurations, according to a new joint advisory issued by the US National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA).
“Some forms of MFA are vulnerable to phishing, push bombing, exploitation of Signaling System 7 (SS7) protocol vulnerabilities, and/or ‘SIM swapping’ techniques,” the agencies said.
“These attempts, if successful, may allow a threat actor to gain access to MFA authentication credentials or bypass MFA and access MFA-protected systems.”
The other prevalent cybersecurity misconfigurations are as follows:
- Default software and application settings
- Inadequate separation of user and administrator privileges
- Insufficient internal network monitoring
- Lack of network segmentation
- Poor patch management
- Bypass of system access controls
- Insufficient access control lists (ACLs) on shared resources and network services
- Poor credential hygiene
- Unrestricted code execution
As mitigation, it is recommended that organizations remove default credentials and harden configurations; disable unused services and implement access controls; prioritize patching; audit and monitor administrative accounts and privileges.
Software vendors have also been urged to implement secure design principles, use memory-safe programming languages whenever possible, avoid embedding default passwords, provide high-quality audit logs to customers at no additional cost, and require phishing-resistant MFA methods.
“These misconfigurations illustrate (1) a trend of systemic weaknesses in many large organizations, including those with mature cyber postures, and (2) the importance of software vendors adopting security by design principles to reduce the burden on network defenders,” the agencies noted.