Last week, GitGuardian organized its yearly French security event, CodeSecDays. The event brought together many actors striving to protect digital infrastructures and featured insightful presentations and discussions on cybersecurity challenges and best practices. This article provides a recap of the key highlights from the event.
Securing Digital Supply Chains
Florent Kirchner, the French National Cybersecurity Strategy Coordinator, delivered a compelling talk titled "Securing Digital Supply Chains: Challenges, Strengths, and Opportunities." He emphasized the complexity and interdependence of modern software architectures, which rely heavily on code libraries, open-source components, and online service APIs. Kirchner highlighted the major challenge organizations face in mastering the overall security of these architectures amidst the constant evolution of dependencies.
State of the Threat
Kirchner provided an overview of the evolving threat landscape, citing notable incidents such as the Heartbleed OpenSSL vulnerability in 2012, the Microsoft data leak of 38TB due to a misconfigured Azure bucket in 2023, and the XZ utils compromise in 2024 that resulted from a patient attacker's three years of undercover work. He emphasized the asymmetric nature of the threat, where honest mistakes can lead to an explosion of the attack surface and an increase in attackers' resources to compromise digital infrastructures.
Key Points for Reflection
Kirchner presented four key points for reflection:
- Finding the needle in a haystack: Modern infrastructure is incredibly complex, and finding vulnerabilities is akin to realizing subtle inconsistencies in a constantly evolving system.
- Security is still largely artisanal: Automated vulnerability scanning is still in its early stages, and ironically, security products themselves are often highly vulnerable.
- The need for new tools: Securing immense and critical infrastructures requires a new type of tools.
- Regulatory landscape: Regulators are stepping in, with initiatives like the Cyber Resilience Act in Europe and the US national cyber strategy authorizing class actions against digital publishers.
Kirchner concluded by discussing the importance of political impetus in establishing controlled digital technology and the French dynamic in support of European strategic autonomy.
Roundtable Discussion
A roundtable discussion featuring Camille Taste (InfoSec Manager at Kaiko), Nicolas Perraud (CISO at Upflow & SecAtScale), and Eric Fourrier, GitGuardian's CEO, explored the real meaning of "shift left" in a security context. The panelists discussed the evolution of security practices, from focusing on individual lines of code to leveraging techniques for rapid code testing and early detection of vulnerabilities.
The panelists shared insights on the importance of finding a middle ground with shared responsibility and platform engineering, rather than placing the entire responsibility solely on developers. They emphasized the effectiveness of engaging developers through exercises like CTF and pen testing to help them understand the risks, challenges, and levers of secure coding practices.
The discussion also highlighted the importance of providing developers with tools to analyze code, pull requests, and work securely and efficiently. The panelists stressed that alerting without remediation is merely noise if no action can be taken. Eric Fourrier shared GitGuardian's experience of finding 200,000 secrets at a client's organization and the need to prioritize and address the historical backlog of vulnerabilities.
Security & Velocity: Reconciling Your Security Team with the Developers' Pace
In his talk, Kayssar emphasized the distinction between security and control. He used the drinking water treatment industry as a metaphor to illustrate why relying on dams to ensure security is misguided. Just as providing a continuous, secure supply of drinking water requires safeguarding the entire pipeline, Kayssar explained that modern platform engineering allows organizations to build security throughout their software development and delivery pipelines, rather than trying to bolt it on at the end.
Software Supply Chain: Do Companies Have a Good Handle on Their Attack Surface?
Loïc discussed the widespread use of open-source code and the growing risks of sophisticated attacks targeting it. A staggering 80% of code used in production comes from external sources. The latest trends in open-source dependency attacks are particularly concerning, including malicious packages, dependency confusion, and even dependency hallucination by AI tools.
So, how can we trust the open-source dependencies we rely on? The key is to implement concrete, practical measures to safeguard your software supply chain.
End-to-End Secrets Security: Myth or Reality?
Finally, Badr Nass Lahsen and Pierre Lalanne presented the benefits of combining secrets detection with secrets management and the end-to-end security use cases that this enables.
They emphasized the importance for an enterprise to oversee the numerous machine identities and their privileges over software assets, particularly how the secrets underpinning them should be properly managed. They also discussed how to mitigate bad practices such as hard-coding secrets.
Wrapping Up and Next: CodeSecDays Virtual!
CodeSecDays was an incredible opportunity for the French AppSec community to gather and exchange insights, tackle challenges, and discover best practices for securing digital infrastructures. In the wild world of modern software architectures, events like CodeSecDays are essential for sharing knowledge and pushing the limits of what's possible in cybersecurity.
Next up, CodeSecDays is headed your way! On Wednesday, June 26th, industry leaders from Snyk, Docker, CyberArk, Chainguard, CircleCI, and more will join forces with GitGuardian for a full-day event packed with roundtables, fireside chats, and hands-on sessions designed to fortify your code against evolving threats. Check the program and register here now!
Whether you're a veteran developer, cybersecurity enthusiast, or technology decision-maker, this virtual event is your chance to level up your skills and help shape the future of secure software delivery. Don't miss out!