Key Highlights From the New NIST SSDF
In this article, we’ll be going over the 1.1 revision of The Secure Software Development Framework that was published earlier this year.
4 Reasons MSPs Should Monitor Their GitHub Footprint
In recent years, resorting to MSPs has become very popular for companies wanting to accelerate the digitization of their businesses. With this surge in popularity, MSPs now face the question: how to ensure we can meet our cybersecurity responsibilities?
How To Setup Your Jenkins Pipeline with GitGuardian in Kubernetes
In this tutorial, we will show how to integrate GitGuardian Shield to run on one of the most famous CI tools: Jenkins (with a cool bonus!).
Investigating, prioritizing, and remediating thousands of hardcoded secrets incidents
This article aims at providing application security teams with a guide to effectively prioritize, investigate and remediate hardcoded secrets incidents at scale.
DevSecOps and the AppSec Shared Responsibility Model
In their latest white paper, GitGuardian examines why implementing DevSecOps at scale to protect the modern software factory means evolving traditional AppSec. Read more to learn how the shared responsibility model adoption will unlock security in an agile world.
Infrastructure as Code - Everything You Need to Know
Infrastructure as Code is slowly but surely becoming norm for organizations that seek automation and faster delivery. Learn the big concepts powering it in this article.
CI Pipelines: 5 Risks to Assess
More and more parts of the software development process can occur without human intervention. However, this is not without its drawbacks. To keep your code and secrets safe, you should add the following security practices to your CI pipeline.
Hardening Your Kubernetes Cluster - Guidelines (Pt. 2)
In this second episode, we will go through the NSA/CISA security recommendations and explain every piece of the guidelines.
Hardening Your Kubernetes Cluster - Threat Model (Pt. 1)
The NSA and CISA recently released a guide on Kubernetes hardening. We'll cover this guide in a three part series. First, let's explore the Threat Model and how it maps to K8s components.
Hunting for secrets in Docker Hub: what we’ve found
In this article, we will explain why Docker images can contain sensitive information and give some examples of the type of secrets we found in public Docker images. Finally, we will compare our results to the ones we have with source code scanning.
Shift your CI to GitHub Actions
Learn how to build a modern CI pipeline using GitHub Actions to achieve testing, building, and pushing Docker images. Harden your pipeline by scanning for leaked secrets and credentials with the help of GitGuardian's gg-shield action.
Why SAST + DAST can't be enough
Static and dynamic app testing are cornerstones for any comprehensive AppSec program, yet they rarely rise up to the challenges of fully securing modern software. Discover why secrets are one of their critical blind spots.
NIST's recommendations for secure DevSecOps
Get a taste of NIST's upcoming value propositions and steps to help companies produce secure software by our cybersecurity specialist Shimon Brathwaite.
How Adding Security into DevOps Accelerates the SDLC (Pt. 2)
Second part of our guided tour through the SDLC, focusing on the fundamental technology enabling DevOps: the CI pipeline. We will also touch on deployment orchestration, maintenance and incident response.
How Adding Security into DevOps Accelerates the SDLC (Pt. 1)
Part one of a deep dive into SDLC and how it evolved to become what we call DevOps. Let's find out how adding security actually accelerates it.
Initial Access Techniques - MITRE ATT&CK
This article discusses the 9 initial access techniques as outlined in the MITRE ATT&CK framework and provides examples of how attackers have used these techniques as well as preventative measures that can be put in place.
Data Security — an Introduction to AWS KMS and HashiCorp Vault
While Vault and KMS share some similarities, for example, they both support encryption, but in general, KMS is more on the app data encryption / infra encryption side, and Vault is more on the secrets management / identity-based access side.
An Introduction to DevSecOps - Tackling Security with DevOps & Why It Accelerates Your SDLC
This article introduces DevSecOps, making security part of the entire software development process. It outlines why having a DevSecops approach not only makes the software more secure but also why it can speed up the development process.
Shift Left - Moving security to the development phase - the case of secrets detection in code repositories
With the expansion of the DevOps and DevSecOps models, the concept of “shift left” in the context of the development lifecycle has become quite popular. This article looks at practical ways organizations implement a Shift Left approach to development.
A Comprehensive Application Security Program - What should you include
Application security, known as AppSec, has become an extremely important part of the security program. This article looks at what makes a mature and comprehensive AppSec program.
GitOps - an extension of DevOps for modern infrastructure management
GitOps is an evolution of infrastructure as code, a framework that can drastically improve deployment speed and developer efficiency. Here we run through exactly what GitOps is and how to practically implement it.
DevSecOps Glossary
A helpful glossary of common terms and definitions used in DevSecOps explained with amusing comics.
Git hooks - pre-commit, post-commit, post-receive
Automated secrets detection in your software development lifecycleDevelop fast, and secure things! Git hooks are extremely useful in the journey to replace as much of the human factor in the process of secure development as possible. In this blog post, I will take the
