Name: GitHub Actions Exposed: Securing Critical Code Automation that Runs Your Software Factory
Start: 2024-09-06T01:18:00Z
End: 2024-09-06T01:18:55.000Z
Location: BrightTALK
Rating: 4

Legit is a new way to manage your application security posture for security, product and compliance teams. With Legit, enterprises get a cleaner, easier way to manage and scale application security and address risks from code to cloud. Built for the modern SDLC, Legit tackles the toughest problems facing security teams, including GenAI usage, proliferation of secrets and an uncontrolled dev environment. Fast to implement and easy to use, Legit lets security teams protect their software factory from end to end, gives developers guardrails that let them do their best work safely, and proves the success of the security program. This new approach means teams can control risk across the business – and prove it.

Secrets are a serious and prevalent security risk, but most secrets scanning tools don’t get the job done. Instead of making life easier for security, most tools dump piles of false positives or fail to address secrets beyond source code. 

Watch this demo with Liam McCamley, Senior Solutions Architect at Legit Security. Get a first-hand look how Legit enables you to: 

- Find secrets exposure across your SDLC – from Git history to build logs and shared workspaces – not just in source code.
- Spend less time struggling with false positives thanks to AI-powered, accurate results. 
- Continually scan for secrets. 
- Remediate and prevent secrets exposure automatically. 
- Scale to support the largest and most complex development organizations.

Demo: Finding Secrets Beyond Source Code

What risks are new Legit customers surprised to find lurking in their SDLCs?

 In this webinar, we’ll share the top unknown SDLC risks we uncover, and offer practical tips and advice on keeping them out of your SDLC.
Legit Senior Technical Account Manager Amanda Alvarez, a former DevSecOps engineer will walk attendees through the following common SDLC risks:

- Exposed secrets
- Unknown build assets
- Misconfiguration of build assets
- Developer permissions sprawl
- Missing AI guardrails
- IaC misconfigurations

She will also share detailed steps you can implement to prevent these vulnerabilities from creating risk in your SDLC.

The Top 6 Unknown SDLC Risks Legit Uncovers

Secrets are leaking everywhere from the developer environment today. Sensitive, business-critical secrets, cloud  keys, API tokens, PII, and more are routinely hardcoded into source code, stored in logs in plaintext, and reused and reshared across cloud services, productivity tools, and messaging apps. But even as threat actors shift left to take advantage of sprawling secrets estates, the longstanding, open-source scanners that many security teams rely on to find and secure their secrets first, before the adversary, are instead falling farther behind. 

Watch this webinar led by Liav Caspi, Co-Founder and CTO of Legit Security, where he explores what modern secrets scanning looks like today, and how to easily evolve any program beyond conventional detection techniques. using expanded visibility, automation, AI, and other cutting-edge techniques to our security advantage.  

Key takeaways:

- Discover why secrets have become the top initial attack vector for threat actors.
- Learn how conventional, open-source based tools leave major blind spots.
- Explore the advantages of a modern secrets scanner, and how to find and secure secrets at scale.
- Implement proactive measures to prevent future secret leaks and remediate existing ones.

The Open-Source Trap: How Legacy Secrets Scanners Fail Against Modern Threats

To deliver secure software development today, DevSecOps must be faster, more integrated, and more dynamic than ever before. But with increasing environment complexity, the rise of generative AI, and a host of novel threats targeting developer pipelines and services, traditional AppSec strategies no longer cut it. 

Watch this webinar with Joe Nicastro, Legit Security Field CTO, on “Innovating in AppSec: How to Take Back Control of Your SDLC with ASPM,” where we delve into cutting-edge strategies to implement a holistic approach to application security posture management (ASPM). 

Key takeaways: 
- Be aware that modern threats hide in the shadows of siloed services, tools, and pipelines. 
- Harden your build systems like run-time applications. 
- Build end-to-end visibility using your existing AppSec tools, from development to runtime. 
- Apply easy, practical next steps to move to ASPM and take control of your SDLC.

Innovating in Software Security: How to Take Back Control of Your SDLC with ASPM

In today's rapidly evolving tech landscape, development environments have become increasingly intricate, presenting new challenges for application and software security. As attackers shift their focus from traditional application targets to exploiting vulnerabilities within software supply chains, the stakes have never been higher.
 
Join us for an insightful Fireside Chat on this topic at the 2024 Black Hat Summit, as Enterprise Strategy Group's Melinda Marks, Practice Director of Application & Cloud Security and Legit Security Field CTO, Joe Nicastro, dive into the complexities of modern development pipelines, explore the emerging threats, and discuss strategies to safeguard your software supply chains from potential catastrophes.
 
Watch the session live or register for the on-demand recording to access Nicastro’s and Enterprise Strategy Group’s insight and best practices for improving:

• Software supply chain, visibility, and security
• Application security posture management (ASPM)
• And more

Proven Strategies to Safeguard Software Supply Chains from Catastrophe

GenAI is revolutionizing industries by creating innovative solutions that transform how we interact with technology. However, as with any powerful tool, GenAI introduces unique risks and vulnerabilities that need robust security measures.

Join us for an insightful webinar where John Tierney, Field CTO at Legit Security, will delve into the intricacies of securing Generative AI. This session will provide critical insights into the market importance of GenAI, practical use cases, inherent risks, and strategies to safeguard your AI initiatives.

Securing Generative AI & Preventing Vulnerabilities with Legit Security

Application Security Posture Management (ASPM) is here to revolutionize AppSec for greater efficiency and effectiveness, and in its latest Innovation Insights report, Gartner predicts that over 40% of organizations will adopt ASPM by 2026.  

ASPM promises to solve issues organizations have been experiencing first-hand – a lack of visibility into complex developer environments, siloed security responsibilities across multiple teams and lack of context into security issues. All of this results in a strain on traditional AppSec tools and an inability to effectively assess and respond to risks.

As pioneers of ASPM, we’re excited to share how you can reap immediate benefits in your organization today. Join our session as we share what ASPM is and how it can help you:    

- Eliminate inefficient security silos and boost team productivity 
- Automate security controls so you can do more with less 
- Improve prioritization on critical business risks to improve effectiveness 
- Transform your SDLC into a secure-SDLC, drive secure development practices, hygiene and prevent supply chain attacks.

Application Security Posture Management: The New AppSec Revolution

The SolarWinds attack in December 2020 put software supply chain security on the radar of many organizations, and new threats have been rapidly multiplying ever since. But surveys show that 71% of security professionals have misconceptions about what effective software supply chain security entails and have yet to fully adopt a modern approach to securing it despite evidence that traditional AppSec tools and methodologies are no longer sufficient.

Join Liav Caspi (CTO at Legit Security) and John Tierney (Field CTO at Legit Security) as they reveal the 3 most common software supply chain security pitfalls and how to avoid them so you can:

- Protect your business beyond 3rd-party and open-source dependencies
- Prevent malicious injections into source code and development pipeline
- Secure build systems as robustly as production system
- Avoid attacks by taking a holistic approach to software supply chain security.

3 Software Supply Chain Security Pitfalls and How to Avoid Them

Did you know that once a secret makes it into a Git commit history, it stays there forever and can be left undiscovered for months or years? Recent attacks like Uber and Toyota underscore the risks. Once hackers gain access to critical systems via an exposed secret, they can move laterally across an organization to orchestrate dangerous supply chain attacks.

Join us as we walk through the problem of secrets in the modern development environment and what it takes to detect and prevent secrets in even the most complex organizations. You will learn:

- How to detect different types of secrets across your entire SDLC, not just in source code, but also pipelines and even Confluence.
- Best practices for preventing secrets from being inadvertently pushed to production.
- The value of prioritization and context when it comes to secret scanning, and how this can help you remediate faster.
- How innovative tools like AI can reduce the noise and false positives associated with secrets scanning.

Why Coverage Throughout the SDLC is Critical to Your Security Posture

CISOs, AppSec, and DevSecOps teams realize they need to step-up software supply chain security with increased attacks and regulations as drivers. Security teams can accelerate their program maturity with the help of new tools and processes provided they are easy to implement and supercharge productivity. Modern security solutions also need to keep pace with the speed of their development team’s software releases, while effectively protecting the business from software supply chain attacks.  

Join Ricardo Lafosse, CISO of Kraft Heinz for a conversation on how his team adopted a modern software supply chain security approach that:

- Hardened SDLC systems and continually provides real-time visibility across their SDLC
- Gained quick adoption by the cross-functional teams that operationalize their use
- Accelerated the maturity of their overall application security program

Fortune 500 CISO Insights: Our Fast Track to Software Supply Chain Security

We have seen numerous headlines about the damage caused by hardcoding secrets in code. To combat this pervasive risk, security teams are turning to code scanners that look for secrets but soon realize that their visibility into all the places hardcoded secrets can be lurking is incomplete and outdated.   

Join us as we discuss practical methods you can use to prevent software supply chain attacks and reduce the damage caused by hardcoded secrets. In this webinar, you will learn:

- New techniques attackers are using to harvest your hardcoded secrets
- Why accurate visibility into your development pipelines, beyond just source code, is paramount to the success of secret scanning programs
- How to scale secret scanning initiatives to effectively support thousands of developers

Finding Dangerous Hardcoded Secrets You Didn’t Know Existed in Your SDLC

One of the most alarming types of software supply chain attacks is malicious source code modification that stays hidden as it progresses downstream in the development pipeline to create a backdoor for future malicious activities. Despite this common attack objective, the specific techniques bad actors use to access, submit, and/or modify source code varies, requiring AppSec and DevSecOps teams to address a wide range of risk mitigation measures to protect their businesses.

In this webinar, you will learn the latest best practices to:

- Prevent malicious source code modification by external and internal threats
- Stop maliciously modified source code from causing further downstream damage in your development pipelines 
- Protect popular source code management (SCM) systems like GitHub, GitLab and BitBucket

5 Best Practices to Stop Malicious Submissions in Your Development Pipeline

GitHub Actions can quickly hand attackers the keys to your company’s most critical code infrastructure — without the right controls and protections in place, the implications are more severe than you may know. 

The Legit research team recently analyzed more than 2.5 million GitHub Actions workflow files belonging to over 553,000 organizations and personal users. The team found that most GitHub Actions workflows are insecure in some way; they’re overly privileged, contain risky dependencies and misconfigurations, etc. 

Join this webinar to understand: 

- Key findings and consequences of our research into GitHub Actions security
- How GitHub Actions workflows are exploited in the wild
- Practical steps to harden your CI/CD pipelines and workflows and mitigate the risks lurking in your GitHub Actions activity

GitHub Actions Exposed: Securing Critical Code Automation that Runs Your Software Factory

github

ci/cd

Mitigation

Risk Assessment

Infrastructure

Infrastructure Management

Security

DevSecOps

Cyber Security

The IT security community on BrightTALK is composed of more than 200,000 IT security professionals trading relevant information on software assurance, network security and mobile security. Join the conversation by watching on-demand and live information security webinars and asking questions of experts and industry leaders.

IT Security

As an IT professional, many of the problems you face are multifaceted, complex and don’t lend themselves to simple solutions. The information technology community features useful and free information technology resources. Join to browse thousands of videos and webinars on ITIL best practices, IT security strategy and more presented by leading CTOs, CIOs and other technology experts.

GitHub Actions Exposed: Securing Critical Code Automation that Runs Your Software Factory

Presented by

About this talk

More from this channel