Possible software supply chain attack through AWS CodeBuild service blunted
Briefly

"But," he added, "if people are not diligent, I see how it could be used. It's slick."
"Using public hosted services like GitHub is not appropriate for enterprise code management and deployment," he added.
"Having a private GitLab/GitHub, service, or even your own git repository server, should be the default for business, making this attack impossible if [the threat actors] can't see the repository to begin with. The business should be the one that owns the repository; [it should] not be something you just let your developers set up as needed."
Exposing AWS CodeBuild or other build environments to the public increases the risk of compromise, because the attack depends on threat actors being able to see the repositories those builds pull from. Publicly hosted services such as GitHub are not appropriate for enterprise code management and deployment; a private GitLab or GitHub instance, or a self-hosted git server, should be the default. Enterprises should own and control their code repositories rather than letting developers set them up independently: IT or infosec leaders should provision and manage repositories, and developers should be users of those systems, not their ultimate owners. Putting these safeguards in place for AWS CodeBuild users reduces the likelihood of a successful attack.
Read at InfoWorld