GitHub has announced improvements to its secret scanning feature that extends validity checks to popular services like Amazon Web Services (AWS), Microsoft, Google, and Slack.
The validity check, launched by the Microsoft subsidiary earlier this year, alerts users whether exposed tokens found by secret scanning are active, allowing for effective remediation measures. It was first enabled for GitHub tokens.
The cloud-based code hosting and version control service said it intends to support more tokens in the future.
To toggle the setting, enterprise or organization owners and repository administrators can head to Settings > Code security and analysis > Secret scanning and check the option “Automatically verify if a secret is valid by sending it to the relevant partner.”
Earlier this year, GitHub also expanded secret scanning alerts for all public repositories and announced the availability of push protection to help developers and maintainers proactively secure their code by scanning for highly identifiable secrets before they are pushed.
The development comes as Amazon previewed enhanced account security requirements that will require privileged users (aka root users) of an AWS organization account to switch to multi-factor authentication (MFA) starting in mid-2024.
“MFA is one of the simplest and most effective ways to increase account security,” said Steve Schmidt, chief security officer at Amazon, “adding an additional layer of security to help prevent unauthorized individuals from gaining access to systems or data.”
Weak or misconfigured MFA methods also ranked among the top 10 most common network misconfigurations, according to a new joint advisory issued by the US National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA).
“Some forms of MFA are vulnerable to phishing, ‘push bombing’, exploitation of Signaling System 7 (SS7) protocol vulnerabilities, and/or ‘SIM swap’ techniques,” the agencies said.
“If these efforts are successful, it could allow the threat actor to gain access to MFA authentication credentials or bypass MFA and access MFA-protected systems.”
Other common cyber security misconfigurations are:
- Default configuration of software and applications
- Improper separation of user/administrator privileges
- Inadequate internal network monitoring
- Lack of network segmentation
- Poor patch management
- Bypass of system access controls
- Inadequate access control lists (ACLs) on network shares and services
- Poor credential hygiene
- Unrestricted code execution
As mitigations, organizations are recommended to remove default credentials and harden configurations, disable unused services and enforce access controls, prioritize patching, and audit and monitor administrative accounts and privileges.
Software vendors have also been urged to implement secure by design principles, use memory-safe programming languages where possible, avoid embedding default passwords, provide high-quality audit logs to customers at no extra charge, and mandate phishing-resistant MFA methods.
“These misconfigurations illustrate (1) a trend of systemic weaknesses in many large organizations, including those with mature cyber postures, and (2) the importance of software manufacturers embracing secure-by-design principles to reduce the burden on network defenders,” the agencies noted.