(www.praetorian.com)

297 points cyberbender | 1 comments | 30 Mar 25 19:54 UTC | HN request time: 0s | source

Show context

junto ◴[30 Mar 25 21:13 UTC] No.43527708[source]▶

>>43527044 (OP) #

They weren’t kidding on the response time. Very impressive from GitHub.

replies(1): >>43527835 #

belter ◴[30 Mar 25 21:28 UTC] No.43527835[source]▶

>>43527708 #

Not very impressive to have an exposed public token with full write credentials...

replies(2): >>43527843 #>>43528012 #

toomuchtodo ◴[30 Mar 25 21:52 UTC] No.43528012[source]▶

>>43527835 #

Perfect security does not exist. Their security system (people, tech) operated as expected with an impressive response time. Room for improvement, certainly, but there always is.

Edit: Success is not the absence of vulnerability, but introduction, detection, and response trends.

(Github enterprise comes out of my budget and I am responsible for appsec training and code IR, thoughts and opinions always my own)

replies(3): >>43528509 #>>43528711 #>>43528803 #

koolba ◴[30 Mar 25 22:47 UTC] No.43528509{3}[source]▶

>>43528012 #

> Success is not the absence of vulnerability, but introduction, detection, and response trends.

Don’t forget limitation of blast radius.

When shit hits the proverbial fan, it’s helpful to limit the size of the room.

replies(1): >>43528615 #

1. toomuchtodo ◴[30 Mar 25 22:58 UTC] No.43528615{4}[source]▶

>>43528509 #

Yeah, I agree compartmentalization, least privilege, and sound architecture decisions are a component of reducing the pain when you get popped. It’s never if, just when.

↑

Public secrets exposure leads to supply chain attack on GitHub CodeQL