
297 points cyberbender | 1 comments
junto No.43527708
They weren’t kidding on the response time. Very impressive from GitHub.
replies(1): >>43527835
belter No.43527835
Not very impressive to have an exposed public token with full write credentials...
replies(2): >>43527843 >>43528012
toomuchtodo No.43528012
Perfect security does not exist. Their security system (people, tech) operated as expected with an impressive response time. Room for improvement, certainly, but there always is.

Edit: Success is not the absence of vulnerability, but introduction, detection, and response trends.

(GitHub Enterprise comes out of my budget and I am responsible for appsec training and code IR, thoughts and opinions always my own)

replies(3): >>43528509 >>43528711 >>43528803
timewizard No.43528711
> Perfect security does not exist.

Having your CI/CD pipeline and your git repository service be so tightly bound creates security implications that do not need to exist.

Further, half the point of physical security is tamper evidence. Something entirely lost here.

replies(1): >>43529074
Aeolun No.43529074
I find that this is always easy to say from the perspective of the security team. Sure, it would be more secure to develop like that, but also tons more painful for both dev and user.
replies(1): >>43532721
timewizard No.43532721
I don't code anymore. I like making devs suffer. And this is all good for the user. ;)