See for yourself – run a scan on your code right now

CircleCI is currently investigating a security incident. We reached out to our customers using CircleCI as their development platform, but thought it important to share this information with the wider community.

Their official announcement can be read here, but the key takeaways are:

  • The incident is currently being investigated, but took place as early as December 21st, 2022.
  • Users should immediately rotate all secrets stored in CircleCI (this could be in project environment variables or in contexts).
  • If your project uses Project API tokens, they have all been invalidated and will need to be replaced.
  • CircleCI published an article to help their users walk through rotating their secrets.

While CircleCI is sharing information on the key compromise, it’s important to understand that a breach is a bit like an iceberg, with only a small portion of the total breach being visible. It’s completely reasonable to assume the attackers have compromised other systems in the network and that CircleCI customer account information (secrets, source code, billing information, etc.) may also have been exposed.

Somewhat ironically, the timing of the breach seems to coincide with the “reliability update” pushed out on December 21st.

One security researcher has posted some of his investigation into related activity in his organization’s environment, including an IP address seen to be making “GetAuthorizationToken” API calls to the “ecr.amazonaws.com” service endpoint in a manner that seemed to indicate an interactive session.

Secrets are something of a necessary evil (a study in 2019 showed thousands of secrets leaked via GitHub projects every day) in development, but you can take steps to mitigate the security issues.

  1. Avoid using the same API keys in both staging and production environments.
  2. Ensure that temporary passwords used during testing do not get pushed to production.
  3. Scan your repositories for secrets (ShiftLeft can help with this) and determine whether any you find are following security best practices. If you do need to use a hard-coded secret, is it reachable by attackers?
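A minimal scanner for steps 1 and 3 above, added here as an example (not ShiftLeft's tooling or code from the CircleCI post): it flags AWS access key IDs and high-entropy credential assignments in a constructed sample repository, and reports any value that appears in more than one file, such as a key shared by staging and production configs. The file names, rules and sample values are all assumptions.

```python
"""Hard-coded-secret scanner. Added example, not ShiftLeft's tooling; every
file name, rule and sample value below is constructed for illustration."""
import math
import re

# Patterns that commonly indicate a committed credential: AWS access key IDs
# have a fixed prefix and length; the generic rule catches assignments such as
# DB_PASSWORD="..." or api_token: '...'.
RULES = {
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "generic_assignment": re.compile(
        r"(?i)(password|passwd|secret|token|api[_-]?key)\s*[:=]\s*['\"]?([^'\"\s]{8,})"
    ),
}

def shannon_entropy(s: str) -> float:
    """Bits per character; random keys score high, words like 'changeme' low."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def scan_text(path: str, text: str, min_entropy: float = 3.0) -> list[dict]:
    """Findings for one file. Generic matches are dropped when the captured
    value is low-entropy, which filters obvious placeholders."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            for m in pattern.finditer(line):
                value = m.group(2) if rule == "generic_assignment" else m.group(0)
                if rule == "generic_assignment" and shannon_entropy(value) < min_entropy:
                    continue
                findings.append({"file": path, "line": lineno, "rule": rule, "value": value})
    return findings

def scan_repo(files: dict[str, str]) -> list[dict]:
    return [f for path, text in files.items() for f in scan_text(path, text)]

def reused_across_files(findings: list[dict]) -> set[str]:
    """Secret values present in more than one file, e.g. one key shared by
    staging and production (mitigation step 1 above)."""
    seen: dict[str, set[str]] = {}
    for f in findings:
        seen.setdefault(f["value"], set()).add(f["file"])
    return {v for v, paths in seen.items() if len(paths) > 1}

# Constructed sample repository; AKIAIOSFODNN7EXAMPLE is the AWS docs placeholder key.
SAMPLE_REPO = {
    "config/staging.env": 'DB_PASSWORD="changeme"\nAWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n',
    "config/production.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "app/settings.py": "API_TOKEN = 'x9Qz7LmT2vB4kR8pW1nH'\n",
    "README.md": "Set API_KEY in a CircleCI context, never in the repo.\n",
}
```

Running `scan_repo(SAMPLE_REPO)` yields three findings (the placeholder password is filtered by entropy), and `reused_across_files` on them reports the key committed to both environment files.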

Our users are of course welcome to reach out to us if they need any help modifying ShiftLeft jobs within their CircleCI environment.

About ShiftLeft

ShiftLeft empowers developers and AppSec teams to dramatically reduce risk by quickly finding and fixing the vulnerabilities most likely to reach their applications and ignoring reported vulnerabilities that pose little risk. Industry-leading accuracy allows developers to focus on security fixes that matter and improve code velocity while enabling AppSec engineers to shift security left.

A unified code security platform, ShiftLeft CORE scans for attack context across custom code, APIs, OSS, containers, internal microservices, and first-party business logic by combining results of the company’s and Intelligent Software Composition Analysis (SCA). Using its unique graph database that combines code attributes and analyzes actual attack paths based on real application architecture, ShiftLeft then provides detailed guidance on risk remediation within existing development workflows and tooling. Teams that use ShiftLeft ship more secure code, faster. Backed by SYN Ventures, Bain Capital Ventures, Blackstone, Mayfield, Thomvest Ventures, and SineWave Ventures, ShiftLeft is based in Santa Clara, California. For information, visit: www.shiftleft.io.
