UpGuard Blog

Securing GitHub Permissions with UpGuard

GitHub is a popular online code repository used by over 26 million people across the world for personal and enterprise uses. GitHub offers a way for people to collaborate on a distributed code base with powerful versioning, merging, and branching features. GitHub has become a common way to outsource the logistics of managing a code base repository so that teams can focus on the coding itself.

But as GitHub has become a de facto standard, even among software companies, it has also become a vector for data breaches— the code stored on GitHub ranges from simple student tests to proprietary corporate software worth millions of dollars. Like any server, network device, database, or other digital surface, GitHub suffers from misconfiguration.

Filed under: security, Validation, github

What Constitutes a Company's Web Presence?

Introduction

The Internet Footprint

There is much more to a company’s internet presence than just a website. Even a single website has multiple facets that operate under the surface to provide the functionality users have become accustomed to. The internet footprint for every company comprises all of their websites, registered domains, servers, IP addresses, APIs, DNS records, certificates, vendors, and other third parties-- anything that is accessible from the internet. The larger the footprint, the more digital surfaces it contains, the more complex are its inner workings, and the more resources it requires to maintain. Because although having an internet presence is basically a given these days, the risk incurred by that presence is not always acknowledged.

Filed under: cyber risk, third-party vendor risk, vendor risk

Security Ratings Explained

The Problem of Digitization

The digitization of business has increased the speed of commerce, the scope of customers, the understanding of consumer habits, and the efficiency of operations across the board. It has also increased the risk surface of business, creating new dangers and obstacles for the business itself, not just its technology. This risk is compounded by the interrelations of digital businesses as data handling and technological infrastructure is outsourced, as each third party becomes a vector for breach or exposure for the primary company. The technical nature of this risk makes it inaccessible to those without advanced skills and knowledge, leaving organizations without visibility into an extremely valuable and critical part of the business.

Filed under: cyber risk, cybersecurity, third-party vendor risk, security ratings, vendor risk

Resilience in the Age of Automated Hacking

When we think about cyber attacks, we usually think about the malicious actors behind the attacks, the people who profit or gain from exploiting digital vulnerabilities and trafficking sensitive data. In doing so, we can make the mistake of ascribing the same humanity to their methods, thinking of people sitting in front of laptops, typing code into a terminal window. But the reality is both more banal and more dangerous: just like businesses, governments, and other organizations have begun to index data and automate processes, the means of finding and exploiting internet-connected systems are largely performed by computers. There’s no security in obscurity if there’s no obscurity.

Filed under: automation, hack, cyber resilience

What are Security Ratings?

Security ratings are like credit ratings, but for the assessment of a company’s web-facing applications. Where a credit rating lets a company determine the risk of lending to a prospective debtor, a security rating lets it decide how risky it will be to deal with another in handling data. The comparison even flattens out when we remember one of the key principles ofcyber resilience: that cyber risk “is actually business risk, and always has been.”

Filed under: CSTAR, cyber risk, third-party vendor risk, security ratings

UpGuard CyberRisk and Fair and Accurate Security Ratings Principles

In June of 2017 the U.S. Chamber of Commerce posted the “Principles for Fair and Accurate Security Ratings,” a document supported by a number of organizations interested in the emerging market for measuring cyber risk. The principles provide a starting point for understanding the current state of security ratings and for establishing a shared baseline for assessing vendors in that market.

Filed under: CSTAR, cybersecurity, cyber resilience, security ratings, vendor risk, cyberrisk

Infrastructure Indexing: or, Why Server Headers Matter More than Ever

When we think about cyber attacks, we usually think about the malicious actors behind the attacks, the people who profit or gain from exploiting digital vulnerabilities and trafficking sensitive data. In doing so, we can make the mistake of ascribing the same humanity to their methods, thinking of people sitting in front of laptops, typing code into a terminal window. But the reality is both more banal and more dangerous: just like businesses, governments, and other organizations have begun to index data and automate processes, the means of finding and exploiting internet-connected systems are largely performed by computers. There’s no security in obscurity if there’s no obscurity.

Filed under: cyber risk, cyber resilience, server headers, indexing

Caught In The AWS Tarpit

Guest post by UpGuard engineer Nickolas Littau

While running a series of unit tests that make API calls to Amazon Web Services (AWS), I noticed something strange: tests were failing unpredictably. Sometimes all the tests would pass, then on the next run, a few would fail, and the time after that, a different set would fail.

The errors I was getting didn’t seem to make any sense:

Filed under: AWS, ruby, engineering

Cyber Resilience: What It Is and Why You Need It

 

The way businesses handle the risks posed by their technology is changing. As with anything, adaptability is survivability. When the techniques, methods, and philosophies of the past aren’t working, the time has come to find something better to replace them. Cyber resilience is a set of practices and perspectives that mitigate risk within the processes and workflow of normal operations in order to protect organizations from their own technology and the people who would try to exploit it. This includes all forms of cyber attacks, but also applies to process errors inside the business that put data and assets in danger without outside help.

Filed under: devops, cyber risk, cyber resilience, devsecops

How to Build a Sustainable Digital Business in the Cloud

Technology and Information

How much digital technology is required for your business to operate? Unless this document has traveled back in time, the chances are quite a lot. Now consider how much digital technology your vendors require to operate. The scope of technology grows quickly when you consider how vast the interconnected ecosystem of digital business really is. But digital business isn’t just about technology, it’s about information. For many companies, the information they handle is just as critical as the systems that process it, if not more so.

Filed under: cloud, cyber risk, digital resilience, misconfiguration, cyber resilience