Randall Munroe’s XKCD ‘Rock Identification’
via the comic humor & dry wit of Randall Munroe, creator of XKCD
The post Randall Munroe’s XKCD ‘Rock Identification’ appeared first on Security Boulevard.
CISO mind maps are helpful, but they reinforce a tactical view of security. Learn why modern CISOs need a new mental model focused on strategy, value, and board-level impact.
The post CISO Transformation: It’s Time for a New Mental Model first appeared on Identient.
The post CISO Transformation: It’s Time for a New Mental Model appeared first on Security Boulevard.
MFA Fatigue Attacks on the Rise Yet another challenge is undermining the effectiveness of MFA: MFA fatigue attacks. In an MFA fatigue attack (sometimes also referred to as an “MFA bombing” or “push bombing” attack), a hacker who already possesses a valid username and password bombards the rightful user with repeated MFA login approval requests […]
The post Stopping MFA Fatigue Attacks Before They Start: Securing Your Entry Points appeared first on Security Boulevard.
The Growing Cybersecurity Threat in OT Environments As industries undergo digital transformation, the convergence of Information Technology (IT) and Operational Technology (OT) is fundamentally reshaping the landscape of critical infrastructure. This convergence brings notable benefits, including improved productivity, cost savings, and operational efficiencies. However, it also expands the attack surface of OT environments, making them […]
The post Securing OT Environments with Zero Trust: A Joint Approach by ColorTokens and Claroty appeared first on ColorTokens.
The post Securing OT Environments with Zero Trust: A Joint Approach by ColorTokens and Claroty appeared first on Security Boulevard.
Author/Presenter: Jason Fredrickson
Our sincere appreciation to BSidesLV, and to the Presenters/Authors, for publishing their erudite Security BSidesLV24 content. Originating from the conference’s events located at the Tuscany Suites & Casino, and via the organization’s YouTube channel.
The post BSidesLV24 – HireGround – Behavioral Interviewee-ing: Inverting the Corporate Interview to Get You Hired appeared first on Security Boulevard.
Bad Apple: Chinese firm banned by the U.S. is the shady entity behind a clutch of free VPN apps—with over a million downloads.
The post App Stores OK’ed VPNs Run by China PLA appeared first on Security Boulevard.
If your organization uses GitLab for managing your software development lifecycle, you must ensure you’re not misconfiguring the permissions of this open source DevSecOps platform. Doing so can expose your source code, along with sensitive data, while creating security risks. In this blog, we’ll explain how new Tenable plugins can help you keep your GitLab environment secure.
GitLab is one of the most popular source code management (SCM) and continuous integration and delivery/development (CI/CD) open-source solutions. Enterprise developers leverage GitLab to build their organizations’ web applications and automate their deployment. GitLab is available as both a SaaS application and an on-premises solution.
GitLab permissions model overview
GitLab’s structure is organized into these key components:
GitLab offers administrators the ability to define their access control policy on the different components according to their business needs. This includes:
Use cases for the different types of visibility vary depending on the organization’s business needs. For example, if an organization is hosting an open-source project on a GitLab instance, it would make sense for administrators to set the visibility option for the project or the group to public. On the other hand, an administrator would most likely choose the private or internal options for a GitLab instance dedicated to an internal project.
Identifying permissions blindspots
We recently developed new Tenable Web Application Scanning plugins for GitLab, designed to alert our customers about overpermissive visibility levels. While conducting our research, we identified a number of permission blindspots in GitLab that guided the development of our plugins.
Limited visibility controls over personal namespaces
First, we realized that GitLab administrators who want to restrict visibility levels for their groups, projects and snippets can only do so in certain scenarios.
In some cases, administrators can restrict visibility levels only for organization-level groups and for inherited objects. However, they can’t restrict visibility levels for personal namespaces.
According to GitLab’s documentation, the visibility restriction setting “does not apply to groups and projects created under a personal namespace” although there is a feature request to extend this functionality to enterprise users.
GitLab’s documentation provides a workaround for administrators to disable the creation of personal namespaces. However, the workaround’s functionality is limited.
Permission blindspots via GitLab’s GraphQL API: Groups, topics, snippets
Second, we identified that third-party tools for detecting excessive GitLab permissions rely mainly on the GitLab REST API. But GitLab also offers a GraphQL API, which provides a more flexible and efficient way to query data. Thus, we decided to see if we could use it for our detections.
GitLab instances expose a GraphQL Explorer interface on the https://GITLAB/-/graphql-explorer URL. Although this web interface slightly increases the GitLab attack surface, it doesn’t pose an immediate security risk because its role is mainly to offer a convenient way to send requests to the GitLab GraphQL API. If you’re not an authenticated user of the target GitLab instance, the requests will only allow retrieval of publicly available data.
Access to public groups
Let’s look at the type of public data you’re able to access via this method, starting with the following query to retrieve the public groups on a target instance:
Requesting public groups through the GraphQL API
Public groups fetched through the GraphQL API
The response returns all the public groups along with their webUrl, which allows an unauthenticated user to visit those URLs directly.
Access to public projects and their source code
With the URLs that were returned, an unauthenticated user can now follow the same operation to see the public projects and access their source code:
Requesting public projects through the GraphQL API
Public projects fetched through the GraphQL API
Access to project topics
An unauthenticated user also can retrieve information about project topics by specifying the title and description fields in the GraphQL query:
Requesting public topics through the GraphQL API
Public topics fetched through the GraphQL API
Access to public code snippets
We also observed that the code snippets feature can be public depending on the hosting type and the license level, and administrators can’t change the visibility level to private or internal, as described in this official issue. The code snippets feature allows users to store pieces of code on the GitLab instance without adding them to a project repository.
That said, we noticed a difference in behaviour between the GitLab REST and GraphQL APIs: an unauthenticated user can retrieve the list of public snippets through the GraphQL API, but not through the REST API.
If you try to use the GitLab REST API to request the list of all public snippets without authentication through the https://GITLAB//api/v4/snippets/public URL, you’ll get a 401 error:
{"message":"401 Unauthorized"}
By trying to access the public snippets through either the https://GITLAB/explore/snippet or https://GITLAB/-/snippets URLs, the unauthenticated user will be redirected to the sign_in page. However, by using the GraphQL API, an unauthenticated user will be able to get the entire list of public snippets and browse their source code:
Requesting public snippets through the GraphQL API
Public snippets fetched through the GraphQL API
Depending on the content of the public code snippet shared by the GitLab users, this could potentially expose sensitive source code to unauthorized users.
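The four GraphQL lookups described above (groups, projects, topics and snippets) can be turned into a single self-audit that an administrator runs anonymously against their own instance, so the result reflects exactly what the rest of the world can see. The script below is an added example and is not Tenable’s plugin code or GitLab’s own tooling. It assumes the GraphQL endpoint is at /api/graphql (GitLab’s documented location) and that the schema exposes the name, title, description, webUrl and visibility fields used here; confirm them in your instance’s graphql-explorer before relying on them. The sample response embedded for the offline run is constructed, not captured from a real instance.

```python
"""Anonymous self-audit of world-visible GitLab objects via the GraphQL API.

Added example, not Tenable's plugin code. Assumptions: the endpoint is
<base>/api/graphql and the schema carries the fields listed in QUERIES
(check them in https://GITLAB/-/graphql-explorer for your version).
"""
import json
import sys
import urllib.request

# One query per object type the article discusses. Topics have no
# visibility field, so anything returned for them counts as exposed.
QUERIES = {
    "groups":   "{ groups { nodes { name webUrl visibility } } }",
    "projects": "{ projects { nodes { name webUrl visibility } } }",
    "topics":   "{ topics { nodes { title description } } }",
    "snippets": "{ snippets { nodes { title webUrl visibility } } }",
}


def fetch(base_url, query, timeout=15):
    """POST one GraphQL query with no credentials and return the JSON body."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/graphql",
        data=json.dumps({"query": query}).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def world_visible(kind, body):
    """Reduce one response to the nodes an anonymous caller can see.

    Only nodes whose visibility is "public" are kept, so a response taken
    from an authenticated session (which also returns internal/private
    objects) is not misread as exposure. Returns (label, url/description).
    """
    nodes = (body.get("data") or {}).get(kind, {}).get("nodes") or []
    if kind == "topics":
        return [(n.get("title"), n.get("description")) for n in nodes]
    return [
        (n.get("name") or n.get("title"), n.get("webUrl"))
        for n in nodes
        if str(n.get("visibility", "")).lower() == "public"
    ]


def audit(base_url):
    """Run every query and return {kind: [(label, extra), ...]}."""
    return {k: world_visible(k, fetch(base_url, q)) for k, q in QUERIES.items()}


# Constructed sample response (not from a real instance) for offline use.
SAMPLE_GROUPS = {"data": {"groups": {"nodes": [
    {"name": "platform", "webUrl": "https://gitlab.example.com/groups/platform",
     "visibility": "public"},
    {"name": "finance", "webUrl": "https://gitlab.example.com/groups/finance",
     "visibility": "internal"},
]}}}


def demo():
    """Offline check that the filter keeps only the public group."""
    return world_visible("groups", SAMPLE_GROUPS)


if __name__ == "__main__":
    # usage: python gitlab_public_audit.py https://gitlab.example.com
    if len(sys.argv) < 2:
        print("offline demo:", demo())
        sys.exit(0)
    for kind, items in audit(sys.argv[1]).items():
        print(f"{kind}: {len(items)} world-visible")
        for label, extra in items:
            print(f"  {label}  {extra}")
```

Because the run is unauthenticated, a non-empty list for any kind is, by construction, data that any visitor on the internet can read; the snippets list in particular is the one the REST endpoint refuses with a 401, so this is the place to look when a REST-only scanner reports nothing.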
Understand what “public” visibility means on GitLab
Note that unauthenticated users would be able to access GitLab APIs most of the time even in cases where single sign-on (SSO) authentication is enforced, which can help attackers gain access to the exposed data.
Using this method, we found many instances where unauthenticated users would be able to access publicly-available data from GitLab projects. We believe the reason for this is that many GitLab users probably assume incorrectly that the public visibility option restricts viewers to users within their organization. In fact, this option gives visibility to everyone in the world.
In addition, the GitLab platform currently offers administrators a way to set the default visibility for code snippets and enforce access-control over them. However, this feature is not available to all users and depends on customers’ hosting mode and the license level.
This highlights the need for organizations to fully understand the permissions model of the third-party tools they use, and to proactively add controls when possible. To ensure proper implementation of any third-party tool or service, you should carefully review the product documentation to prevent security issues such as data exposure.
How Tenable Can Help
Our new plugins for GitLab help customers set up additional controls and monitor the potential misconfigurations discussed above:
The post How To Harden GitLab Permissions with Tenable appeared first on Security Boulevard.
Breaking down why traditional defense-in-depth strategies fail and what security teams must do to truly outsmart attackers.
The post Defense in Depth is Broken – It’s Time to Rethink Cybersecurity appeared first on Security Boulevard.
Smishing has evolved dramatically in recent years, with increased attack frequency and a much higher quality of the fraudulent landing pages.
The post The Evolution of Smishing: 3 Ways to Detect and Prevent Attacks appeared first on Security Boulevard.
NSFOCUS understands that Security Operations teams face increasing threats to their web applications, and that workloads are rising accordingly; a simple yet easy-to-use WAF has become more important than ever for effective Security Operations. The upcoming NSFOCUS Web Application Firewall (WAF) V6.0R09F00 (hereafter called 6090) not only comprehensively reconstructs the architecture but also […]
The post New UI for NSFOCUS WAF V6.0R09F00 – Experience a Smoother Site Management appeared first on NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks.
The post New UI for NSFOCUS WAF V6.0R09F00 – Experience a Smoother Site Management appeared first on Security Boulevard.
See how a SafeBreach Labs researcher discovered a bypass for a fix to a critical vulnerability they previously reported in Google’s Quick Share data transfer utility.
The post An Update on QuickShell: Sharing Is Caring about an RCE Attack Chain on Quick Share appeared first on SafeBreach.
The post An Update on QuickShell: Sharing Is Caring about an RCE Attack Chain on Quick Share appeared first on Security Boulevard.
Password spraying attacks are becoming a serious threat, especially targeting Active Directory environments. These attacks enable attackers to exploit weak passwords and gain unauthorised access by applying login attempts across multiple accounts, making them difficult to detect. They also bypass account lockout mechanisms, causing significant risk to organisations. In this blog, we will detail how […]
The post How to defend against a password spraying attack? appeared first on Security Boulevard.
Kerberoasting attack targets the Active Directory environment to enable attackers to extract and crack service account credentials. Threat actors can gain elevated privileges by exploiting weak password policies and misconfiguration, which further results in lateral movement and deeper network compromise. In this article, we will learn about the harm that Kerberoasting causes, also its impact […]
The post How to Prevent Kerberoasting Attacks? appeared first on Security Boulevard.
The history of penetration testing begins with military strategies used to test enemy defenses. Over time, this evolved into a formal practice for identifying vulnerabilities in computer systems. This article traces the brief history of penetration testing, from its early conceptual roots in military exercises, through the rise of ‘Tiger Teams’ in the 1970s, […]
The post Evolution and Growth: The History of Penetration Testing appeared first on Security Boulevard.
Why is Proactive NHI Management Essential to Prevent Breaches? One might often ponder, how can organizations significantly strengthen their cybersecurity postures? The answer lies in the proactive management of Non Human Identities (NHIs) to prevent breaches. This strategic approach in NHI management serves as a robust framework for organizations to safeguard their sensitive data and […]
The post Proactively Managing NHIs to Prevent Breaches appeared first on Entro.
The post Proactively Managing NHIs to Prevent Breaches appeared first on Security Boulevard.
Are Your Secrets Safe? Think Again! Data breaches and cybercrimes are major concerns. It’s an unfortunate reality that security breaches have become increasingly common. You might think your organization’s secrets are well-guarded, but are you confident they won’t fall into the wrong hands? Non-Human Identities (NHIs) and their Secrets Security Management have proven vital for […]
The post Empower Your Team with Efficient Secrets Rotation appeared first on Entro.
The post Empower Your Team with Efficient Secrets Rotation appeared first on Security Boulevard.
Are You Effectively Securing Your Cloud Deployments? Organizations rely heavily on cloud technology for their daily operations. However, the rising tide of cyber threats poses enormous challenges for businesses to keep their cloud deployments safe. According to a DefenseScoop report, a robust and secure cloud is instrumental to organizational mission success. Leveraging Non-Human Identities (NHIs) […]
The post Keeping Your Cloud Deployments Safe and Sound appeared first on Entro.
The post Keeping Your Cloud Deployments Safe and Sound appeared first on Security Boulevard.
Why is Securing Secrets and NHIs Necessary for Your Peace of Mind? Managing cybersecurity is a critical part of modern business operations, considering the growing threat. But did you know that one of the most overlooked aspects of cybersecurity is the management of Non-Human Identities (NHIs) and secrets? For adequate control over cloud security, organizations must […]
The post Secure Secrets Setup: Sleep Soundly at Night appeared first on Entro.
The post Secure Secrets Setup: Sleep Soundly at Night appeared first on Security Boulevard.
The post Eclypsium @ RSAC 2025 appeared first on Eclypsium | Supply Chain Security for the Modern Enterprise.
The post Eclypsium @ RSAC 2025 appeared first on Security Boulevard.
The post Key Insights: Is Vulnerability Management at Its Breaking Point? appeared first on AI Security Automation.
The post Key Insights: Is Vulnerability Management at Its Breaking Point? appeared first on Security Boulevard.