Kubiya.ai announces the launch of its DevOps Digital Agents.
Recently, Nissan North America confirmed a data breach at a third-party service provider. Details of the breach were highlighted in a notification that was filed with the Office of the Maine Attorney General on January 16, 2023. Here's what was learned from the report:
■ A software development vendor alerted Nissan of the breach in June 2022.
■ Nissan provided the vendor with customer data, which it used to develop and test software solutions.
■ The data was inadvertently exposed due to a poorly configured cloud-based public repository.
■ The breach impacted close to 18,000 customers.
As for the automobile giant's response, Nissan acted quickly, securing the exposed repository and launching an internal investigation. Through this review, Nissan determined the incident was most likely the result of an unauthorized person accessing the data, which includes full names, dates of birth, and Nissan account numbers. The company's investigation also found no evidence that credit card information or Social Security numbers were exposed, or that this information had been misused.
While the latter point is good news, there are still lessons to be learned from this incident. The first, is the importance of securing repository access such as GitHub, GitLab, Bitbucket, and more. Nissan is not alone. There are many other repository-related incidents like this. One example is the breach of Slack's GitHub repositories. After conducting its investigation, Slack tied the breach to stolen Slack employee tokens, which were then used to download private Slack code repositories.
In most cases, the issue comes down to a simple directive — businesses must take all the necessary actions to ensure that private repositories used for developing and testing remain private. I'm not saying they cannot utilize open repositories. Those are great for things such as sharing back to the community. For businesses with both, the onus is on security teams to regularly monitor and evaluate these repositories and identify those that are open and who should have access. When changes in the visibility of a repository occur, they must be alerted, logged, and evaluated by the security team.
A second lesson learned involves the use of real customer data for development and testing purposes. There is always a risk when introducing customer data into a sandbox, especially where the focus is building and testing, that security takes a backseat. This is precisely why introducing customer data is extremely dangerous.
From my experience, the main reason that businesses don't prioritize security in these environments is simple — they don't believe it's as important to secure and maintain the same levels of good configuration hygiene in test environments as in a production environment. Instead, they apply minimum security and safeguards, a practice that prevails despite the growing number of incidents where real data is leaked.
To stop the bleeding, remove real data from the sandbox and use synthetic data. Since sandboxes are typically used to test changes in configurations, processes, flows and more, they do not require real data. Any data that uses the same format is sufficient.
A failure to take these steps into account open businesses to a breach, the impact of which can be significant. In the case of Nissan, consumer confidence can soften after sensitive customer data is stolen. For affected customers, Nissan is providing free one-year identity protection services from Experian. But breaches like this can have long-term impacts on the brand. Nissan had to go public by sending out notifications and reporting them to the Office of the Maine Attorney General.
While awareness of these attacks continues to grow, there is little chance that incidents will abate unless organizations take action. Start by securing repositories and making sure that those which need to remain private stay that way. Next, ensure that your teams treat test environments the same as they do production environments when it comes to security. When done correctly, and with the aid of automatic tools, these steps can keep your organization and its customer data secure, while allowing teams to continue playing safely in the sandbox.
Industry News
Aviatrix® introduced Aviatrix Distributed Cloud Firewall for Kubernetes, a distributed cloud networking and network security solution for containerized enterprise applications and workloads.
Stride announces the general availability of Stride Conductor, its new autonomous coding product that transforms the software development landscape.
CircleCI unveiled CircleCI releases, which enables developers to automate the release orchestration process directly from the CircleCI UI.
Fermyon™ Technologies announces Fermyon Platform for Kubernetes, a WebAssembly platform for Kubernetes.
Akuity announced a new offer targeted at Enterprises and businesses where security and compliance are key.
New Relic launched new capabilities for New Relic IAST (Interactive Application Security Testing), including proof-of-exploit reporting for application security testing.
OutSystems announced AI Agent Builder, a new solution in the OutSystems Developer Cloud platform that makes it easy for IT leaders to incorporate generative AI (GenAI) powered applications into their digital transformation strategy, as well as govern the use of AI to ensure standardization and security.
Mirantis announced significant updates to Lens Desktop that makes working with Kubernetes easier by simplifying operations, improving efficiency, and increasing productivity. Lens 2024 Early Access is now available to Lens users.
Codezero announced a $3.5 million seed-funding round led by Ballistic Ventures, the venture capital firm dedicated exclusively to funding entrepreneurs and innovations in cybersecurity.
Prismatic launched a code-native integration building experience.
Check Point® Software Technologies Ltd. announced its Check Point Infinity Platform has been ranked as the #1 Zero Trust Platform in the latest Miercom Zero Trust Platform Assessment.
Tricentis announced the launch and availability of SAP Test Automation by Tricentis as an SAP Solution Extension.
Netlify announced the general availability of the AI-enabled deploy assist.
DataStax announced a new integration with Airbyte that simplifies the process of building production-ready GenAI applications with structured and unstructured data.