< ciso
brief />
Tag Banner

All news with #ci cd security tag

49 articles · page 3 of 3

Amazon EC2 M4 Max Mac instances (Preview) for Apple builds

🚀 Amazon Web Services is previewing Amazon EC2 M4 Max Mac instances, powered by the latest Mac Studio hardware to accelerate demanding Apple build and test workflows. These next-generation Mac instances target developers building for iOS, macOS, iPadOS, tvOS, watchOS, visionOS, and Safari. M4 Max offers a 16-core CPU, 40-core GPU, 16-core Neural Engine, and 128 GB unified memory, plus Nitro-based networking and EBS bandwidth to support large-scale CI/CD and testing.
read more →

The CISO’s Paradox: Enabling Innovation While Managing Risk

🔒 Security leaders must shift from gatekeeper to partner, embedding practical risk controls early in product lifecycles so teams can deliver fast without exposing the business. By defining business-language risk tolerances, standardizing identity and logging, and automating guardrails in CI/CD and infrastructure-as-code, governance becomes an accelerator rather than a bottleneck. Pre-vetted, secure-by-default templates, runtime shielding and risk-based telemetry make the secure path easier for developers while preserving production resilience.
read more →

Typosquatted npm Package Targets GitHub Actions Builds

⚠️ A malicious npm package, @acitons/artifact, impersonated the legitimate @actions/artifact module and was uploaded on November 7 to specifically target GitHub Actions CI/CD workflows. It included a post-install hook that executed an obfuscated shell-script named "harness," which fetched a JavaScript payload (verify.js) to detect GitHub runners and exfiltrate build tokens. Using those tokens the attacker could publish artifacts and impersonate GitHub; the package accrued over 260,000 downloads across six versions before detection.
read more →

Malicious npm Package Typosquats GitHub Actions Artifact

🔍 Cybersecurity researchers uncovered a malicious npm package, @acitons/artifact, that typosquats the legitimate @actions/artifact package to target GitHub-owned repositories. Veracode says versions 4.0.12–4.0.17 included a post-install hook that downloaded and executed a payload intended to exfiltrate build tokens and then publish artifacts as GitHub. The actor (npm user blakesdev) removed the offending versions and the last public npm release remains 4.0.10. Recommended actions include removing the malicious versions, auditing dependencies for typosquats, rotating exposed tokens, and hardening CI/CD supply-chain protections.
read more →

Amazon ECS Adds Built-in Linear and Canary Deployments

🚀 Amazon ECS now supports built-in linear and canary deployment strategies to give teams finer control over traffic shifts during container rollouts. Linear deployments shift traffic in equal percentage steps with configurable step percentage and step bake time, while canary deployments route a small portion of traffic to the new revision for a configurable canary bake time before completing the shift. Both strategies provide a post-deployment bake time, support deployment lifecycle hooks, and can use Amazon CloudWatch alarms to detect failures and trigger automated rollbacks. The feature is available in all commercial AWS Regions and is supported via Console, SDK, CLI, CloudFormation, CDK, and Terraform for services using ALB or ECS Service Connect.
read more →

Protect AI Development Using Falcon Cloud Security

🔒 Falcon Cloud Security provides end-to-end protection for AI development pipelines by embedding AI detection into CI/CD workflows, scanning container images, and surfacing AI-related packages and CVEs in real time. It extends visibility to cloud model services — including AWS SageMaker and Bedrock, Azure AI, and Google Vertex AI — revealing model provenance, dependencies, and API usage. Runtime inventory ties build-time detections to live containers so teams can prioritize fixes, govern models, and maintain delivery velocity without compromising security.
read more →

Marine Corps Cuts ATO Delays with DevOps and Agile

🚀 Operation StormBreaker transformed how Marine Corps Community Services (MCCS) develops and authorizes IT. By creating a Marine Corps–authorized landing zone in AWS and pairing it with the Department of the Navy’s RAISE platform, MCCS implemented CI/CD pipelines and automated security checks to push security left. The result: ATOs that once took 18 months can now be granted in a day, saving roughly $1M per system and improving digital services for Marines and families.
read more →

Closing Common Cloud Security Gaps with FortiCNAPP Platform

🔒 FortiCNAPP unifies cloud security across posture, workload runtime, control plane, and application layers to address common gaps that expose cloud-native applications. The platform delivers continuous asset discovery and inventory mapping, built-in CSPM with compliance mappings, runtime workload protection, and CDR that correlates host telemetry with cloud audit logs via composite alerts. Integrated FortiWeb WAF/API protections and CI/CD scanning enable a shift-left workflow so developers and security teams can detect and remediate risks earlier without slowing delivery.
read more →

Implementing Defense-in-Depth for AWS CodeBuild Pipelines

🔒 This guide consolidates practical recommendations for securing AWS CodeBuild CI/CD pipelines, emphasizing webhook configuration, trust boundaries, and least-privilege access. It warns against automatic pull request builds from untrusted contributors and prescribes push-based, branch-based, and contributor-filtered webhook patterns, plus staged rollout using Infrastructure as Code. Additional safeguards include scoped GitHub tokens, per-build IAM roles, isolated build environments, CloudTrail logging, and manual approval gates for sensitive deployments.
read more →