"We Take Security Very Seriously"

Here we go again… another day, another breach. Are you numb to it already?

Last week, one of my clients was affected by a security vulnerability in a third-party code scanning tool. What’s interesting is that they were SOC2 Type II certified as well. Type II means that you have 6 months of proven security controls throughout your environment.

Some OSS about Codecov will show they have 35 people employed there, but no one dedicated to security, it seems (hope I’m wrong); it likely falls under Engineering. It’s rare to find organizations under 50 or even 100 employees with dedicated security people. However, to maintain SOC2 Type II compliance, I imagine you would need at least one person. I don’t want to judge, but these are things you can consider. That doesn’t mean they would have avoided a breach if they had, though.

So how can we learn from this? Well, several things:

Enable all the security features available. The way this was discovered was that someone noticed a discrepancy in the shasum returned. This is an optional feature, but if it were on by default, it could have been noticed sooner. (See the FAQ on their page for more details.)
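As an added example (not code from the original post, and not Codecov’s own tooling), here is the kind of checksum check that point describes: a shell function that refuses to run a downloaded uploader script unless its SHA-256 matches a value pinned out-of-band, so a swapped script is caught before it executes. The script, the pinned digest and the tampered copy below are constructed for the demo; in practice the pinned digest lives in your repo or CI config, not next to the download.

```shell
#!/bin/sh
# Added example, not Codecov's code: gate execution of a downloaded script
# on a pinned SHA-256. The "uploader" and its digest are constructed here.

# sha256_of FILE -> prints the hex digest of FILE (sha256sum or shasum fallback)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_script FILE EXPECTED_SHA256
# Returns 0 when the digest matches the pinned value, 1 on any mismatch.
verify_script() {
    actual=$(sha256_of "$1")
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    echo "checksum mismatch for $1: expected $2, got $actual" >&2
    return 1
}

# run_verified FILE EXPECTED_SHA256
# Executes the script only after it verifies; a mismatch means it never runs.
run_verified() {
    verify_script "$1" "$2" || return 1
    sh "$1"
}

# --- constructed demo: a tiny "uploader" script and its pinned digest ---
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '#!/bin/sh\necho uploading coverage\n' > "$demo_dir/uploader.sh"
pinned=$(sha256_of "$demo_dir/uploader.sh")   # normally stored in the repo, not computed here

# Simulate a modified download: one extra line appended after the digest was pinned.
cp "$demo_dir/uploader.sh" "$demo_dir/tampered.sh"
echo 'echo extra line' >> "$demo_dir/tampered.sh"

run_verified "$demo_dir/uploader.sh" "$pinned"          # runs: prints "uploading coverage"
run_verified "$demo_dir/tampered.sh" "$pinned" || true  # refused: prints the mismatch to stderr
```

The same check belongs in the pipeline step that fetches the script, with the pinned digest updated deliberately on each upgrade rather than copied from whatever the download endpoint returns.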

Compliance Does Not Equal Security. We know this very well in the security industry, but many others outside it don’t. Many big companies that were breached had some level of compliance and even large security teams, such as Target and Equifax. However, compliance is always a good start and better than nothing.

Review Your Permissions. I’m still trying to get details of what happened, but I would guess it had something to do with excessive privileges. On your side, check your pipelines and the third-party tools you are using and see if you still need them. Consolidate where possible.

React Quickly. Make sure you have a process in place to react quickly. Luckily my client knew who to go to regarding security and we hopped into action. This notification came by email and could have easily been missed or just forwarded into the ether; it does happen. Have a good IR plan and the right people in the room to ascertain the severity of something like this in the future.

Take care,

Ayman