Tag:

Tenable

Tenable finds GitHub workflow flaw in Microsoft repo

by Chief Editor May 4, 2026

written by Chief Editor

The Invisible Attack Surface: Why Your CI/CD Pipeline is the New Front Line

For years, cybersecurity focused on the “front door”—firewalls, login screens, and API gateways. But as development speeds up, the real danger has shifted to the “back door”: the Continuous Integration and Continuous Delivery (CI/CD) pipelines. The recent discovery by Tenable Research in a Microsoft GitHub repository serves as a wake-up call. A Python string injection flaw in the Windows-driver-samples repository allowed for remote code execution, potentially exposing repository secrets. When a project with 5,000 forks and 7,700 stars has this vulnerability, it isn’t just a bug in one codebase; It’s a blueprint for how modern software supply chains can be dismantled. The risk isn’t just about one leaked token. It is about the systemic trust we place in automation. As we move forward, the industry is shifting toward a reality where the pipeline itself is treated as a high-value target, equal in importance to the production server.

Did you know? Many organizations still rely on “default” permissions for their automation tokens. In the Microsoft case, researchers inferred the GITHUB_TOKEN likely operated with default read and write access since the repository predated 2023 security updates.

The Death of the ‘God Token’ and the Rise of Least Privilege

One of the most critical trends in DevOps security is the aggressive move away from long-lived, high-privilege tokens. For too long, developers used “God Tokens”—credentials with sweeping permissions that could create issues, push code, and modify settings across an entire organization. The future is Least Privilege Automation. We are seeing a transition toward:

Short-lived Credentials: Moving away from static secrets toward tokens that expire in minutes or hours.
OIDC (OpenID Connect): Instead of storing a secret key in GitHub, pipelines now use OIDC to request temporary access from cloud providers like AWS or Azure, eliminating the need for long-term stored secrets.
Granular Scoping: Rather than “Read/Write” access, permissions are being narrowed to specific actions, such as read-only access to the contents folder.

“The CI/CD infrastructure is part of an organisation’s attack surface and software supply chain,” Rémy Marot, Staff Research Engineer at Tenable

AI: The Double-Edged Sword of Pipeline Security

As we integrate Artificial Intelligence into our coding workflows, we are entering a period of “automated escalation.” AI is fundamentally changing how vulnerabilities like string injections are both created and found. On the offensive side, attackers are using LLMs to scan public YAML files and workflow scripts for patterns that suggest unsafe input handling. A vulnerability that might have taken a human researcher days to find can now be spotted by an AI agent in seconds. But, the defensive trend is equally powerful. We are seeing the emergence of AI-driven Guardrails. Future CI/CD systems will likely include:

Real-time Static Analysis: AI that blocks a commit if the workflow script introduces a potential injection point.
Anomaly Detection: Systems that flag a workflow if it suddenly attempts to access a secret it has never used before or connects to an unknown external IP.

Pro Tip: Regularly audit your `.github/workflows` files. Treat your YAML configurations as production code—subject them to the same peer review and security scanning as your primary application logic.

Moving Toward ‘Zero Trust’ DevOps

The industry is realizing that “internal” does not mean “safe.” The Tenable finding proved that a simple GitHub issue submission—an action available to any registered user—could trigger a vulnerable workflow. The future trend is Zero Trust for Pipelines. This means assuming that any input coming into the pipeline—whether it is a pull request, a comment, or an issue description—is potentially malicious. This shift involves implementing Software Bill of Materials (SBOM) and strict provenance checks. By verifying exactly who touched the code and which automated process built the binary, companies can ensure that a compromised pipeline doesn’t lead to a poisoned update being sent to millions of users.

For more on securing your development environment, see our guide on [Internal Link: Implementing DevSecOps Best Practices].

Frequently Asked Questions

What is a CI/CD pipeline attack?

A CI/CD attack targets the automated tools used to build and deploy software. Instead of attacking the final app, hackers target the pipeline to steal secrets or inject malicious code directly into the software before it is released.

Frequently Asked Questions — Microsoft Actions Python

Why is string injection dangerous in GitHub Actions?

String injection occurs when user-supplied text is executed as code. In GitHub Actions, if a workflow takes a user’s issue description and passes it directly into a shell script or Python command, an attacker can “inject” their own commands to take over the server running the workflow.

How can I secure my GitHub repository secrets?

Avoid using default permissions. Explicitly define the permissions key in your workflow YAML to restrict the GITHUB_TOKEN to the minimum access required for that specific job.

What is the role of the GITHUB_TOKEN?

The GITHUB_TOKEN is an automatically generated secret used by GitHub Actions to authenticate requests to the GitHub API, allowing the workflow to perform tasks like creating releases or commenting on issues.

Join the Conversation: Is your team treating your CI/CD pipeline as critical infrastructure, or is it still viewed as “background tooling”? Share your security strategies or request a question in the comments below.

Want to stay ahead of the next major vulnerability? Subscribe to our Security Insights newsletter for weekly deep-dives into the evolving threat landscape.

May 4, 2026 0 comments

Tech

Tenable warns of widening AI exposure gap in cloud

by Chief Editor February 23, 2026

written by Chief Editor

The Widening AI Exposure Gap: Why Cloud Security is Falling Behind

Organisations are facing a growing cybersecurity challenge: an “AI exposure gap.” This isn’t about AI *causing* breaches, but rather the rapid integration of AI, cloud technologies, and third-party software creating vulnerabilities that security teams struggle to identify and address. A recent report from Tenable highlights this critical mismatch between engineering speed and security capabilities.

The Software Supply Chain: A Major Weak Point

The report reveals a significant risk within the software supply chain. A staggering 86% of organisations have third-party code packages installed containing critical-severity vulnerabilities. Even more concerning, 13% have deployed packages with a known history of compromise, including instances linked to the s1ngularity and Shai-Hulud worms. This demonstrates that vulnerabilities aren’t just theoretical; they’re actively being exploited.

The increasing use of AI and Model Context Protocol third-party packages – found in 70% of organisations – further complicates matters. These integrations often bypass traditional security oversight, embedding AI deeper into systems and expanding the attack surface.

Identity and Access Management: A Critical Control Point

Identity controls are proving to be a major pressure point. “Ghost” secrets – unused or unrotated cloud credentials – plague 65% of organisations. Alarmingly, 17% of these unused credentials grant critical administrative privileges. Nearly half (49%) of identities with excessive permissions remain dormant, representing a significant potential entry point for attackers.

The report also raises concerns about permissions granted to AI services themselves, with 18% of organisations giving them rarely-audited administrative access. Non-human identities, like AI agents and service accounts, now pose a higher risk (52%) than human users (37%), due to “toxic combinations” of permissions across fragmented systems.

The Rise of “Invisible” Exposure

Tenable defines this challenge as an issue of “exposure management” – the process of identifying, evaluating, and prioritizing risks across all potential attacker entry points. AI adoption dramatically expands the number of systems and components that can inherit risk, adding new layers to applications, infrastructure, identities, and data. This creates a largely invisible exposure that many security teams are ill-equipped to manage.

The report identified severe risks in four key areas: AI security posture, supply chain attack vectors, least-privilege implementation, and cloud workload exposure.

What Can Organisations Do?

The report recommends a multi-faceted approach. Improving visibility of AI integrations is paramount, alongside tightening identity-centric controls. Implementing least-privilege practices for AI roles, removing “ghost” identities, and eliminating exposure from static secrets are also crucial steps. Recognizing that third-party code and external accounts now function as extensions of an organisation’s infrastructure is vital.

Liat Hayun, Senior Vice President of Product Management and Research at Tenable, emphasizes the demand for security teams to proactively account for AI systems embedded within infrastructure. She states that a lack of visibility and governance leaves teams vulnerable to new exposures, including over-privileged identities in the cloud.

Hayun advocates for focusing on the “unified exposure path” to move beyond managing “security debt” and towards managing actual business risk.

Pro Tip

Regularly audit and rotate cloud credentials. Implement multi-factor authentication (MFA) wherever possible to add an extra layer of security.

Future Trends to Watch

The AI exposure gap isn’t a static problem; it’s likely to worsen as AI becomes more pervasive. Several trends will exacerbate the challenge:

Increased AI Complexity: AI models will develop into more complex, making it harder to understand their internal workings and potential vulnerabilities.
AI-Powered Attacks: Attackers will increasingly leverage AI to automate and refine their attacks, making them more sophisticated and tough to detect.
Expansion of Non-Human Identities: The number of AI agents and service accounts will continue to grow, increasing the risk associated with non-human identities.
Decentralized AI Development: More AI development will occur outside of centralized IT departments, leading to shadow AI and increased security risks.

FAQ

Q: What is the “AI exposure gap”?
A: It’s the growing mismatch between the speed of AI and cloud adoption and the ability of security teams to assess and remediate associated risks.

Q: How significant is the risk from third-party code?
A: 86% of organisations have third-party code packages with critical vulnerabilities, and 13% have deployed compromised packages.

Q: What is exposure management?
A: It’s the process of identifying, evaluating, and prioritizing risks across all potential attacker entry points.

Did you know?

Non-human identities (AI agents, service accounts) now present a higher risk profile than human users, according to Tenable’s research.

Want to learn more about securing your cloud environment? Explore our other articles on cloud security best practices.

February 23, 2026 0 comments

Tech

Patching Lags for Vulnerabilities Targeted by Salt Typhoon

by Chief Editor January 24, 2025

written by Chief Editor

Escalating Cyber Threats and Nation-State Hacking

Nation-state hacking, such as the activities of Chinese hackers involved with the Salt Typhoon group, continues to pose significant threats to global cybersecurity. These sophisticated attacks target unpatched vulnerabilities in critical infrastructure, including telecommunications networks across the U.S. and other countries.

The Role of Unpatched Systems

One of the most notable risks associated with such cyber campaigns is the prevalence of unpatched systems. Recent data shows that 91% of vulnerable Microsoft Exchange Servers remain unpatched, despite available fixes since 2021. This highlights a persistent lapse in cybersecurity hygiene that nation-state actors exploit.

Pro tip: Regular patch management processes are essential to defend against these threats.

Adapting Cyber Defense Strategies

It’s critical for organizations to evolve their cybersecurity defenses to guard against ongoing nation-state threats. The perseverance of groups like Salt Typhoon necessitates a proactive approach to patch management and network monitoring.

For instance, the effective patching of recent Ivanti vulnerabilities demonstrates a move in the right direction. However, there’s much more work required across different sectors.

Future of Regulatory Action

With the rising threat landscape, regulatory bodies are pressed to update existing cybersecurity rules. The Federal Communications Commission, during Jessica Rosenworcel’s tenure, pushed for mandatory cybersecurity and supply chain risk management plans for telecoms.

Changes Under New Administration

The recent disbandment of the Cyber Safety Review Board (CSRB) under the Trump administration raises concerns about future cybersecurity preparedness and oversight. Whether these bodies will be revitalized or restructured remains to be seen.

Lessons from Real-Life Instances

Exploring past incidents provides a wealth of lessons for future cybersecurity readiness. Salt Typhoon’s multi-year campaigns underscore the importance of continuous vigilance, robust logging, and monitoring systems that can detect and counter stealthy intrusions.

Granular Defense Mechanisms

Security strategies must now encompass both technological enhancements and comprehensive policy updates. End-to-end encryption, regular security audits, and employee training can collectively bolster defenses against persistent cyber threats.

FAQs on Cybersecurity Threats

Q: Why is patch management crucial in countering nation-state attacks?

A: Unpatched systems are prime targets for hackers, offering easy access to sensitive data and backend systems.

Q: What can organizations do to improve their cybersecurity posture?

A: Adopt robust cybersecurity frameworks, enforce regular updates and patches, and engage in continuous monitoring.

Interactive Q&A: Reader Engagement

How is your organization preparing for evolving cyber threats? Share your experiences and strategies in the comments below!

Stay Informed and Secure

Stay ahead of cybersecurity developments and ensure your organization is protected. Explore our collection of articles and subscribe to our newsletter for the latest insights.

January 24, 2025 0 comments