How to secure codebases from secrets exfiltration

Chris Martinez
August 10, 2021
The Nightfall blog is a knowledgebase for cybersecurity professionals with news and insights from the world of cloud security. Each week we’re publishing new content to help you stay up-to-date on cybersecurity topics and to prepare you for the issues and threats that occur every day on the job.

This month, we’re sharing a digest of short videos from our recent webinar - Learn How to Protect Codebases from Secrets Exfiltration. Catch up with the key lessons on protecting sensitive data in platforms like GitHub with quick videos, or watch the full on-demand presentation. We’re also sharing a set of blog posts on HIPAA compliance in essential SaaS apps for collaboration like DocuSign and Microsoft Teams. Compliance is always a main topic on the Nightfall blog, so we’re including a few more posts centered on achieving SOC2 and NIST compliance when working with cloud data. We round out this month’s content highlights with a pair of blog posts on securing data in application logs and data warehouses, plus our discussion with Datadog Deputy CISO Chris Sandulow on the CISO Insider podcast.

Thank you for keeping up with our updates! We hope you and your loved ones are having a wonderful and safe summer.

4 lessons for securing codebases from secrets exfiltration

Nightfall’s webinar on codebase security presents key concepts for preventing sensitive data sprawl within systems like GitHub. In case you missed the webinar or are just pressed for time, we’ve compiled the highlights from the presentation so you can find the answers you need for securing your codebases quickly.

Watch video clips on the scope of secrets exposure risk, how to spot secrets exfiltration and leakage, codebase security as it relates to the SaaS threat landscape, and best practices for securing codebases. You can also watch the full webinar on demand, featuring a discussion with Nightfall CTO & co-founder Rohan Sathe on eight simple and practical steps for preventing secrets from remaining within codebases and protecting your GitHub from unauthorized access.

CISO Insider S2E4 — A risk-based approach to data security with Chris Sandulow

MongoDB Deputy CISO Chris Sandulow joins Nightfall for a discussion on the challenges and opportunities he faces in his everyday work as a data and security steward at one of the leading document-oriented database services. One big idea rises to the top in our chat: how a risk-based approach to issues and productivity flexibility allows his teams and organization to do their best work as security practitioners, and as individuals. This approach is based on empathy for his teams, understanding customers’ needs, building a nontoxic team for continued success, and creating the right work-life balance at MongoDB.

Read and listen to our chat with Chris here.

Is DocuSign HIPAA compliant?

When your business uses DocuSign to streamline signing contracts and other paperwork for your customers, you’re required to meet all compliance obligations for protecting customer data. For healthcare organizations, this means meeting all requirements for HIPAA compliance. You’ll likely need to invest in a variety of security controls and implement crucial security processes informing employees of appropriate behavior over SaaS applications like DocuSign. 

We created this blog post to help you understand your organization's requirements and how the nuances of HIPAA compliance will impact your data security policies when using DocuSign. Read more on the Nightfall blog.

Is Microsoft Teams HIPAA compliant?

Collaboration platforms like Microsoft Teams have only become more important post-COVID with teams being hybrid, decentralized, and distributed. Healthcare organizations specifically can benefit from Microsoft Teams as it’s an affordable platform that’s a no-brainer for organizations already leveraging Office 365 or other aspects of Microsoft’s services.

Read how healthcare organizations can get started with Teams and remain HIPAA compliant while using the platform — by prioritizing data security standards to protect PHI and measure risk.

Preventing data loss in data warehouses with the Nightfall Developer Platform

Data warehouses power your data analysis and business intelligence operations so you can level up your knowledge and progress toward bigger business goals. Like any key component of your tech stack, using data warehouses effectively also requires care and caution — especially when uploading and sharing sensitive information. 

To understand data protection for data warehouses better, we sat down with our CTO Rohan Sathe for a question and answer session. Rohan provides answers to the most important questions around data security for data warehouses like Snowflake, Amazon Redshift, and others that are in frequent use. Read where exfiltration risk originates when using data warehouses, why encryption is only part of the solution, and how cloud-native DLP can help solve the problems that lead to data exfiltration in data warehouses.

Prevent secrets, credentials, and PII leaking in application logs with the Nightfall Developer Platform

When your organization is crafting tactics and onboarding platforms that will protect sensitive information, your checklist of requirements could be missing a very important vector for attack, compliance risk or data loss: application logs.

The problem stems from the nature of application logs themselves — do you know which information exists in your application logs? Can you see it, or keep track of it? Since there are so many logs being generated every day by your systems and applications, it’s likely that you don’t even know what’s in there and what should be protected from exposure or loss among the massive amounts of data. On top of all this, application logs were not created with these questions and concerns in mind. Platforms that create and host application logs are not set up to protect sensitive information by default. 

Read why it’s essential to secure sensitive information in your application logs and why cloud-native DLP is the best solution for safeguarding all your data in logs.

Nightfall’s data protection & classification platform enables SOC 2 compliance

Security teams that work in highly regulated industries or build solutions for consumers must adhere to compliance controls and regimes required for their business. One of the most important compliance requirements for many companies is the SOC 2 audit. The SOC 2 audit provides detailed information and quality assurance about essential security factors such as the confidentiality of data under your organization’s stewardship, privacy controls, and many other standards.

Cloud-native data protection and classification with Nightfall can help your organization achieve SOC 2 compliance by proving your company handles sensitive data properly. The key aspects of SOC 2 compliance are data security, data availability, data processing integrity, data confidentiality, and data privacy. Here’s how to prepare for SOC 2 compliance using Nightfall’s data protection for SaaS apps to ensure you pass your SOC 2 audit with flying colors.

The NIST Cybersecurity framework: Security checklist and best practices

The NIST cybersecurity framework was created in collaboration between industry leaders and the government. It contains standards, guidelines, and best practices to protect critical IT infrastructure. The approach emphasizes flexibility, cost-effectiveness, and practices that are iterative. 

The framework is designed to be used by businesses of all sizes in virtually every industry. What works for your company’s approach to implementing the Core Framework will look different from another company’s approach. That’s why we created this post with a NIST security checklist to help ensure your business is implementing the Core Framework best practices.

GLBA compliance checklist: Keeping financial data safe and secure

GLBA compliance isn’t something to take lightly. These measures are strictly enforced by the Federal Trade Commission (FTC), and include civil penalties against financial institutions that don’t adhere to the GLBA financial privacy rule that can add up to $100,000 for each violation. In addition, officers or directors of the institution may be personally liable for civil penalties of up to $10,000 per violation. The most serious violations could be subject to further fines, and even imprisonment of up to five years. 

Fortunately, GLBA regulations are relatively straightforward; meeting GLBA compliance can be achieved with common-sense security measures, employee training, and regular privacy disclosures. Here’s what financial institutions need to know about GLBA compliance.
