Secrets end up everywhere, from dev systems to CI/CD pipelines to services, certificates, and cloud environments. Vlad Matsiiako shares some of the tactics that make managing secrets more secure as we discuss the distinctions between secure architectures, good policies, and developer-friendly tools. We've thankfully moved on from forced 90-day user password rotations, but that doesn't mean there isn't a place for rotating secrets. It means that the tooling and processes for ephemeral secrets should be based on secure, efficient mechanisms rather than putting all the burden on users. And it also means that managing secrets shouldn't become an unmanaged risk with new attack surfaces or new points of failure.
Segment Resources:
Vlad Matsiiako is the co-founder and CEO of Infisical – the leading open source secrets, identity, and access management platform.
Identiverse 2025 is returning to Las Vegas, June 3-6. Hear from 250+ expert speakers and connect with 3,000+ identity security professionals across four days of keynotes, breakout sessions, and deep dives into the latest identity security trends. Plus, take part in hands-on workshops and explore the brand-new Non-Human Identity Pavilion. Register now and save 25% with code IDV25-SecurityWeekly at https://www.securityweekly.com/IDV2025
Mike Shema
- CISA extends MITRE-backed CVE contract hours before its lapse – Nextgov/FCW
- Sneak peek: A new ASN.1 API for Python – The Trail of Bits Blog
Making parsing more secure and more consistent.
But also moving from a pure Python implementation to Rust. That means it'll be more performant, but the slow creep of Rust into other languages will be interesting to watch for. It wouldn't necessarily be a bad trend. After all, many packages have historically chosen C for similar performance reasons.
- Risky Bulletin: Android looks set to get its own Lockdown Mode
Competition on security features isn't common to see, but it's always welcome.
- Pixel-Perfect Trap: The Surge of SVG-Borne Phishing Attacks
I came across this on a recent Risky Bulletin.
I appreciate the novelty of SVG files being an attack vector for phishing payloads. Image files aren't new vectors for XSS. It used to be possible to put script tags inside the EXIF data of a GIF and see the browser render it.
When I see articles like this I wonder how much this SVG vector (ha!) is really a concern for users or how much it shows failures in various sites and apps to handle security better for users. As with all phishing, sites need to make phishing-resistant authentication methods available to their users (and eventually required).
But if we were to talk about secure design principles, this seems like something that browsers, renderers, and security tools should be handling by default on behalf of users.
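As an added illustration of what "handling it by default" can look like on the tooling side (this is example code written for these notes, not from the article or any referenced project), the check below flags the parts of an SVG that a plain image never needs: script and foreignObject elements, on* event-handler attributes, and javascript:/data: link targets. The element and attribute lists are my own assumptions about what separates an image from a document; the sample SVGs are constructed and inert.

```python
"""Static check for active content inside an SVG file.

A mail gateway or upload handler could use a check like this to treat
an SVG that carries script as a document rather than as an image.
"""
import xml.etree.ElementTree as ET

ACTIVE_ELEMENTS = {"script", "foreignObject"}   # assumed list, not exhaustive
RISKY_SCHEMES = ("javascript:", "data:")        # assumed list, not exhaustive


def _local(name: str) -> str:
    """Strip the XML namespace from an ElementTree tag or attribute name."""
    return name.rsplit("}", 1)[-1]


def find_active_content(svg_text: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    # In production parse with defusedxml to block entity-expansion tricks.
    root = ET.fromstring(svg_text)
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"element <{tag}>")
        for attr, value in elem.attrib.items():
            aname = _local(attr)
            # Any on* attribute (onload, onclick, onbegin, ...) is an event handler.
            if aname.lower().startswith("on"):
                findings.append(f"handler {aname} on <{tag}>")
            # href / xlink:href pointing at a script or data URI (case-insensitive).
            if aname == "href" and value.strip().lower().startswith(RISKY_SCHEMES):
                findings.append(f"href={value[:24]!r} on <{tag}>")
    return findings


# Constructed sample inputs: one ordinary image, one "image" carrying active content.
CLEAN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <rect width="10" height="10" fill="blue"/>
</svg>"""

ACTIVE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <a xlink:href="JavaScript:void(0)"><text>Open document</text></a>
  <rect onclick="0" width="1" height="1"/>
  <script>/* placeholder, intentionally empty */</script>
</svg>"""

if __name__ == "__main__":
    print("clean:", find_active_content(CLEAN_SVG))
    print("active:", find_active_content(ACTIVE_SVG))
```

The check is a heuristic for triage, not a sanitizer; a renderer that simply refuses to execute script in images embedded via `<img>` remains the real default protection.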
- Security audit of PHP-SRC – Quarkslab’s blog
It's nice to see investments in security audits that produce one-time review results as well as improving coverage for source code analysis and fuzzing. The reviews are helpful for identifying underlying design flaws or implementation mistakes, but it's the security tooling and fuzzing improvements that can help preserve code quality over the long term.
- Silicon Valley crosswalk buttons hacked to imitate Musk, Zuckerberg’s voices | TechCrunch
It's rather tame in terms of hacktivism (if that's still a term or concept these days). In general terms, it reflects the well-known challenge of securing IoT and OT networks and shows that defacing web pages isn't the only avenue for antics.
In more specific terms, it also shows the political angles of appsec. Often those angles manifest in protecting users and their data through secure designs and features. But as the first article on MITRE's funding for managing CVEs showed, there are very direct political concerns for how infosec operates and serves a common good. And then there's the very specific example of political vindictiveness against Chris Krebs.