March 21, 2023
In January, we received a stark reminder that the security of our CI/CD pipelines is a really big deal. Your CI/CD pipeline needs the power to deploy code into your infrastructure, but deployment requires a high level of privilege, which often includes the ability to SSH into servers, to talk to APIs, to push code into containers, and to spin infrastructure up and down. If your CI/CD pipeline gets compromised, those privileges fall into the hands of an adversary… which means that an adversary can push malicious code into your infrastructure… which is ~about the worst~ thing that can happen. In this blog, I’ll explain how to use BastionZero (BZ) Service Accounts paired with our Github Actions integration to secure your CI/CD pipeline’s access to your infrastructure.
March 7, 2023
Service accounts are an integral part of many modern workflows, especially those related to continuous integration, continuous delivery, and continuous deployment (CI/CD) tools. But managing their interconnectedness presents a unique challenge to IT and security teams. Elevated privileges enable these teams to execute applications with ease—but it is precisely this high-level access that can create security risks if not managed correctly. In this blog post, we'll explore the benefits and risks associated with service accounts and how they impact your organization’s security posture.
March 1, 2023
Securing and managing a build pipeline is really complicated. And esoteric. In fact, I’m willing to bet that if you put 10 platform engineers from different organizations in a single room, you’d likely find that they work with at least 13 totally different flavors of CICD pipelines.
February 15, 2023
Well, CircleCI was breached. And many teams spent a large part of January rotating secrets and looking for indicators of compromise (IoCs). I think this breach is a really big deal, because it’s exposing the massive attack surface that can be created by our CICD pipelines. This is barely even about CircleCI --- this is mostly about a fundamental security issue that affects almost any CICD pipeline, whether it’s built on CircleCI or not.
February 10, 2023
If you're like most organizations, you've been focused on perimeter-based network activity within your office or corporate network. But with the rapid adoption of remote work paradigms and third-party vendors, that's all changed. And chances are, your IT and security policies haven't kept up.
February 1, 2023
As organizations continue to push the boundaries of innovation, remote access has become a cornerstone of growth and resiliency. However, when it comes to determining the total price of remote access, the answer cannot be discovered simply through a straightforward calculation.
January 23, 2023
Employees need access to technology, anywhere and anytime. But how can you balance risk with employees' need for access? Enter trustless access.
January 12, 2023
In this guest blog, we explore the key trends for remote access in 2023 according to Joe Stevens, former Chief Information Security Officer at Criteo.
December 14, 2022
In this article, we'll explore the threat of session cookie resale on the dark web and why it's a big deal. We'll also discuss how BastionZero limits the scope of these attacks.
December 12, 2022
Lessons learned from a workshop with the folks that run the Internet’s largest certificate authorities.
July 29, 2022
A VPN provides access to a private network. BastionZero provides access to infrastructure targets (servers, containers, k8s, dbs) with authentication, authorization and audit logging built in. So you can improve security while avoiding the need to build an infrastructure access system behind your VPN.
July 21, 2022
We're honored to place Second in the 2022 RSAC Innovation Sandbox Contest!
July 12, 2022
Sharon spent part of her morning revising the submission of an academic paper on the cryptographic protocol behind BastionZero. The team wrote an extremely short abstract about the MRZAP protocol and figured this description of the cryptographic protocol would be worth sharing! Voila!
June 29, 2022
I read CISA’s Cloud Security Technical Reference Architecture. Here's what you need to know.
June 16, 2022
Organizations frequently struggle to find the best way to provide their engineers with access to their backend infrastructure.
June 14, 2022
A few weeks ago, our CEO, Sharon Goldberg, had the pleasure of speaking with Melinda Marks on ESG’s Women in Cybersecurity Podcast. They talked about getting into cybersecurity, struggles and challenges of breaking into cybersecurity, and advice and resources for those entering the space.
June 13, 2022
A few weeks ago, our CTO, Ethan Heilman, had the pleasure of speaking with Steve Stonebraker on the Ephemeral Security Podcast. They talked about getting into information security, how BastionZero works, and BastionZero’s potential features.
May 3, 2022
We're honored to announce that we are a top ten finalist for the RSA Conference Innovation Sandbox Contest, as one of the most innovative early-stage cybersecurity startups of the year. Thank you to our tenacious team for getting us to this milestone. BastionZero Recognized for Innovative Cryptographic Approach to Zero-Trust Infrastructure Access.
April 4, 2022
We had the pleasure of joining Timothy Peacock and Anton Chuvakin on The Cloud Security Podcast from Google, a weekly news and interview show with insights from the cloud security community. We covered our favorite definitions of zero trust, Sharon's analysis of the federal government's zero trust memo, deprecating VPNs, and the future of cloud security! | Google Cloud Security Podcast: EP59 Zero Trust: So Easy Even a Government Can Do It?
March 29, 2022
This is a post I’ve been waiting almost two years to write, and it tells the story about how BastionZero was born. BastionZero is a pandemic baby. We started out as a blockchain company and then pivoted into infrastructure cybersecurity right after COVID hit.
March 22, 2022
SSO is fantastic and super convenient. But breaches happen. We can mitigate these risks so that a breach of your SSO provider does not lead to a compromise of your targets.
March 3, 2022
We were honored to be a part of Enterprise Security Weekly #263!
March 2, 2022
We’re thrilled to announce that we raised $6m in seed funding led by Dell Technologies Capital. Here we share how we started and where we’re heading next.
February 8, 2022
When I first read the federal government’s memo on its “transition to zero trust”, I was jumping out of my skin with excitement. There’s lots of great stuff in that memo (see my earlier blog post) but what excited me most was the memo’s stance on VPNs.
January 27, 2022
Yesterday, the Office of Management and Budget (OMB) released a memo: “Moving the U.S. Government Towards Zero Trust Cybersecurity Principles”. The memo advises the Federal Government on what steps each agency must take to improve its cybersecurity. It looks like the government is planning to position itself as a cybersecurity leader, while also pushing the private sector into a more robust cybersecurity posture. Also, if you get into it, this memo is actually about a lot more than zero trust.
January 26, 2022
PwnKit is a new vulnerability that breaks the security model around privileged access management (PAM) to Linux machines. It allows someone with access to a Linux machine to escalate their privileges to root, and then execute commands that exceed their privilege. This bug was likely present in the Linux kernel for 12 years. This has resulted in a few screamy headlines, but I’m fairly unsurprised.
December 7, 2021
As the new kid in the infrastructure and remote access space, we wanted to take a moment to introduce ourselves. We are a group of cryptography PhDs, engineering leaders, and infrastructure experts and enthusiasts who think the remote access industry needs some shaking up. In fact, we believe everything about infrastructure and remote access needs to be made simpler and more secure.