Month: July 2025

Simple Steps to Make Your Code More Secure Using Pre-Commit

Simple Steps to Make Your Code More Secure Using Pre-Commit

By | | Comments 0 Comment

Build Smarter, Ship Faster: Engineering Efficiency and Security with Pre-Commit

In high-velocity engineering teams, the biggest bottlenecks aren’t always technical; they are organisational. Inconsistent code quality, wasted CI cycles, and preventable security leaks silently erode your delivery speed and reliability. This is where pre-commit transforms from a utility to a discipline.

This guide unpacks how to use pre-commit hooks to drastically improve engineering efficiency and development-time security, with practical tips, real-world case studies, and scalable templates.

Developer Efficiency: Cut Feedback Loops, Boost Velocity

The Problem

  • Endless nitpicks in code reviews
  • Time lost in CI failures that could have been caught locally
  • Onboarding delays due to inconsistent tooling

Pre-Commit to the Rescue

  • Automates formatting, linting, and static checks
  • Runs locally before Git commit or push
  • Ensures only clean code enters your repos

Best Practices for Engineering Velocity

  • Use lightweight, scoped hooks like black, isort, flake8, eslint, and ruff
  • Set stages: [pre-commit, pre-push] to optimise local speed
  • Enforce full project checks in CI with pre-commit run --all-files

Case Study: Engineering Efficiency in D2C SaaS (VC Due Diligence)

While consulting on behalf of a VC firm evaluating a fast-scaling D2C SaaS platform, we observed recurring issues: poor formatting hygiene, inconsistent PEP8 compliance, and prolonged PR cycles. My recommendation was to introduce pre-commit with a standardised configuration.

Within two sprints:

  • Developer velocity improved with 30% faster code merges
  • CI resource usage dropped 40% by avoiding trivial build failures
  • The platform was better positioned for future investment, thanks to a visibly stronger engineering discipline

Shift-Left Security: Prevent Leaks Before They Ship

The Problem

  • Secrets accidentally committed to Git history
  • Vulnerable code changes sneaking past reviews
  • Inconsistent security hygiene across teams

Pre-Commit as a Security Gate

  • Enforce secret scanning at commit time with tools like detect-secrets, gitleaks, and trufflehog
  • Standardise secure practices across microservices via shared config
  • Prevent common anti-patterns (e.g., print debugging, insecure dependencies)

Pre-Commit Security Toolkit

  • detect-secrets for credential scanning
  • bandit for Python security static analysis
  • Custom regex-based hooks for internal secrets

Case Study: Security Posture for HealthTech Startup

During a technical audit for a VC exploring investment in a HealthTech startup handling patient data, I discovered credentials hardcoded in multiple branches. We immediately introduced detect-secrets and bandit via pre-commit.

Impact over the next month:

  • 100% of developers enforced local secret scanning
  • 3 previously undetected vulnerabilities were caught before merging
  • Their security maturity score, used by the VC’s internal checklist, jumped significantly—securing the next funding round

Implementation Blueprint

📄 Pre-commit Sample Config

repos:
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.5.0
    hooks:
      - id: trailing-whitespace
      - id: end-of-file-fixer
  - repo: https://github.com/psf/black
    rev: 24.3.0
    hooks:
      - id: black
  - repo: https://github.com/Yelp/detect-secrets
    rev: v1.0.3
    hooks:
      - id: detect-secrets
        args: ['--baseline', '.secrets.baseline']
        stages: [pre-commit]

Developer Setup

brew install pre-commit  # or pip install pre-commit
pre-commit install
pre-commit run --all-files

CI Pipeline Snippet

- name: Run pre-commit hooks
  run: |
    pip install pre-commit
    pre-commit run --all-files

Final Thoughts: Pre-Commit as Engineering Culture

Pre-commit is not just a Git tool. It’s your first line of:

  • Code Quality Defence
  • Security Posture Reinforcement
  • Operational Efficiency

Adopting it is a small effort with exponential returns.

Start small. Standardise. Automate. And let every commit carry the weight of your engineering discipline.

Stay Updated

Follow NocturnalKnight.co and my Substack for hands-on DevSecOps guides that blend efficiency, compliance, and automation.

Got feedback or want the Zerberus pre-commit kit? Ping me on LinkedIn or leave a comment.

Oracle Cloud Breach Is a Transitive Trust Timebomb : Here’s How to Defuse It

Oracle Cloud Breach Is a Transitive Trust Timebomb : Here’s How to Defuse It

By | | Comments 0 Comment

“One mispatched server in the cloud can ignite a wildfire of trust collapse across 140,000 tenants.”

1. The Context: Why This Matters

In March 2025, a breach at Oracle Cloud shook the enterprise SaaS world. A few hours after Rahul from CloudSEK first flagged signs of a possible compromise, I published an initial analysis titled Is Oracle Cloud Safe? Data Breach Allegations and What You Need to Do Now. That piece was an urgent response to a fast-moving situation, but this article is the reflective follow-up. Here, I break down not just the facts of what happened, but the deeper problem it reveals: the fragility of transitive trust in modern cloud ecosystems.

Threat actor rose87168 leaked nearly 6 million records tied to Oracle’s login infrastructure, affecting over 140,000 tenants. The source? A misconfigured legacy server still running an unpatched version of Oracle Access Manager (OAM) vulnerable to CVE‑2021‑35587.

Initially dismissed by Oracle as isolated and obsolete, the breach was later confirmed via datasets and a tampered page on the login domain itself, captured in archived snapshots. This breach was not just an Oracle problem. It was a supply chain problem. The moment authentication breaks upstream, every SaaS product, platform, and identity provider depending on it inherits the risk, often unknowingly.

Welcome to the age of transitive trust. shook the enterprise SaaS world. Threat actor rose87168 leaked nearly 6 million records tied to Oracle’s login infrastructure, affecting over 140,000 tenants. The source? A misconfigured legacy server still running an unpatched version of Oracle Access Manager (OAM) vulnerable to CVE‑2021‑35587.

Initially dismissed by Oracle as isolated and obsolete, the breach was later confirmed via datasets and a tampered page on the login domain itself, captured in archived snapshots. This breach was not just an Oracle problem. It was a supply chain problem. The moment authentication breaks upstream, every SaaS product, platform, and identity provider depending on it inherits the risk, often unknowingly.

Welcome to the age of transitive trust.

2. Anatomy of the Attack

Attack Vector

  • Exploited: CVE-2021-35587, a critical RCE in Oracle Access Manager.
  • Payload: Malformed XML allowed unauthenticated remote code execution.

Exploited Asset

  • Legacy Oracle Cloud Gen1 login endpoints still active (e.g., login.us2.oraclecloud.com).
  • These endpoints were supposedly decommissioned but remained publicly accessible.

Proof & Exfiltration

  • Uploaded artefact visible in Wayback Machine snapshots.
  • Datasets included:
    • JKS files, encrypted SSO credentials, LDAP passwords
    • Tenant metadata, PII, hashes of admin credentials

Validated by researchers from CloudSEK, ZenoX, and GoSecure.

3. How Was This Possible?

  • Infrastructure drift: Legacy systems like Gen1 login were never fully decommissioned.
  • Patch blindness: CVE‑2021‑35587 was disclosed in 2021 but remained exploitable.
  • Trust misplacement: Downstream services assumed the upstream IDP layer was hardened.
  • Lack of dependency mapping: Tenants had no visibility into Oracle’s internal infra state.

4. How This Could Have Been Prevented

Oracle’s Prevention Gaps
VectorPreventive Control
Legacy exposureEnforce infra retirement workflows. Remove public DNS entries for deprecated endpoints.
Patch gapsAutomate CVE patch enforcement across cloud services with SLA tracking.
IDP isolationDecouple prod identity from test/staging legacy infra. Enforce strict perimeter controls.
What Clients Could Have Done
Risk InheritedMitigation Strategy
Blind transitive trustMaintain a real-time trust graph between IDPs, SaaS apps, and their dependencies.
Credential overreachUse scoped tokens, auto-expire shared secrets, enforce rotation.
Detection lagMonitor downstream for leaked credentials or unusual login flows tied to upstream IDPs.

5. Your Response Plan for Upstream IDP Risk

DomainBest Practices
Identity & AccessEnforce federated MFA, short-lived sessions, conditional access rules
Secrets ManagementStore all secrets in a vault, rotate frequently, avoid static tokens
Vulnerability HygieneIntegrate CVE scanners into CI/CD pipelines and runtime checks
Visibility & AuditingMaintain structured logs of identity provider access and token usage
Trust Graph MappingActively map third-party IDP integrations, revalidate quarterly

6. Tools That Help You Defuse Transitive Trust Risks

ToolMitigatesUse Case
CloudSEK XVigilCredential leaksMonitor for exposure of tokens, admin hashes, or internal credentials in open channels
Cortex Xpanse / CensysLegacy infra exposureSurface forgotten login domains and misconfigured IDP endpoints
OPA / OSQuery / FalcoPolicy enforcementDetect violations of login logic, elevated access, or fallback misroutes
Orca / WizRuntime postureSpot residual access paths and configuration drifts post-incident
Sigstore / CosignSupply chain integrityProtect CI/CD artefacts but limited in identity-layer breach contexts
Vault (HashiCorp)Secrets lifecycleAutomate token expiration, key rotation, and zero plaintext exposure
Zerberus.ai Trace-AITransitive trust, IDP visibilityDiscover hidden dependencies in SaaS trust chains and enforce control validation

7. Lessons Learned

When I sat down to write this, these statements felt too obvious to be called lessons. Of course authentication is production infrastructure, any practitioner would agree. But then why do so few treat it that way? Why don’t we build failovers for our SSO? Why is trust still assumed, rather than validated?

These aren’t revelations. They’re reminders; hard-earned ones.

  • Transitive trust is NOT NEUTRAL, it’s a silent threat multiplier. It embeds risk invisibly into every integration.
  • Legacy infrastructure never retires itself. If it’s still reachable, it’s exploitable.
  • Authentication systems deserve production-level fault tolerance. Build them like you’d build your API or Payment Gateway.
  • Trust is not a diagram to revisit once a year; it must be observable, enforced, and continuously verified.

8. Making the Invisible Visible: Why We Built Zerberus

Transitive trust is invisible until it fails. Most teams don’t realise how many of their security guarantees hinge on external identity providers, third-party SaaS integrations, and cloud-native IAM misconfigurations.

At Zerberus, we set out to answer a hard question: What if you could see the trust relationships before they became a risk?

  • We map your entire trust graph, from identity providers and cloud resources to downstream tools and cross-SaaS entitlements.
  • We continuously verify the health and configuration of your identity and access layers, including:
    • MFA enforcement
    • Secret expiration windows
    • IDP endpoint exposure
  • We bridge compliance and security by treating auth controls and access posture as observable artefacts, not static assumptions.

Your biggest security risk may not be inside your codebase, but outside your control plane. Zerberus is your lens into that blind spot.

Further Reading & References

Want to Know Who You’re Really Trusting?

Start your free Zerberus trial and discover the trust graph behind your SaaS stack—before someone else does.

JP Morgan’s Warning: Ignoring Security Could End Your SaaS Startup

JP Morgan’s Warning: Ignoring Security Could End Your SaaS Startup

By | | Comments 0 Comment

The AI-driven SaaS boom, powered by code generation, agentic workflows and rapid orchestration layers, is producing 5-person teams with £10M+ in ARR. This breakneck scale and productivity is impressive, but it’s also hiding a dangerous truth: many of these startups are operating without a secure software supply chain. In most cases, these teams either lack the in-house expertise to truly understand the risks they are inheriting — or they have the intent, but not the tools, time, or resources to properly analyse, let alone mitigate, those threats. Security, while acknowledged in principle, becomes an afterthought in practice.

This is exactly the concern raised by Pat Opet, CISO of JP Morgan Chase, in an open letter addressed to their entire supplier ecosystem. He warned that most third-party vendors lack sufficient visibility into how their AI models function, how dependencies are managed, and how security is verified at the build level. In his words, organisations are deploying systems they “fundamentally don’t understand” — a sobering assessment from one of the world’s most systemically important financial institutions.

To paraphrase the message: enterprise buyers can no longer rely on assumed trust. Instead, they are demanding demonstrable assurance that:

  • Dependencies are known and continuously monitored
  • Model behaviours are documented and explainable
  • Security controls exist beyond the UI and extend into the build pipeline
  • Vendors can detect and respond to supply chain attacks in real time

In June 2025, JP Morgan’s CISO, Pat Opet, issued a public open letter warning third-party suppliers and technology vendors about their growing negligence in security. The message was clear — financial institutions are now treating supply chain risk as systemic. And if your SaaS startup sells to enterprise, you’re on notice.

The Enterprise View: Supply Chain Security Is Not Optional

JP Morgan’s letter wasn’t vague. It cited the following concerns:

  • 78% of AI systems lack basic security protocols
  • Most vendors cannot explain how their AI models behave
  • Software vulnerabilities have tripled since 2023

The problem? Speed has consistently outpaced security.

This echoes warnings from security publications like Cybersecurity Dive and CSO Online, which describe SaaS tools as the soft underbelly of the enterprise stack — often over-permissioned, under-reviewed, and embedded deep in operational workflows.

How Did We Get Here?

The SaaS delivery model rewards speed and customer acquisition, not resilience. With low capital requirements, modern teams outsource infrastructure, embed GPT agents, and build workflows that abstract away complexity and visibility.

But abstraction is not control.

Most AI-native startups:

  • Pull dependencies from unvetted registries (npm, PyPI)
  • Push unscanned artefacts into CI/CD pipelines
  • Lack documented SBOMs or any provenance trace
  • Treat compliance as a checkbox, not a design constraint

Reco.ai’s analysis of this trend calls it out directly: “The industry is failing itself.”

JP Morgan’s Position Is a Signal, Not an Exception

When one of the world’s most risk-averse financial institutions spends $2B on AI security, slows its own deployments, and still goes public with a warning — it’s not posturing. It’s drawing a line.

The implication is that future vendor evaluations won’t just look for SOC 2 reports or ISO logos. Enterprises will want to know:

  • Can you explain your model decisions?
  • Do you have a verifiable SBOM?
  • Can you respond to a supply chain CVE within 24 hours?

This is not just for unicorns. It will affect every AI-integrated SaaS vendor in every enterprise buying cycle.

What Founders Need to Do — Today

If you’re a startup founder, here’s your checklist:

Inventory your dependencies — use SBOM tools like Syft or Trace-AI
Scan for vulnerabilities — Grype, Snyk, or GitHub Actions
Document AI model behaviours and data flows
Define incident response workflows for AI-specific attacks

This isn’t about slowing down. It’s about building a foundation that scales.

Final Thoughts: The Debt Is Real, and It’s Compounding

Security debt behaves like technical debt, except when it comes due, it can take down your company.

JP Morgan’s open letter has changed the conversation. Compliance is no longer a secondary concern for SaaS startups. It’s now a prerequisite for trust.

The startups that recognise this early and act on it will win the trust of regulators, customers, and partners. The rest may never make it past procurement.

References & Further Reading

Bitnami