Reducing technical leakage: Detecting software exposure from the outside-in
News | 22.06.2020
As customers, we can be a bit demanding when it comes to technology products. We want the latest products, features – or the most recent versions of those. We’re not stuck for choice though. Rather, our menu of technology products is always growing. These days, companies are all racing to push out products to satisfy our digital hunger. In fact, research conducted by Google highlighted that elite performing organizations deploy software updates to their end-users, on average, multiple times per day, while organizations at the lower end deploy between once a month and once every six months.
However, the combination of rapid software delivery, the onset of digital transformation – which shifts software development practices online – and poor security practices has increased the likelihood that sensitive technical data, such as code, technical credentials, and data storage solutions (to name a few), is exposed online:
- It feels like every week we hear about another database discovered with customer records exposed. And, let’s face it, that is just what gets reported. Every day, thousands of organizations’ engineering teams misconfigure their code repositories or databases and expose their contents to the public.
- The recent Verizon Data Breach Incident Report 2020 states that errors are now more common than malware in data breach incidents. While misconfigurations accounted for 20% of all error varieties in 2018, this doubled to over 40% in 2019.
- On top of that, researchers from North Carolina State University have observed that not only is secret leakage pervasive — affecting over 100,000 repositories — but that thousands of new, unique secrets, identified as API and cryptographic keys, are leaked on GitHub at a rate of thousands per day.
Who’s Responsible?
Though these risks stem from software development practices, managing this exposure tends to fall under the security team’s remit – unfair, right? Almost like when a sibling makes a mess and you have to tidy it up – sigh.
Tracking technical leakage exposure can be challenging, especially when you lack visibility of where these assets lie and the internal resources to look for them. To manage and mitigate technical leakage on your behalf, Digital Shadows, from today, releases the new ‘unauthorized commit alert’ service within SearchLight, which identifies unauthorized commits to public code repositories emanating from collaborative software development tools.
In this blog, Digital Shadows will provide an overview of this new capability:
Figure 1: Comprehensive set of digital risks
Types of code you do not want exposed
One of the biggest challenges of software development is when secrets are exposed by developers. Secrets, in software terms, are forms of digital authentication, such as passwords, API keys, access keys, and more. Much like our passwords may be stored in an online password vault, secrets have their own filing systems: code repositories. While most code repositories are private, cases have emerged whereby secrets have been exposed in public repositories, meaning those crown jewels are fully accessible to everyone.
Researchers at North Carolina State University found “that not only is secret leakage pervasive — affecting over 100,000 repositories — but that thousands of new, unique secrets, identified as API and cryptographic keys, are leaked on GitHub at a rate of thousands per day.” Exposure on code repositories such as GitHub was further highlighted as a growing concern by users on Twitter, who showed how passwords could be searched for across GitHub and implored GitHub to introduce new features, instantly, to address such exposure.
Separately, in 2018, an attacker located an AWS credential within code in a private GitHub repository belonging to Uber engineers. Though the repository was private, it is thought that the attacker either brute-forced or guessed the repository credentials – allowing them access to the app’s databases and to steal personal information on 57 million passengers and drivers, including names, email addresses, and phone numbers. Ensuring data is protected doesn’t just mean the databases aren’t publicly available – it means access to them has sufficient authentication practices in place too.
Employees can inadvertently commit sensitive technical data to public repositories, especially if there is no guidance from internal security policies or education from the business on what should or shouldn’t be shared. Examples of sensitive data that could be inadvertently leaked are:
- Proprietary code, potentially compromising your intellectual property
- Internal network details and configuration data, giving hackers a view of your infrastructure
- Live code that could be used for vulnerability research against public products and services
If companies can monitor their employees’ corporate activity on public code repos, then they can preemptively educate them on potential leakage, with the aim to avoid serious technical leakage events in the future.
Using SearchLight to detect technical leakage
In addition to monitoring for code exposure or secrets across public repositories, organizations can now track, with the “unauthorized commit alert”, their employees’ corporate activity on public code repositories. Identifying whether employees have unintentionally committed to a repository provides organizations with a quick, scalable way to preemptively catch leakage before it becomes a serious threat.
Software Development: More than securing software from within
Like everything, software development is currently affected by the forces of digital transformation, which blur network perimeters, meaning data is increasingly likely to be exposed online. On top of that, the nature of the software development industry, which demands rapid deliveries and multiple stakeholders working together on collaborative tools, has also increased the likelihood that sensitive data is exposed publicly. To prevent the exposure of software online and to minimize threats to software, Digital Shadows recommends the following:
- Monitor for technical assets: Benefit from free or paid tools to detect public code exposure – or sensitive company assets – across public repositories such as GitHub, Bitbucket, or GitLab. SearchLight, for example, detects technical leakage – and whether an employee has used their corporate email to publicly commit to repositories. Learn more about Digital Shadows’ capability here. Alternatively, free, open-source tools include Git Hound, which prevents sensitive data from being exposed, or TruffleHog, which searches through repositories for secrets.
- Increase awareness: Individuals may not be clued up when it comes to securing technical data. Such a problem can be easily solved by better education and training around these risks.
- Ease of use: When it comes to software collaboration tools, such as GitHub or GitLab, ensure security settings are configured to prevent activity from being posted publicly.
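The two detections this post describes, the corporate-email rule behind the “unauthorized commit alert” and the TruffleHog-style secret search from the monitoring recommendation, can be sketched together in a small scanner. This is an added example, not Digital Shadows or SearchLight code; the corporate domain, the sample commits and the entropy threshold are constructed assumptions, and the AWS key values are the placeholders from AWS’s own documentation.

```python
import math
import re
from collections import Counter

CORPORATE_DOMAIN = "example.com"  # assumption: the organisation's email domain

# Constructed sample commits, shaped like entries from a public repo's history.
# The key values are the placeholders from AWS's own documentation.
COMMITS = [
    {"sha": "a1b2c3", "email": "dev@example.com", "diff": [
        '+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
        '+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"']},
    {"sha": "d4e5f6", "email": "hobbyist@gmail.com", "diff": ['+print("hi")']},
    {"sha": "0a1b2c", "email": "ops@example.com", "diff": ['+# README fix']},
]

AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")   # known-format rule
TOKEN = re.compile(r"[A-Za-z0-9+/=_-]{32,}")        # candidate for entropy rule

def shannon_entropy(s: str) -> float:
    """Bits per character; random 40-char secrets score well above 4.0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def redact(secret: str) -> str:
    """Keep a short prefix so the alert is actionable without re-leaking it."""
    return secret[:4] + "*" * (len(secret) - 4)

def scan_commit(commit, domain=CORPORATE_DOMAIN, threshold=4.0):
    findings = []
    # Rule 1: a corporate address committing to a public repository at all.
    if commit["email"].lower().endswith("@" + domain):
        findings.append(("corporate-author", commit["email"]))
    # Rules 2 and 3: only newly added ('+') lines can introduce a secret.
    for line in commit["diff"]:
        if not line.startswith("+"):
            continue
        content = line[1:]
        for m in AWS_KEY_ID.finditer(content):
            findings.append(("aws-access-key-id", redact(m.group())))
        for m in TOKEN.finditer(content):
            if shannon_entropy(m.group()) >= threshold:
                findings.append(("high-entropy-token", redact(m.group())))
    return findings

def scan_history(commits):
    """sha -> findings for every commit that triggered at least one rule."""
    return {c["sha"]: f for c in commits if (f := scan_commit(c))}
```

The README-only commit is still reported, because the alert is about a corporate identity appearing on a public repository at all, not only about the secrets a diff happens to contain.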
To learn more, please check out the resources on our web page about Digital Shadows.
This article was originally published by Viktoria Austin on the DigitalShadows-Blog