Blog post 1/4: our beginners' guide!

Why read this blog?

How many thousands of API keys, database credentials, usernames and passwords, etc. do you think are leaked on GitHub... per day?

Whether your company is pushing code publicly on GitHub or not, your developers are! Is your business affected?

Read this blog if: you are unaware of the precise risks that your company could be facing on GitHub, and how much sensitive information can be found out there!

This is the first of four blogs delving deeper and deeper into GitHub security, data leaks on GitHub and how you can protect your company, so stay tuned!

Let’s start with secrets in source code…

Secrets can be anything that gives a developer programmatic access to a system, a bit like a username and password. Common types of secrets found on GitHub include API keys, database connection strings, private keys, certificates, and so on.

Sensitive information that can be found publicly on GitHub

As digital transformation continues, and the adoption of cloud and SaaS becomes prevalent, secrets are increasingly used by developers as a means of efficient connection between applications, internal services or external APIs. As a result, we are facing the issue of “secret sprawl”, where these secrets are becoming widely spread within organizations and the public domain. The problem here is the lack of visibility and control, leaving us with the difficult challenge of knowing exactly where our secrets are and if our sensitive information is at risk.

Secrets are worth stealing!

Leaking a secret can be like losing the key to your door, often with your address attached.

Your secrets can give access to sensitive business information that, if lost, stolen or unintentionally published by a developer, can significantly impact your revenues, operations, intellectual property, or reputation.

Business credentials pushed publicly to GitHub can be accessed by anyone, at anytime, from anywhere! Unlike complex vulnerabilities, such as zero days, credential stealing doesn’t require sophisticated techniques, allowing secrets to be compromised easily and discreetly.

Credentials leaked on GitHub: is my business affected?

You might be thinking: why am I reading this, my company isn’t using GitHub for a software development project?

Being a key player in the software development process, GitHub is used by 31 million developers [1]. Therefore, it is highly likely that even if you aren’t using the platform, your developers are.

Your developers use GitHub, and that's great!

The problem here is the struggle to monitor the entire activity of your developers on GitHub, let alone to prevent sensitive corporate information from being published publicly to the platform. Every single commit made to a public repository on GitHub risks exposing your business's sensitive information and, like most companies, you will find it pretty much impossible to prevent this risk.

So what exactly are my developers doing on GitHub?

GitHub is unwittingly becoming a backdoor for hackers to damage your business, via secrets they find in source code published on the platform.

A few thousand credential sets are published on GitHub daily. This is generally unintentional, yet still an alarming figure! Let’s look at how this is happening…

The developer workflow
As developers are constantly aiming to deploy quickly and seamlessly, they are often tempted to embed secrets in their source code. Consequently, developers are pushing more and more critical company secrets onto GitHub. Note: even if a developer accidentally commits a credential, then realizes and deletes it, it is still present, and still valid, in the commit history!
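To make that note concrete, here is an added example (not GitGuardian's code) that scans a constructed, trimmed `git log -p` dump: the first commit hard-codes AWS's documented example key ID, the second commit removes it again. Only the first commit's diff contains the key, yet a history scan still finds it, while a check of the final file alone reports nothing; the AWS key-ID pattern and the generic credential-assignment rule are assumptions for illustration.

```python
import re
from collections import namedtuple

# Constructed sample of `git log -p` output (trimmed), not a real repository:
# commit aaa... hard-codes AWS's documented example key, commit bbb... removes it.
SAMPLE_LOG = """\
commit aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    add storage client
diff --git a/config.py b/config.py
+++ b/config.py
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+BUCKET = "reports"
commit bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
    remove hard-coded key
diff --git a/config.py b/config.py
+++ b/config.py
-AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
"""

# AWS access key IDs have a fixed, documented shape; the generic rule catches
# string literals assigned to names that look like credentials (assumed rules).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "credential_assignment": re.compile(
        r"(?i)(secret|password|token|api_key)\w*\s*=\s*['\"][^'\"]{8,}['\"]"),
}
Finding = namedtuple("Finding", "commit kind line")

def scan_log(log_text):
    """Report secrets in the ADDED lines of every commit of a `git log -p` dump.
    A key introduced in one commit and deleted in the next is still found in
    the first commit's diff: fixing the file does not rewrite history."""
    findings, commit = [], None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1][:7]
        elif line.startswith("+") and not line.startswith("+++"):
            for kind, rx in PATTERNS.items():
                if rx.search(line):
                    findings.append(Finding(commit, kind, line[1:].strip()))
    return findings

def tree_has_secret(file_lines):
    """Check only the current version of a file, as a quick code review would."""
    return any(rx.search(l) for l in file_lines for rx in PATTERNS.values())

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.commit}: {f.kind}: {f.line}")
```

Revoking and rotating the key is the only real fix; deleting the line, or even rewriting history, does not help once the repository has been public.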

Developers mixing up their personal and professional repositories
Increasing numbers of company credentials are being published in developers' personal repositories, the root cause of over 80% of all company data leaks on the platform. This is well below the company's radar, making it basically impossible to prevent! Developers using personal and professional repositories on a single GitHub account is the concern here.

Misconfigurations
A misconfigured IDE, pipeline or .gitignore file often leads to sensitive information being unwittingly pushed to GitHub!

Stolen secret: what are the implications for my security?

Think of Uber and their huge data breaches, in both 2014 and 2016. In the first breach, hackers gained access to the personal information of 100,000 drivers through AWS credentials found in a public GitHub repository of one of their engineers [2]. Then, in 2016, personal data from 57 million drivers and customers was extracted by the same means, from a key left in a private repository with poor security [3].

This can happen to any company, simply by a hacker getting their hands onto a secret published on GitHub.

GitGuardian to the rescue: find and fix leaked credentials issues

This is where GitGuardian steps in. By monitoring all public GitHub activity in real-time, and alerting you of an incident in just 4 seconds, we help give you the control back and protect you from sensitive data leaks.

Interested in learning more about GitHub security, data leaks on GitHub and how you can protect your company? This post was our beginners' guide. We have three more posts on this topic coming your way. Don't miss out and subscribe to our blog today!
