Security Teams Must Address Inherent Risk in Code Repositories
Security teams must get serious about monitoring risks and vulnerabilities within development platforms like GitHub. In this blog post, we look at the current state of these development platforms, the risk inherent in them, and how security teams can protect their organization against intellectual property leakage, secrets exposure and vulnerabilities.
Background
Development platforms like GitHub and Bitbucket are a necessary tool for any modern organization that operates its business on the Internet. Whether your organization runs a number of open source tools or services, or hosts its entire platform's codebase on one of these services, they are the go-to standard for software development.
While these platforms are great tools for development teams looking to collaborate, they also inadvertently introduce new security risks to organizations. With every integration of tools and code, you increase the exposure of sensitive company information, intellectual property or vulnerabilities. Build logs can accidentally expose API keys, Amazon (AWS) keys are constantly mined by cybercriminals to launch crypto-mining clusters, and the source code of major mobile apps or even major operating systems is at risk. Clearly, development platform security is not just a secure SDLC problem; it is also a security team problem.
Existing open source tools only get you so far
So what do we do about it? An obvious first step is to look for open source solutions. For example, one common tool set in the security team's arsenal deals with secrets exposure. Tools that automatically inspect repositories and git projects have emerged, but they are limited in their capabilities. truffleHog and git-hound are two well-known examples that use the GitHub or Bitbucket APIs to search code (see other examples in the Appendix).
These tools cover a number of use cases that an attentive security engineer cares about:
- Secrets inside committed code, such as private keys, API keys or internal domains
- Regular expression plugins to find specific secrets, names or PII inside code
- Detection of what I call Dirty Words, such as internal project names, that can result in an incident that exposes too much internal company information
- CI/CD integration that fails a build if something is found or a rule is fired
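The four use cases above, worked through in one small scanner. This is an added example written for this post, not truffleHog, git-hound or ZeroFox code: it walks a constructed in-memory "repository" (the AWS access key is the placeholder from AWS documentation; the hostname, token and project name are invented), applies a table of regex plugins, a list of internal "dirty words" and a truffleHog-style entropy heuristic, and returns a non-zero exit status for CI when any rule fires. In practice the `{path: contents}` mapping would be fed from the working tree or from `git log -p` so that history is covered too.

```python
"""Constructed example: a minimal repository scanner covering secret regexes,
pluggable patterns, "dirty words" and a CI exit status. Sample data is made up."""
import math
import re
import sys
from collections import Counter

# Constructed in-memory repository: {path: file contents}. The AWS key is the
# documented AWS placeholder; the token, hostname and project name are invented.
SAMPLE_REPO = {
    "config/settings.py": (
        "DEBUG = False\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "API_TOKEN = 'aBcDeFgHiJkLmNoPqRsTuV0123456789'\n"
        "DB_HOST = 'db01.corp.example.internal'\n"
    ),
    "deploy/id_rsa": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEow...\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "README.md": "Project Nightjar internal build notes. Do not distribute.\n",
    "src/app.py": "def main():\n    return 'hello'\n",
}

# Regex "plugins": add an entry here to extend the scanner.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "internal_hostname": re.compile(
        r"\b[a-z0-9.-]+\.(?:internal|corp|local)\b"),
}

# "Dirty words": internal project names that must never appear in public code.
DIRTY_WORDS = ["Nightjar", "Project Kestrel"]

# Entropy heuristic: long tokens with many distinct characters are likely
# machine-generated credentials even when no regex knows their format.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_-]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; tune per codebase


def shannon_entropy(s):
    """Bits of entropy per character of s."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(path, text):
    """Return a list of findings for one file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, rx in SECRET_PATTERNS.items():
            for m in rx.finditer(line):
                findings.append(dict(path=path, line=lineno, rule=rule,
                                     match=m.group(0)))
        for word in DIRTY_WORDS:
            if word.lower() in line.lower():
                findings.append(dict(path=path, line=lineno,
                                     rule="dirty_word", match=word))
        for tok in TOKEN_RE.findall(line):
            if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
                findings.append(dict(path=path, line=lineno,
                                     rule="high_entropy", match=tok))
    return findings


def scan_repo(files):
    """Scan every file in a {path: contents} mapping."""
    findings = []
    for path, text in sorted(files.items()):
        findings.extend(scan_text(path, text))
    return findings


def ci_exit_code(findings):
    """CI/CD integration: a non-zero exit fails the build if any rule fired."""
    return 1 if findings else 0


def main():
    findings = scan_repo(SAMPLE_REPO)
    for f in findings:
        print(f"{f['path']}:{f['line']} [{f['rule']}] {f['match']}")
    return ci_exit_code(findings)


if __name__ == "__main__":
    sys.exit(main())
```

Run against the sample, the scanner reports the AWS key, the high-entropy token, the internal hostname, the private key header and the project name, and exits 1; `src/app.py` alone yields nothing and exits 0. Note that the AWS placeholder key is caught by its `AKIA` prefix but scores only about 3.7 bits per character, below the entropy threshold, which is why format-aware regexes and the entropy heuristic complement rather than replace each other.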
The problem is that most of these tools only cover what you own on the development platforms, that is, your own accounts or repositories. So the question remains: how do you monitor these platforms for other common security problems such as PII leaks, secrets leaks, vulnerability identification and intellectual property leaks? There are many OSINT frameworks and reference materials, but few, if any, focus specifically on searching development platforms for these concerns. This outlines a clear gap in coverage within the security community: code sharing websites are a digital risk problem.
Development Platform Threat Model
If open source tools don’t offer a comprehensive solution, how do we address these risks?
No two organizational threat models are the same, but a convenient way to model threats for development platforms is to start by thinking like an attacker. What is usually at risk with code hosting platforms? If you were attacking your own organization, how could development platforms get you inside the network, or provide enough information to craft a targeted attack? Although you have identified GitHub, for example, as an asset, what is it about GitHub that makes you vulnerable? What can help you protect assets on GitHub, and where are your gaps in coverage? The table below, with three example assets, can be a reference point for identifying gaps in coverage in your own organization.
| Asset | Risk | Impact | Open Source Tools | Gap | ZeroFox Features |
|---|---|---|---|---|---|
| Intellectual property: repositories of the application | An engineer who has access to the code makes the repository public, or clones the repository and makes it public | If exposed, can be used by cybercriminals to attack the application, or used by a competitor | N/A | Yes: need to be able to search repositories for company names or project names to detect | GitHub & Bitbucket data source; Foxscript: Impersonation Detection; ZeroFox Onwatch: 24/7 coverage to escalate alerts |
| API keys, private keys, private or secret application information | Secrets exposure: these are leaked or added accidentally to development platforms as a backup | Attacker uses secrets to access the application or machines and then pivots throughout the infrastructure | Yes, for repositories that you own. See Appendix. | Yes: other public repositories that you do not own | GitHub & Bitbucket data source; Foxscript: Key & Secrets Exposure; Onwatch: 24/7 coverage to escalate alerts, with custom threat analysis or custom Foxscript rules |
| Organizational infrastructure such as servers, endpoints and networking equipment | A CVE is published and you need to prioritize patching. A PoC is published for educational purposes, through a leak, out of malice or out of researcher frustration | Attackers in the wild use the PoC to gain access to your infrastructure | N/A | Yes: need to scan a myriad of data sources, especially development platforms, to monitor for chatter | GitHub & Bitbucket data source; deep web, dark web & social data sources; Foxscript: CVE monitoring and PoC detection; Onwatch: 24/7 coverage to escalate alerts, with custom threat analysis or custom Foxscript rules |
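The first two rows of the table share one gap: public repositories you do not own. The following added example, written for this post and not ZeroFox or GitHub code, shows the defensive monitoring loop for that gap. It builds GitHub code-search queries for a set of project names (constructed), then triages a constructed response in the shape returned by the `https://api.github.com/search/code` endpoint (an assumption about the response format; no network call is made here), raising an alert only for hits that live outside the accounts the organization controls or has explicitly allowlisted.

```python
"""Constructed example: monitor public code search for internal project names
and alert on hits outside the organization's own accounts."""
import json
from urllib.parse import quote

# Assumption: the GitHub REST code-search endpoint. Only the URL is built here;
# a real monitor would add an Authorization header and page through results.
SEARCH_ENDPOINT = "https://api.github.com/search/code"

OWNED_ACCOUNTS = {"example-corp"}          # constructed: accounts we control
ALLOWLISTED_REPOS = {"partner-inc/docs"}   # constructed: known-benign mentions
WATCH_TERMS = ["Project Nightjar", "nightjar-build"]  # constructed dirty words


def build_search_url(term):
    """Quote the term so multi-word names are searched as an exact phrase."""
    query = f'"{term}" in:file'
    return f"{SEARCH_ENDPOINT}?q={quote(query)}&per_page=100"


def item(full_name, path):
    """Build one constructed search-result item in the API's shape."""
    owner = full_name.split("/")[0]
    return {
        "path": path,
        "html_url": f"https://github.com/{full_name}/blob/main/{path}",
        "repository": {"full_name": full_name, "owner": {"login": owner}},
    }


# Constructed response: one hit in our own repo, one in an allowlisted partner
# repo, and two in accounts we do not control.
SAMPLE_RESPONSE = json.dumps({
    "total_count": 4,
    "incomplete_results": False,
    "items": [
        item("example-corp/nightjar", "docs/design.md"),
        item("partner-inc/docs", "integrations/nightjar.md"),
        item("jdoe-personal/old-backups", "backup/notes.txt"),
        item("someone/nightjar-fork", "README.md"),
    ],
})


def triage(response_text, owned_accounts, allowlist):
    """Return alerts for hits outside owned accounts and the allowlist."""
    data = json.loads(response_text)
    alerts = []
    for hit in data.get("items", []):
        repo = hit["repository"]
        full_name = repo["full_name"]
        if repo["owner"]["login"] in owned_accounts:
            continue  # our own repository: covered by in-house scanning
        if full_name in allowlist:
            continue  # reviewed before and accepted
        alerts.append({
            "repo": full_name,
            "path": hit["path"],
            "url": hit["html_url"],
            "reason": "watch term found outside owned accounts",
        })
    return alerts


def main():
    for term in WATCH_TERMS:
        print("query:", build_search_url(term))
    for alert in triage(SAMPLE_RESPONSE, OWNED_ACCOUNTS, ALLOWLISTED_REPOS):
        print(f"ALERT {alert['repo']} {alert['path']} -> {alert['url']}")


if __name__ == "__main__":
    main()
```

On the constructed response the triage step suppresses the hit in `example-corp/nightjar` and the allowlisted partner repository and raises two alerts, one for a personal backup repository and one for an unrelated fork. The allowlist is what keeps a 24/7 monitor from re-escalating the same accepted finding every run.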
In Conclusion
Although securing development platforms is traditionally an AppSec responsibility, it should also be a concern for your security team and incident response capabilities. The open nature of the web allows people to publish whatever they have on their computer onto these platforms, so monitoring these platforms according to your threat model adds a layer to your organization's defense in depth strategy. ZeroFox dedicates itself to providing these capabilities with a cost effective approach: we integrate with the data source, help configure the platform for you, triage alerts for you and even create custom Foxscripts for your concerns. Reach out today for a demo!
Appendix
Here are other resources to learn more:
- https://github.com/ezekg/git-hound
- https://github.com/dxa4481/truffleHog
- https://github.com/guardian/dupin
- https://github.com/michenriksen/gitrob
- https://github.com/awslabs/git-secrets