BLOG

Security Teams Must Address Inherent Risk in Code Repositories

Security teams must get serious about monitoring risks and vulnerabilities within development platforms like Github.  In this blog post, we’ll dive into the current state of these development platforms, their inherent risk and how security teams can protect their organization against risks like intellectual property leakage, secrets exposure and vulnerabilities.

Background

Development platforms, like GitHub and Bitbucket, are a necessary tool for any modern organization that operates their business on the Internet. Whether your organization runs a number of open source tools or services, or you host your entire platform’s codebase on development platforms, these platforms are the go-to standard for software development.

While these platforms are great tools for development teams looking to collaborate, they also inadvertently introduce new security risks to organizations. For every integration of tools and code, you increase your risk exposure of sensitive company information, intellectual property or vulnerabilities. Build logs can accidentally expose API keys, Amazon keys are constantly mined by cybercriminals to launch crypto mining clusters and source code from major Mobile Apps or even major operating systems are at risk. Clearly, development platform security is not just a secure SDLC problem, but it also is a Security team problem.

Existing open source tools only get you so far

So what do we do about it? An obvious first step would be to look for open source solutions. For example, one common tool set in the security teams arsenal deals with secrets exposure.  Tools to automatically look at repositories and git projects have emerged, however they are limited in their capabilities. truffleHog and git-hound are two well known examples that take advantage of Github or Bitbucket APIs to search code (see other examples in the Appendix).

These tools cover a number of use cases that an attentive security engineer cares about:

  • Secrets inside committed code, such as private keys, API keys or internal domains
  • Regular expression plugins to find specific secrets, names or PII inside code
  • Detection of what I call Dirty Words, such as internal project names, that can result in an incident that exposes too much internal company information
  • CI/CD integration that fails a build if something is found or a rule is fired

The problem is that a lot of these tools only cover what you own on the development platforms, A.K.A. the accounts or repositories. So the question remains: how do you monitor these platforms for other common security problems such as PII leaks, secrets leaks, vulnerability identification and intellectual property leaks? There are a lot of OSINT frameworks and reference materials, but few, if any, focus specifically on searching development platforms for these concerns. This is important because it outlines a clear gap in coverage within the security community;  code sharing websites are a digital risk problem.

Development Platform Threat Model

If open source tools don’t offer a comprehensive solution, how do we address these risks?

No two organizational threat models are the same, but a convenient way to model threats for development platforms can start by thinking like an attacker. What is usually at risk with code hosting platforms? If you were attacking your own organization, how could development platforms get you inside the network, or provide you enough information to craft a targeted attack? Although you’ve identified Github, for example, as an asset, what is it about Github that makes you vulnerable? What can help you protect assets on Github, and where are your gaps in coverage? This table with 3 example assets can be a good reference point for your organization on identifying gaps in coverage.

In Conclusion

Although securing development platforms are traditionally an AppSec responsibility, they should also be a concern for your security team / incident response capabilities. The open nature of the web allows people to publish whatever they have on their computer onto these platforms, so making sure you can monitor these platforms according to your threat model helps provide a defense in depth strategy for your organization. ZeroFOX dedicates itself to providing these capabilities with a cost effective approach: we integrate with the data source, help configure the platform for you, triage alerts for you and even create custom Foxscripts for your concerns. Reach out today for a demo!

Appendix

Here are other resources to learn more:

  • https://github.com/ezekg/git-hound
  • https://github.com/dxa4481/truffleHog
  • https://github.com/guardian/dupin
  • https://github.com/michenriksen/gitrob
  • https://github.com/awslabs/git-secrets