Mornings With Mark

Exposing Secrets In Code

Information:

Synopsis

A recent study by NCSU found that there are way more API keys and tokens uploaded to GitHub than previously thought. In fact, there's a near-constant stream of secrets being exposed...why?!? It boils down to operational security. Automated build pipelines and access to cloud services amplify what your team is capable of, but moving faster without some smart guardrails can lead to these issues. The good news? The same tool sets that are exposing this lack of opsec can help address it. Automated checks for secrets, tools specifically designed to handle secrets, and education around these issues can reduce the likelihood of recurrence or prevent it from happening in the first place.

References:

The research paper from NCSU (PDF): https://www.ndss-symposium.org/wp-content/uploads/2019/02/ndss2019_04B-3_Meli_paper.pdf

Recent MongoDB issues via Brian Krebs: https://krebsonsecurity.com/tag/mongodb/
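As an added illustration of the "automated checks for secrets" mentioned above (example code written for this page, not from the episode or any particular tool), the scanner below combines the two approaches such checks usually take: matching provider-specific key formats, and flagging high-entropy values assigned to secret-looking names while skipping obvious placeholders. The sample config text is constructed; the AWS value is the documented example key, not a live credential.

```python
import math
import re

# Constructed sample of a config file committed by mistake (not a real secret;
# the AWS value is the documented example key).
SAMPLE = """\
db_host = "localhost"
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
api_token = "Zm9vYmFyYmF6cXV4MTIzNDU2Nzg5MGFiY2RlZg"
password = "<replace-me>"
log_level = "debug"
"""

# Provider-specific key formats: a fixed prefix plus a fixed-length body.
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
}
# Generic secret-looking assignments are judged by their entropy instead.
ASSIGNMENT = re.compile(
    r"(?i)\b(\w*(?:key|token|secret|password))\s*[:=]\s*['\"]([^'\"]+)['\"]")
PLACEHOLDER = re.compile(r"^<.*>$|^(x+|changeme|replace-me|todo)$", re.I)
ENTROPY_THRESHOLD = 3.5  # bits per character; random-looking strings score higher


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s."""
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)


def scan_for_secrets(text: str) -> list[tuple[int, str]]:
    """Return (line number, finding kind) for each suspected secret in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        kinds = [k for k, pat in KNOWN_PATTERNS.items() if pat.search(line)]
        if kinds:
            findings.extend((lineno, k) for k in kinds)
            continue  # a known format already explains this line
        m = ASSIGNMENT.search(line)
        if m and not PLACEHOLDER.match(m.group(2)) \
                and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
            findings.append((lineno, "high_entropy_" + m.group(1).lower()))
    return findings


if __name__ == "__main__":
    for lineno, kind in scan_for_secrets(SAMPLE):
        print(f"line {lineno}: possible {kind}")
```

Run as a pre-commit hook over staged files, this catches the AWS key and the random-looking token while leaving the placeholder and ordinary settings alone; the entropy threshold is the knob to tune against false positives in your own code base.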