How to Address Vulnerabilities in Microsoft GitHub Repositories


Microsoft’s acquisition of GitHub for $7.5 billion has raised questions within the developer community about the future of GitHub’s privacy and security, and some developers are already moving to other version control platforms such as GitLab. While Microsoft works to assuage these concerns, it is a good time to review the GitHub security risks that are not Microsoft’s responsibility at all. Past breaches have shown that a private GitHub repository is not a safe place for sensitive, confidential information like secrets: passwords, API keys, SSH keys and certificates. These credentials grant access to databases, cloud instances and privileged management consoles that hold an enterprise’s crown jewels.

The Uber breach disclosed in November 2017 is a high-profile example of secrets management gone wrong. Attackers stole the personal data of 57 million customers and drivers from Uber Technologies Inc. They gained access to Uber’s private GitHub repository and found code with embedded secrets. With those secrets they were able to move laterally from Uber’s development environment into its production Amazon Web Services (AWS) account, the same account the company used to process live data, which therefore held a great deal of sensitive customer information.

Uber almost certainly has sophisticated DevOps, yet the breach disclosed in 2017 was not the first time Uber was compromised through secrets in GitHub. In 2014, attackers used mishandled secrets found in GitHub to steal the personal data of 50,000 people. In the aftermath of that breach, the ridesharing company took legal action to compel GitHub to disclose which users had accessed the page where the secrets were exposed.

Uber is not alone. In the fall of 2017, while taking part in DJI’s bug bounty program, Kevin Finisterre found the private keys for the web domains of DJI, a Chinese drone manufacturer, along with AWS S3 keys, publicly available in GitHub. With that data an attacker could access drone flight log data and any images users had uploaded to DJI, including photos of government IDs, driver’s licenses and passports. Some of the exposed flight log data was associated with government and military domains. Ironically, the self-proclaimed “most lethal bounty hunter in the galaxy” found the keys to the kingdom in a repo called “skypixel_lottery.” Finisterre also reported that DJI had left some of its AWS S3 buckets open to the public, a common mistake. An open bucket is one way to let an attacker in; weak secrets management then lets them escalate privileges and steal further credentials to extend the breach.

Many of the publicly announced breaches hit companies that should know a thing or two about DevOps security. So what is going wrong? The shift from monolithic applications, static servers and long release cycles to the dynamic, fast-paced world of DevOps has drastically changed how software is developed and deployed. In the race to get to market first, however, many organizations have not properly re-evaluated how they approach DevOps security.

Developers now have more direct influence over security than ever before. In many organizations they can check code into repositories with little or no oversight from security teams, and as we saw, that code can contain access keys to production systems, for example secrets embedded in a configuration file. Sometimes it is as simple as accidentally committing your own personal key to the source code management system. Developers often believe that deleting the offending code solves the problem, but the secret remains in the repository history and in any clone or fork taken before the deletion; it has to be treated as compromised and rotated. TruffleHog is an open source tool that searches git repositories for secrets by digging through commit histories and branches.
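To make the history point concrete, here is a simplified scanner in the spirit of TruffleHog. It is an added example written for this page, not code from the original post or from the TruffleHog project. It walks `git log -p` output, examines only the lines a commit added, flags a documented credential format (the AWS access key ID prefix and PEM private key headers) as well as high-entropy base64 and hex strings, and tags each finding with the commit that introduced it. The sample history is constructed; the credentials in it are AWS’s published example values, and the entropy thresholds follow TruffleHog’s well-known defaults.

```python
"""Find secrets that survive in git history (added example, not TruffleHog)."""
import math
import re
from collections import Counter
from typing import Dict, List, Optional

# Documented credential formats. AWS access key IDs begin with "AKIA".
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z]+ )*PRIVATE KEY-----"),
}

# Entropy heuristics with TruffleHog-style defaults: candidates of at least
# 20 characters, 4.5 bits/char for base64-like strings, 3.0 bits/char for hex.
BASE64_TOKEN = re.compile(r"[A-Za-z0-9+/=]{20,}")
HEX_TOKEN = re.compile(r"[0-9a-fA-F]{20,}")
BASE64_THRESHOLD = 4.5
HEX_THRESHOLD = 3.0


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character under the string's own symbol frequencies."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_line(line: str) -> List[Dict[str, str]]:
    """Findings for one line of source: known formats first, then entropy."""
    findings: List[Dict[str, str]] = []
    seen = set()
    for kind, pattern in KNOWN_PATTERNS.items():
        for m in pattern.finditer(line):
            findings.append({"kind": kind, "value": m.group(0)})
            seen.add(m.group(0))
    for token in BASE64_TOKEN.findall(line):
        if token not in seen and shannon_entropy(token) > BASE64_THRESHOLD:
            findings.append({"kind": "high_entropy_base64", "value": token})
            seen.add(token)
    for token in HEX_TOKEN.findall(line):
        # Skip hex runs that are part of something already reported.
        if not any(token in v for v in seen) and shannon_entropy(token) > HEX_THRESHOLD:
            findings.append({"kind": "high_entropy_hex", "value": token})
            seen.add(token)
    return findings


def scan_history(log_patch: str) -> List[Dict[str, str]]:
    """Scan `git log -p` output. Only added lines can introduce a secret, so
    deletions are ignored: a key removed by a later commit is still reported
    from the commit that added it."""
    findings = []
    commit: Optional[str] = None
    for line in log_patch.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
            continue
        if not line.startswith("+") or line.startswith("+++"):
            continue  # '+++ b/file' is a diff header, not content
        for f in scan_line(line[1:]):
            f["commit"] = commit or "unknown"
            findings.append(f)
    return findings


# Constructed sample, newest commit first as `git log -p` prints it. The
# second (older) commit added AWS's published example keys; the first removed
# them again, which is exactly the "fix" that does not work.
SAMPLE_HISTORY = """\
commit 9b2e4c6d1f0a3e5b7c9d2f4a6b8c0d1e2f3a4b5c

    remove hardcoded AWS keys

diff --git a/upload.py b/upload.py
--- a/upload.py
+++ b/upload.py
@@ -1,3 +1,4 @@
-AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
-AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+import os
+AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_SECRET_ACCESS_KEY = os.environ["AWS_SECRET_ACCESS_KEY"]
 BUCKET = "skypixel-lottery-uploads"

commit 3f1c2a9e8b7d6c5f4a3b2c1d0e9f8a7b6c5d4e3f

    add S3 uploader

diff --git a/upload.py b/upload.py
--- /dev/null
+++ b/upload.py
@@ -0,0 +1,3 @@
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+BUCKET = "skypixel-lottery-uploads"
"""

if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY):  # print only a prefix, never the whole value
        print(f"{f['commit'][:12]}  {f['kind']:<20} {f['value'][:8]}...")
```

Run against a real repository with `git log -p --all | python scan_history.py` (reading stdin instead of `SAMPLE_HISTORY`). Both findings come back attributed to the older commit even though the newer one deleted the lines, and the bucket name is not flagged. The entropy heuristic is deliberately noisy: a SHA-256 digest checked into a lockfile will trip the hex rule, so treat the output as a triage list, not a verdict.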

No one should ever put secrets into GitHub or any other code repository. It does not matter whether the repository is public or private, or whether the secrets are encrypted: doing so widens your attack surface, because anyone who can read the code gains direct access to system or infrastructure credentials they may not be authorized to hold.

According to the Twelve-Factor App methodology, this is not only insecure but also bad application design, because it creates code dependencies on access tokens that are subject to change: developers must modify their code and rebuild their applications every time a secret is rotated. Securing your secrets with a centrally managed secrets provider such as CyberArk Conjur Open Source is a step in the right direction, because it handles credential rotation and access control for you. You can go a step further and remove the API calls to your secrets provider from application code altogether with Summon, an open source command-line tool maintained by CyberArk. Together they form a holistic secrets management approach that lets developers get out of the secrets management game while security teams provide security as a service.

If you are a developer, or you already have a secrets management solution, you may want to check out open source Summon first. Summon lets you replace every hard-coded secret or secrets-vault API call in your code with a plain environment variable. At runtime it fetches the secrets from the provider and injects them into the process’s environment without writing them to disk or exposing them in the code. This is not only more secure, but it also decouples the application code from the secrets management tool, making it easy to swap out providers.
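As an added illustration of the pattern Summon implements, written for this page rather than taken from the original post or from the Summon or Conjur projects: the application reads credentials only from its environment and fails fast when one is missing; a small launcher parses a `secrets.yml`-style mapping of environment variable names to vault paths, resolves them against a provider, and starts the application with those values in its environment only. The `secrets.yml` contents, the vault contents and the single-tag parser are constructed for the example (real Summon also accepts `!file` and `!str` entries and talks to pluggable providers), and the credential values are AWS’s published example keys.

```python
"""Twelve-factor secret handling with runtime injection (added example;
a stand-in for Summon, not the project's own code)."""
import os
import subprocess
import sys
from typing import Callable, Dict, List, Mapping

# Constructed secrets.yml: environment variable name -> vault path. It names
# where each secret lives, never the secret itself, so it is safe to commit.
SECRETS_YML = """\
# rotated by the security team; the application only knows the variable names
AWS_ACCESS_KEY_ID: !var prod/aws/access_key_id
AWS_SECRET_ACCESS_KEY: !var prod/aws/secret_access_key
DB_PASSWORD: !var prod/db/password
"""

# Constructed stand-in for a secrets provider such as Conjur. The AWS values
# are AWS's published example credentials, not real keys.
FAKE_VAULT = {
    "prod/aws/access_key_id": "AKIAIOSFODNN7EXAMPLE",
    "prod/aws/secret_access_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "prod/db/password": "correct-horse-battery-staple",
}


def parse_secrets_yml(text: str) -> Dict[str, str]:
    """Parse `NAME: !var path` lines into {env_var: vault_path}. Deliberately
    strict: an inline literal value is rejected instead of silently accepted."""
    mapping: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, rest = line.partition(":")
        tag, _, path = rest.strip().partition(" ")
        if not sep or not name.strip() or tag != "!var" or not path.strip():
            raise ValueError(f"secrets.yml line {lineno}: expected 'NAME: !var path'")
        mapping[name.strip()] = path.strip()
    return mapping


def resolve_secrets(mapping: Mapping[str, str],
                    provider: Callable[[str], str]) -> Dict[str, str]:
    """Fetch each referenced secret. Fail closed on a missing path and report
    the path and variable name, never a secret value."""
    resolved = {}
    for env_name, path in mapping.items():
        try:
            resolved[env_name] = provider(path)
        except KeyError:
            raise RuntimeError(f"no secret at '{path}' for {env_name}") from None
    return resolved


def run_with_secrets(command: List[str], secrets_yml: str,
                     provider: Callable[[str], str]) -> subprocess.CompletedProcess:
    """Launcher side (what Summon does): put the resolved secrets into the
    child's environment only. Nothing is written to disk or to the parent's env."""
    env = dict(os.environ)
    env.update(resolve_secrets(parse_secrets_yml(secrets_yml), provider))
    return subprocess.run(command, env=env, capture_output=True, text=True, check=True)


def load_required_env(names: List[str],
                      environ: Mapping[str, str] = os.environ) -> Dict[str, str]:
    """Application side: take credentials from the environment and fail fast,
    naming what is missing but never echoing a value."""
    missing = [n for n in names if not environ.get(n)]
    if missing:
        raise RuntimeError("missing required environment variables: " + ", ".join(missing))
    return {n: environ[n] for n in names}


def demo() -> bool:
    """Launch a child that checks its own environment; True if it saw the secret."""
    child = [sys.executable, "-c",
             "import os; print(os.environ.get('DB_PASSWORD') == 'correct-horse-battery-staple')"]
    result = run_with_secrets(child, SECRETS_YML, FAKE_VAULT.__getitem__)
    return result.stdout.strip() == "True"


if __name__ == "__main__":
    print("child saw injected secret:", demo())
```

The application code never imports a vault client and never learns a vault path; swapping providers means changing the launcher, not the application. With the real tool the launcher step is `summon -p <provider> <command>`, and `secrets.yml` is the file that lives in the repository.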

It’s easy to get started. Check out the CyberArk Conjur Open Source hosted tutorial for a tour of core secrets management concepts, such as storing and fetching secrets, machine authentication and authorization, and security policy as code.

If you get stuck or have any feedback on our open source tools, I would love to hear from you on Slack or reach out to me on Twitter @WalshSec.


The post How to Address Vulnerabilities in Microsoft GitHub Repositories appeared first on CyberArk.
