Secrets Leaks in GitHub Jump 67%
Welcome to the latest edition of Chainmail: Software Supply Chain Security News. Each week, Chainmail brings you the latest software supply chain security headlines from around the world, curated by the team at ReversingLabs.
This week: secrets leaks via open source code repositories jumped 67% in 2022, a new report from GitGuardian warns. And: Toyota web app spills sensitive data (again).
This Week’s Top Story
Report: Secrets Leaks In Code Jump 67%
Secrets sprawl is getting worse. Much worse. A new report from the firm GitGuardian found that instances of credentials and other sensitive information being ‘hard coded’ in public, open source code repositories jumped by 67% in 2022, posing a major risk to organizations across industries.
GitGuardian’s State of Secrets Sprawl 2023 report found that around 10% of developers using the GitHub open source repository in 2022 - 1.35 million of 13.3 million distinct authors - inadvertently exposed a secret.
Out of every 1,000 commits to GitHub, 5.5 exposed at least one secret. While that might not sound like a big deal, with more than 1 billion GitHub commits in the last year, even that small percentage adds up to a lot of spilled secrets. In all, GitGuardian said it detected 10 million new secrets in public GitHub commits in 2022, 3 million of them unique. Around 3.7% of the GitHub repositories that were active during 2022 leaked a secret - 2.27 million repositories in all.
Google API keys and RSA private keys were the largest distinct groups of leaked secrets, accounting for 9.7% and 6.4% of the total, respectively. Google Cloud keys (4.7%) and AWS keys (3%) were also among the specific secret detectors most often triggered at GitGuardian. However, generic secrets detectors, tuned to look for things like a company email and password hard-coded in a file, accounted for the majority (67%) of detections, GitGuardian said.
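To make the two detector categories the report distinguishes concrete, here is an added example (not GitGuardian's tooling or code) of a minimal commit scanner: format-specific detectors for AWS access key IDs, Google API keys and PEM RSA private-key headers, plus a generic credential-assignment heuristic, run over constructed diffs and summarized as leaks per 1,000 commits and the generic share of detections. The AKIA/AIza prefixes and PEM header are publicly documented formats; the generic pattern and the sample diffs are assumptions made up for this example.

```python
import re
from collections import Counter

# Format-specific detectors: these key formats are publicly documented
# (AWS access key ID = "AKIA" + 16 chars, Google API key = "AIza" + 35 chars).
SPECIFIC_DETECTORS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "rsa_private_key": re.compile(r"-----BEGIN RSA PRIVATE KEY-----"),
}
# Generic detector (heuristic of my own): a password/secret/token assignment
# with a non-trivial value, regardless of which service it belongs to.
GENERIC_DETECTORS = {
    "generic_credential": re.compile(
        r"""(?i)(password|passwd|secret|token)\s*[:=]\s*['"]?([^\s'"]{6,})"""),
}

def scan_commit(diff_text):
    """Return (detector, line_no) findings for the added lines of one diff."""
    findings = []
    for n, line in enumerate(diff_text.splitlines(), 1):
        if not line.startswith("+"):
            continue  # only newly added lines can introduce a secret
        for name, rx in {**SPECIFIC_DETECTORS, **GENERIC_DETECTORS}.items():
            if rx.search(line):
                findings.append((name, n))
    return findings

def summarize(commits):
    """Leak rate per 1,000 commits and specific/generic split, as in the report."""
    per_detector, leaking = Counter(), 0
    for diff in commits:
        found = scan_commit(diff)
        leaking += 1 if found else 0
        per_detector.update(name for name, _ in found)
    total = sum(per_detector.values())
    generic = sum(v for k, v in per_detector.items() if k in GENERIC_DETECTORS)
    return {
        "commits": len(commits),
        "leaking_per_1000": 1000.0 * leaking / len(commits),
        "generic_share": generic / total if total else 0.0,
        "per_detector": dict(per_detector),
    }

SAMPLE_COMMITS = [  # constructed diffs; the AWS value is AWS's documented example key
    '+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n+region = "us-east-1"',
    '+-----BEGIN RSA PRIVATE KEY-----\n+<key material elided in this constructed sample>',
    '+smtp_user = "ops@example.com"\n+smtp_password = "Hunter2Hunter2"',
    '+db:\n+  password: p4ssw0rd-dev',
    '+maps_key = "AIzaSyA1B2C3D4E5F6G7H8I9J0K1L2M3N4O5P6Q"',
    '-old = 1\n+new = 2',
]
```

Running `summarize(SAMPLE_COMMITS)` flags five of the six constructed commits; a real pipeline would run this over each push before it reaches a public remote.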
Leaked secrets played a role in high-profile attacks including Uber and CircleCI. They were also exposed inadvertently or following a security compromise in a number of other incidents involving high-profile firms including Samsung Electronics, Toyota Motor Corporation and Microsoft.
News Roundup
Here are the stories we’re paying attention to…
Just weeks after laying bare security flaws in a global supply chain management application used by Toyota, a security researcher exposed a similar breach in the company’s CRM (customer relationship management) application, and said he was able to obtain Toyota Motor Corporation customer data as a result. The security researcher Eaton Zveare on Monday disclosed that he broke into Toyota’s C360 CRM, a web application the automaker uses to manage customers in Mexico. As he had done with the company’s Global Supplier Preparation Information Management System (or “GSPIMS”), Zveare bypassed the corporate login screen by modifying the underlying application code and then accessed production data by modifying the application to use the production API instead of the development API. As it turned out, the production API that returned customer information was exposed via loading spinner settings and had no authentication. The customer data accessed included name, address, phone number, email address, tax ID, and vehicle/service/ownership history for an unknown number of Toyota customers residing in Mexico. (Eaton-Works.com)
More than a year after its discovery, the Log4Shell vulnerability in the open source Log4J library is the source of hundreds of thousands of attacks a day, but many organizations have yet to implement a patch for the vulnerability on their internal systems, Peter Klimek writes at The New Stack. So, while the worst predictions about CVE-2021-44228 didn’t come true, Log4J showed that “every organization has a software supply chain that can be rendered vulnerable.” (The New Stack)
Leading open source repository GitHub will start requiring active developers to enable two-factor authentication (2FA) on their accounts beginning next week, on March 13, the company said. The rollout will be gradual; once expanded to the company's entire user base, the 2FA enrollment requirement will help secure the accounts of more than 100 million users. (BleepingComputer)
German automaker BMW Group became the latest to find itself on the wrong end of cybersecurity researchers. According to Cybernews, its own researchers stumbled on unprotected environment (.env) and .git configuration files hosted on the official BMW Italy website. Environment files (.env), meant to be stored locally, included data on production and development environments.
The Cybernews researchers said that while this information is not enough on its own for threat actors to compromise the website, it could be used for reconnaissance, lead to a website compromise or point attackers towards customer information. (Cybernews)
Cybersecurity firm Palo Alto Networks published its 2023 State of Cloud-Native Security Report this week. The global survey of more than 2,500 C-level executives is focused on understanding enterprise cloud and cloud-native adoption. The report finds that organizations have increased cloud use by more than 25% from the year prior. And while adopters cited risk mitigation as a driver for cloud adoption, the survey also revealed that cloud adoption brings risks with it. In the survey, 90% of organizations said they could not detect, contain, and resolve cyber threats within an hour, while 32% of respondents reported that a lack of visibility into vulnerabilities across cloud resources led to a security incident. (Forbes)
Dynamic Application Security Testing (DAST) was revolutionary technology a decade ago. But these days, it may have outlived its usefulness, Sandesh Mysore Anand writes over at the Boring Appsec newsletter. “What were once advantages for DAST tools, are now liabilities,” Anand writes. “This is not because DAST tools have degraded over time, but because the way we built software has changed.”
Specifically, he calls out the migration to continuous integration/continuous delivery (CI/CD) methodologies, where the time required for DAST scanning can “dramatically (reduce) the pace of development.” The embrace of microservices also diminishes DAST’s value proposition: “If your software is built using Microservices, it’s hard to find anything outside of low-hanging fruit (e.g.: missing headers) with high confidence using DAST.” Read the rest of his analysis over at the Boring AppSec substack. (Boring AppSec)
Resource Roundup
Secrets hardcoded or exposed in software release packages or containers (whether by accident or intentionally) are a challenge all development teams face – and a boon for cybercriminals with automated means to find them and gain access for supply chain attacks. Learn which secure software development best practices to put in place today to stop attacks from happening tomorrow. Register now.
Join the experts at ReversingLabs, the leading provider of threat intelligence and software supply chain security, as they cover the details of the CircleCI hack, the lessons we are learning from the attack chain, and what organizations of all sizes can do to address this growing attack surface. Watch it now.
Bringing it back to the basics: AppSec expert Matt Rose defines what secrets are, such as API keys, database passwords, encryption keys, and more.
Co-founder, Seezo.io. Helping companies scale security design reviews.
Thanks for featuring Boring AppSec. I enjoy reading your newsletter!