How Vulnerabilities Hidden in Source Code Lead to Major Breaches
The year 2021 can be regarded as the recording-breaking year for cyber-attacks. It was a busy year for cybersecurity professionals around the world. Almost 18,000 customers have been exposed to significant threat attacks, including large government agencies. In 2021, organizations witnessed a dramatic increase in these cyber-attacks. Major high-profile security incidents such as Codecov, Kaseya, and SolarWinds data breaches have shocked the world. Attackers manipulate the code in third-party software components to exploit the ‘downstream’ applications that utilize them in a software supply chain attack.
According to the Check Point Research report, data breaches increased 50 percent year over year, with each company exposed to 925 cyber-attacks per week globally. As per the stats, in 2021, the business experienced 50 percent more attacks per week than it did in 2020. Exposed secrets in source code will certainly pose a risk to you, your team, and your entire company. Any data that is sensitive to an enterprise or individual or something else that should not expose publicly. It might be anything like a credit card number, password, an access key, an API token, certificates, private keys, etc.
Modern applications are designed from thousands of components such as cloud infrastructure, independent microservices, databases, and much more. Furthermore, different authentication techniques and keys are utilized between application components to allow all parts to interact securely.
Useful link: All You Need to Know About Ransomware as a Service (RaaS)
For instance, a database password may be necessary for a microservice to query for critical data or may need an API key to connect with a third-party service. You can guess the thousands of secrets that a complex business application might include. However, all these passwords, keys, and tokens are secrets. To prevent a malevolent third party from compromising our sensitive data and secure connections, we must keep them private.
This post will explore what secrets are, what secure coding is, and how millions of secrets are pushed to GitHub.
What are secrets?
Secrets are nothing but digital authentication credentials like OAuth tokens, API keys, certificates, passwords, and encryption keys that uses in services, infrastructure, and applications. These keys are needed for one application service to authenticate another to enable interoperability. Without these secrets, it is hard enough to communicate from one service to another service without faith and trust.
In this modern software world, secrets are a necessity. The personal issue is that nefarious users can detect them if left in the program code. In 2019, almost half of all breaches were revealed to cause by the misuse of credentials frequently left inside code. And when these secret credentials are on GitHub or other cloud-based code repositories, they are vulnerable to unauthorized access.
This is common when threat actors (ethical or not) discover publicly available keys on GitHub. What is the reason for this? Because the keys are left in the code, which is later published to the public repositories.
Software engineering teams must link an increasing number of building blocks to keep delivering new features. As a result, the number of credentials in use across several teams (DevOps, SRE, development squad, security, etc.) is rapidly increasing. To make it easier to alter the code, developers sometimes retain keys in an unsecured area. However, this frequently leads to the information being forgotten and unwittingly disclosed.
Hardcoded secrets are a unique form of vulnerability in the application security landscape. First, because source code is a leaky asset that is constantly cloned, checked out, and forked on numerous machines frequently, secrets are also leaking. But, more importantly, don’t forget that code has a memory of its own.
Any codebase is controlled by a version control system (VCS), which keeps track of all the changes made to it throughout the years, sometimes over decades also. The concern is that still-valid secrets could be buried anywhere in this timeframe, giving the attack surface a new dimension. Unfortunately, most security studies are performed on a codebase’s current position and ready-to-deploy condition. In other words, these technologies are completely blind when it comes to credentials stored in an old commit or even a never-deployed branch.
Useful link: Top Security Techniques to Protect Internet of Things Infrastructure
What is secure coding?
Secure coding, often known as secure programming, encompasses writing rigorous code to guard against potential security flaws. Data breaches can potentially leak data or harm the system in other ways. However, on the other hand, securing code isn’t only about creating good code. Securing coding need to be created in a secure environment and on a secure platform. Of course, in the age of cloud computing, all services, including platforms and software must be properly configured to avoid security breaches.
How millions of secrets pushed to GitHub
The previous year, GitGuardian discovered more than 6 million exposed credentials by monitoring contributions published to GitHub in real-time, more than double digits from 2020. A secret was found in three out of every 1,000 commits, up 50% from the last year.
The significant share of those credentials was allowing access to corporate resources. So, it’s no surprise that a threat hero attempting to acquire access to a corporate system would look first at its public GitHub repositories, followed by those owned by its workers. Most developers run GitHub for personal projects, and organization credentials can leak accidentally. (Yes, it happens frequently!).
With authentic organization credentials, threat actors can act as authorized users, making it hard to identify abuse. Because it only takes 4 seconds for a credential to be compromised after being published to GitHub, it should be revoked and cycled right away to avoid being penetrated. Out of guilt or a lack of technical expertise, we can witness why people often choose the wrong direction to get out of this dilemma.
Another major mistake made by organizations is to accept the presence of secrets in non-public repositories. The State of Secrets Sprawl report from GitGuardian highlights that private repository have far more credentials than their public counterparts. The theory is that private repositories provide their owners a false sense of security, causing them to be less concerned about hidden secrets in the codebase.
That’s ignoring the risk that these long-forgotten credentials could one day be exploited by hackers, resulting in catastrophic consequences.
The problem is well-known among application security teams. However, the amount of work required to examine, revoke, and rotate the secrets committed each week or search through years of unexplored areas is vast.
Useful link: How small businesses can fend off cyber attacks
Conclusion
Secrets are an essential part of any software stack, and since they are so powerful, they must be well-protected. Unfortunately, it’s challenging to manage where they end up, whether source code, production logs, Docker images, or instant messaging apps, due to their distributed nature and modern software development processes.
Because even secrets can be exploited in an assault leading to a significant breach, a secret detection and remediation capability is necessary. Such instances occur every week, and as more services and infrastructure are employed in the company, the number of leaks is rapidly increasing. If you take earlier action, it will be easy to protect the source code against future attacks.
Once your secrets are exposed in public repositories, your company may find itself in a situation where a hacker has exploited those credentials to obtain access to your network or a third-party account connected to your company. In the worst-case scenario, that hacker could sell that information, giving access to your data to an unknown number of ne’er do wells.
Numerous attacks highlight the importance of partnering with a security firm like StealthLabs. Before embarking on the password-free direction, our security experts will assist you in addressing critical issues.
So, contact StealthLabs to strengthen your organization.
Additional Resources: