are code repositories a source of risk?
are code repositories a source of risk?

Are Code Repositories a Source of Risk?

This infographic presents the risks your company faces when using code repositories.Passwords and API key leaks lead to loss of data integrity, financial losses, and the risk that even more confidential information subsequently leaks. Learn more on how to mitigate these sources of risks below.

Are Code Repositories a Source of Risk?

Learn more about our solution

Are code repositories a source of risk?

As a matter of fact, yes. Academics scanned Github to identify programmers who had published their passwords or API keys publicly, proving code repositories can be a major threat to your organization.

To do so, they analyzed over 2 billion files from 3 million code repositories between November 2017 and April 2018 (6 months).

They found 200,000 passwords or API keys. 42% were Google API keys, 24% were Google OAUTH ID and 18% were RSA Private keys.

There are 3 types of risks that result from these leaks, all of which can be harmful to your company:

  1. Monetary losses
  2. Leak of confidential information
  3. Loss of data integrity

How long does it take to mitigate this risk?

Many companies do not realize that their passwords or API keys have leaked online for months. The researchers demonstrated that:
  • 6% of all passwords and API keys are removed with an hour.
  • 12% of all passwords and API keys are removed within a day (includes previous).
  • 19% of all passwords and API keys are removed after 16 days (includes previous).
  • 81% were never removed after 6 months.

Repository leaks: a case study

On October 17, 2019, a researcher found that a software developer for a large coffee chain had published the private keys that allowed malicious actors to connect to the user management service of the company. Using this information, malicious actors could have manipulated who would access to systems and information across all of the companies’ infrastructure. The information was published on Github and remained online for at least 4 days before the keys were revoked, potentially exposing corporate servers and the data at the 21,000 stores of the chain.


Flare System's solution for repository leaks

Flare Systems protects your organization against leaked passwords and APIs on code repositories.

Specifically, our Firework product works to:

  • Monitor in real-time all of the code published on code repositories.
  • Use detection algorithms for known passwords and API keys patterns as well as customer-specified queries to identify leaks.
  • Alert the customer in real-time by email of any leak so they can change the password, revoke the API keys.
  • Enable companies to detect and mitigate risk less than an hour after a leak.

Interested in learning more about Firework?

Comments are closed.