In July, more than 50 international companies suffered a source code leak due to software development misconfigurations in DevOps applications, Bleeping Computer writes. The businesses operated in various industries, including technology, financial services, retail, entertainment, and manufacturing, and may have also been used as third-party attack sources for their business partners. According to the researcher who detected the leak, some companies were more interested in how the code was obtained, rather than actually removing it from public repositories.
This was not the only incident involving technical leakage on a repository hub this year. Earlier in January, a researcher detected leaked source code, API keys, and credentials from a Canadian communications and media company. In a statement, the company claimed the code was outdated, therefore not posing a significant threat to itself or customers. Some may disagree, however, as the code could be used to detect vulnerabilities in products already running it.
At an increasing rate compared to the previous year, unsecured cloud storage and misconfiguration errors were among top causes for breaches across all industries in 2019, according to Verizon’s 2020 Data Breach Investigations Report. This finding is likely the result of companies doing a better job reporting them, believes a senior information security data scientist at Verizon Enterprise.
A 2019 academic report published by the North Carolina State University (NCSU) found that more than 100,000 repositories had leaked API and cryptographic keys. Additionally, it also found that “thousands of new keys are leaked daily and that the majority of leaked secrets remain available for weeks or longer.” The team found that “committing cryptographic key files and API keys embedded directly in code are the main causes of leakage” on GitHub.
What can you learn from these leaks?
Technical leakage can include blueprints, product information, and API and cryptographic keys, among others. It is usually accidental, because security practices are overlooked by staff operating in Git-based environments. In-house developers or contractors may work with different open-source tools and mistakenly publish code on external repositories, such as GitHub or GitLab, cloud-based platforms, or support forums such as Stack Overflow.
A popular platform for software engineering research, GitHub has been known for key and password leakage since 2013. Unfortunately, if technical secrets are leaked, companies may not know who, if anyone, has already accessed them.
As mentioned earlier, these leaks can happen to businesses large or small, and they are more common than expected. Rather than shaming anyone, it is more important how you react as a company. To reduce impact, these leaks must be identified as soon as possible, without compromising the software development process. Reality, however, confirms they can go undetected for a long time before identified.
Companies that have more manpower have developed their own tools to try and detect code leaks in real-time. The problem is cyber threat intelligence teams (CTI) might spend too much time on manual data collection and analysis, which leaves little time for actual remediation. The longer it takes to detect technical leakage, the greater impact it will have on business operations, customer trust, and brand reputation. Not to mention the negative media attention and even lawsuits, if your brand is more famous than others.
The major security challenge is that companies lack external visibility over the actual exposure of their digital slip-ups. If left undetected on publicly available platforms, these could jeopardize your intellectual property and lead to financial and credibility damage. Technical leakage could also give malicious actors an advantage, as they would gain access to secret information about your infrastructure and configuration. Internal security teams cannot always manage this by themselves, so they need a helping hand. Proactive defense mechanisms involve transparency and enhanced coverage of digital risks such as technical leakage.
