Source Code Leaks Often Go Undetected
If your organization develops or works with custom software applications, you may be at risk of secrets or source code being accidentally committed and thereby leaked to one or more of the 29 million GitHub repositories. Modern development teams are often hybrid, combining full-time in-house employees with large numbers of outside contractors. While this dramatically increases productivity and lets organizations fill talent gaps with part-time hires, it can also expose companies to the significant risk of technical data leaks.
In one study by the University of North Carolina, more than 200,000 passwords and API keys were found published on GitHub, with more than 80% remaining available for the entire 6-month period of the study. Leaks of this kind can quickly be picked up by malicious actors and used to compromise organizations, or simply sold on the dark web.
Prevent hackers from accessing your information
Monitoring the many development applications in use for source code, passwords, API keys, and other types of technical leakage can be extremely challenging. Prioritizing data leaks is difficult, and a lack of visibility can create a situation where every potential leak must be treated as a potential data breach.
In addition, malicious actors routinely scan GitHub for secrets, API keys, and other valuable information. If a malicious actor catches a leak first, they can sell the ill-gotten information on the dark web or use it to compromise your organization.
Organizations that do not rely heavily on custom source code still have cause for concern. There are numerous instances of employees contributing directly to open source projects while using organizational assets. When commits are made from these assets, sensitive metadata is often included in config, build, and log files: internal usernames, asset names, IP addresses, and domain names are frequently found in these inadvertent data leaks.
Source Code & GitHub Monitoring for your Organization
Firework can automatically scan GitHub and detect whether source code, secrets, API keys, or other sensitive information has been accidentally leaked. This dramatically simplifies detecting and remediating technical data leakage, without the need to run periodic manual scans.
Firework provides capabilities that are much more powerful than the basic search available on the GitHub website or through its API. First, we monitor GitHub’s live feed for any commit made by an email address matching a domain or person identifier. Second, we detect secrets leaked on GitHub and, when one is found, we search that specific repository for mentions of a domain or keyword identifier. In both cases, an alert is sent only when we find both a secret and a relation to an organization.
This combination provides stronger coverage for code leaks, and we intend to keep improving these capabilities over the next few months.
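The following Python sketch is an added illustration of the two-part logic described above, and of the metadata leakage (internal hostnames, private IP addresses) mentioned earlier on this page. It is not Firework's code: the watched domain, the keywords, the secret patterns and the three commit events are constructed placeholders, and each event's `files` dict stands in for the content of the repository that would be searched after a secret is found.

```python
import re
from ipaddress import ip_address

# Constructed watch list tying a finding back to an organization (placeholders).
WATCHED_DOMAINS = {"example-corp.com"}
WATCHED_KEYWORDS = {"example-corp"}

# Secret patterns. The AWS access key ID format and PEM private-key headers are
# publicly documented; the generic assignment pattern is a broad heuristic.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|password|token)\b\s*[:=]\s*['\"]?[A-Za-z0-9_\-/+=]{16,}"
    ),
}

HOSTNAME_RE = re.compile(r"\b[a-z0-9][a-z0-9-]*(?:\.[a-z0-9-]+)+\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def find_secrets(text):
    """Return (pattern name, matched text) for every secret-looking string."""
    return [(name, m.group(0)) for name, pat in SECRET_PATTERNS.items() for m in pat.finditer(text)]


def find_internal_metadata(text):
    """Internal asset names and addresses that should not appear in a public repo."""
    found = set()
    for m in HOSTNAME_RE.finditer(text):
        host = m.group(0).lower()
        if any(host.endswith("." + d) for d in WATCHED_DOMAINS):
            found.add(f"internal-host:{host}")
    for m in IPV4_RE.finditer(text):
        try:
            ip = ip_address(m.group(0))
        except ValueError:
            continue  # e.g. 999.1.1.1 is not an address
        if ip.is_private:
            found.add(f"private-ip:{ip}")
    return found


def find_org_links(text, author_email):
    """Evidence that relates this content to the watched organization."""
    links = set()
    domain = author_email.rsplit("@", 1)[-1].lower() if "@" in author_email else ""
    if domain in WATCHED_DOMAINS:
        links.add(f"author-domain:{domain}")
    lower = text.lower()
    for kw in WATCHED_KEYWORDS:
        if kw in lower:
            links.add(f"keyword:{kw}")
    return links


def evaluate_commit(event):
    """Alert only when a secret AND a relation to the organization are both present."""
    text = "\n".join(event["files"].values())
    secrets = find_secrets(text)
    metadata = find_internal_metadata(text)
    org_links = find_org_links(text, event.get("author_email", ""))
    org_links |= {m for m in metadata if m.startswith("internal-host:")}
    return {
        "repo": event["repo"],
        "secrets": secrets,
        "org_links": sorted(org_links),
        "metadata": sorted(metadata),
        "alert": bool(secrets) and bool(org_links),
    }


def triage(events):
    return [evaluate_commit(e) for e in events]


# Constructed commit events; the AWS key is the documented example value, not a real key.
SAMPLE_EVENTS = [
    {   # Watched-domain author pushes a key: secret + org link -> alert.
        "repo": "contractor/build-tools",
        "author_email": "dev@example-corp.com",
        "files": {"deploy/config.yml": "aws_access_key_id: AKIAIOSFODNN7EXAMPLE\nregion: us-east-1\n"},
    },
    {   # Secret in an unrelated repo with no organization linkage: no alert.
        "repo": "someone/hobby",
        "author_email": "someone@mail.example",
        "files": {".env": "API_KEY=abcdefghijklmnopqrstuvwxyz123456\n"},
    },
    {   # No secret, but a build log exposes an internal host and address: finding, no alert.
        "repo": "someone/oss-lib",
        "author_email": "someone@mail.example",
        "files": {"build.log": "Built on buildbox01.example-corp.com (10.20.30.40) by jdoe\n"},
    },
]

if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        print(r["repo"], "ALERT" if r["alert"] else "no alert", r["secrets"], r["org_links"], r["metadata"])
```

The third event shows why the two signals are kept separate: internal metadata in a log file is worth reporting for cleanup, but without a secret it does not meet the alert threshold, which keeps the queue from filling with low-priority findings.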
Many organizations focus their efforts on protecting sensitive data and meeting compliance requirements. However, a source code leak can just as easily compromise an organization. Flare lets you monitor online code repositories for accidentally leaked information.
Proactively Prevent Code Leaks
Quickly Identify Source Code Leaks
Firework lets you monitor GitHub and identify source code and other technical data leaks.
Reduce mean time to remediation and stay on top of GitHub environments.
Work with Confidence
Firework’s continuous monitoring enables your development team to work with confidence that sensitive data is being correctly handled.