Sign up to save your podcasts
Or
Share Leaked Secrets in Code Repositories
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Leaked Secrets in Code Repositories
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-leaked-secrets-in-code-repositories/)
Secrets, such as passwords and credentials, are out in the open just sitting there in code repositories. Why do these secrets even exist in public? What's their danger? And how can they be found and removed?
Check out this post for the basis for our conversation on this week's episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our sponsored guest is Jérémy Thomas, CEO, GitGuardian.
Thanks to this week's podcast sponsor GitGuardian.
GitGuardian empowers organizations to secure their secrets - such as API keys and other credentials - from being exposed in compromised places or leaked publicly. GitGuardian offers a threat intelligence solution focused on detecting secrets leaked on public GitHub and an automated secrets detection solution which tightly integrates with your DevOps pipeline.
On this episode of Defense in Depth, you'll learn:
- Putting passwords and other credential information inside of code simply happens. It is done by developers for purposes of efficiency, laziness, or simply forgot to take it out.
- Given that exposing secrets is done by developers, these secrets appear in code everywhere, most notably in public code repositories like GitHub.
- Exposed credentials can appear in SIEMS as it's being exported from the developers' code.
- There is a shared responsibility model and cloud providers do have some ability to scan code, but ultimately code you put in your programs is your responsibility.
- Scanning public code repositories should be your first step. You don't want to be adding code that has known issues.
- Next step is to scan your own code and get alerts if your developers are adding secrets (wittingly or unwittingly) in their code. If you alert in real-time, it fits naturally within the DevOps pipeline and they will improve their secure coding skills.
- Another option to deal with exposed secrets is to sidestep the problem completely and put in additional layers of security, most notably multi-factor authentication (MFA). A great idea, and yes, you should definitely include this very secure step, but it doesn't eliminate the problem. There are far too many authentication layers (many automated) for you to put MFA on everything. There will always be many moments of exposure.
View all episodes
By David Spark, Steve Zalewski, Geoff Belknap
4.8
7373 ratings
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-leaked-secrets-in-code-repositories/)
Secrets, such as passwords and credentials, are out in the open just sitting there in code repositories. Why do these secrets even exist in public? What's their danger? And how can they be found and removed?
Check out this post for the basis for our conversation on this week's episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our sponsored guest is Jérémy Thomas, CEO, GitGuardian.
Thanks to this week's podcast sponsor GitGuardian.
GitGuardian empowers organizations to secure their secrets - such as API keys and other credentials - from being exposed in compromised places or leaked publicly. GitGuardian offers a threat intelligence solution focused on detecting secrets leaked on public GitHub and an automated secrets detection solution which tightly integrates with your DevOps pipeline.
On this episode of Defense in Depth, you'll learn:
- Putting passwords and other credential information inside of code simply happens. It is done by developers for purposes of efficiency, laziness, or simply forgot to take it out.
- Given that exposing secrets is done by developers, these secrets appear in code everywhere, most notably in public code repositories like GitHub.
- Exposed credentials can appear in SIEMS as it's being exported from the developers' code.
- There is a shared responsibility model and cloud providers do have some ability to scan code, but ultimately code you put in your programs is your responsibility.
- Scanning public code repositories should be your first step. You don't want to be adding code that has known issues.
- Next step is to scan your own code and get alerts if your developers are adding secrets (wittingly or unwittingly) in their code. If you alert in real-time, it fits naturally within the DevOps pipeline and they will improve their secure coding skills.
- Another option to deal with exposed secrets is to sidestep the problem completely and put in additional layers of security, most notably multi-factor authentication (MFA). A great idea, and yes, you should definitely include this very secure step, but it doesn't eliminate the problem. There are far too many authentication layers (many automated) for you to put MFA on everything. There will always be many moments of exposure.
More shows like Defense in Depth
View all
Hacked
187 Listeners
Security Now (Audio)
2,008 Listeners
Defensive Security Podcast - Malware, Hacking, Cyber Security & Infosec
372 Listeners
Risky Business
371 Listeners
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
651 Listeners
CyberWire Daily
1,021 Listeners
Smashing Security
319 Listeners
Click Here
416 Listeners
Darknet Diaries
8,062 Listeners
Cybersecurity Today
179 Listeners
Hacking Humans
315 Listeners
CISO Series Podcast
188 Listeners
Cyber Security Headlines
139 Listeners
Risky Bulletin
44 Listeners
Hacker And The Fed
168 Listeners