This discussion focuses on the threat of secret sprawl inside git at two levels: first, corporate secrets leaked inside public repositories (both personal and professional public git repos), and second, secrets inside private repositories and the threat that they create.

Why do secrets and credentials leak inside git?

David Dos Neves - Munich Re: "Human error is nothing you can avoid and prevent, especially if it is not an error but just laziness, or even provoked. Implement a risk-based approach and simply add many layers to prevent it in your whole lifecycle."

This quote from David captures a lot of what shaped the discussion around secrets inside git repositories. It is not just about technology; there is also a human component. Automation around preventative and protective measures is key, but so is training.

Allan Alford - The vast majority of leaked credentials are mistakes and do not come from malicious intent.

While it was agreed that calling it laziness or provocation is not ideal, the quote highlights the human aspect of the topic. The reality, of course, is that there are a million and one reasons credentials get leaked. Hardcoding credentials can be a temporary solution that ends up becoming permanent; sometimes developers don't realize the repo is public, sometimes the developers are new, and sometimes it's a test that was forgotten about.

2023 Update: check out the SecurityZine about secrets in git repositories to get a better grasp of why it's such a problem.

Roland Gharfine - Security Consultant: "Your process needs to protect your employees from their own mistakes by design."

Jeremy Thomas - At GitGuardian, we observe many counterintuitive facts about leaked secrets. First and foremost, most leaks concerning corporate credentials actually happen on personal GitHub accounts. Personal public GitHub accounts are a place where companies have no authority to enforce any kind of preventive security measures. So we must assume that mistakes will happen; the question then becomes how we deal with them. Training is part of the answer and technology is part of the answer. Technology must be used to automate what can be automated.

Allan Alford - Generally speaking, in a lot of environments, if your API key or credential is exposed, that's it: an attacker has access to that system.

If (or when) secrets are leaked in GitHub, what protection layers can be implemented?

Edward Ziots - Aquanima: "There is no one solution to solve this problem."
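One concrete form of the "automate what can be automated" layer raised in the discussion is a pre-commit check that scans staged changes for credentials before they ever reach a remote. The following is an added illustration written for this page; it is not code from GitGuardian, the panelists, or the original post. The detector patterns, the entropy threshold, and the sample diff are all constructed for the demo (the AWS key shown is AWS's documented placeholder, not a live credential), and a real scanner would carry a far larger, versioned pattern set.

```python
"""Minimal staged-diff secret scanner in the spirit of a pre-commit hook.
Added example for this page, not a panelist's or GitGuardian's code.
Patterns, threshold and sample diff are assumptions chosen for the demo."""
import math
import re
import subprocess
import sys

# Known-format credentials: cheap to match and low false-positive rate.
# Constructed subset; production scanners maintain far longer lists.
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Generic case: a secret-looking variable assigned a long token.
# No leading \b, so "db_password" still matches on "password".
ASSIGNMENT = re.compile(
    r"(?i)(?:password|passwd|secret|token|api[_-]?key)\s*[:=]\s*"
    r"['\"]?([A-Za-z0-9+/=_\-]{16,})"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cut-off for the demo


def shannon_entropy(s):
    """Shannon entropy in bits per character of the string s."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_diff(diff_text):
    """Return (line_no, rule, token) for each added line that looks like a secret.

    Only '+' lines are inspected, so a commit that *removes* a leaked
    credential never trips the hook; '+++' file headers are skipped."""
    findings = []
    for line_no, line in enumerate(diff_text.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        body = line[1:]
        for name, pat in KNOWN_PATTERNS.items():
            for m in pat.finditer(body):
                findings.append((line_no, name, m.group(0)))
        for m in ASSIGNMENT.finditer(body):
            token = m.group(1)
            # Entropy filter drops obvious placeholders such as
            # "placeholder_value_here" while keeping real-looking secrets.
            if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                findings.append((line_no, "high_entropy_assignment", token))
    return findings


# Constructed sample diff: one documented AWS example key, one realistic
# password, one harmless setting, one low-entropy placeholder.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
+++ b/config.py
@@ -1,3 +1,5 @@
-AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+db_password = "s3cr3t-Pa55w0rd-x9Q2"
+LOG_LEVEL = "DEBUG"
+api_key = "placeholder_value_here"
"""


if __name__ == "__main__":
    # As a pre-commit hook: scan what is staged; fall back to the sample
    # diff when not run inside a git repository.
    try:
        diff = subprocess.run(
            ["git", "diff", "--cached", "-U0"],
            capture_output=True, text=True, check=True).stdout or SAMPLE_DIFF
    except (OSError, subprocess.CalledProcessError):
        diff = SAMPLE_DIFF
    hits = scan_diff(diff)
    for line_no, rule, token in hits:
        print(f"line {line_no}: {rule}: {token[:6]}...")
    # Non-zero exit blocks the commit when installed as .git/hooks/pre-commit.
    sys.exit(1 if hits else 0)
```

Run against the sample diff, the scanner flags the AWS key on line 5 and the high-entropy password on line 6, while the DEBUG setting and the placeholder assignment pass. Installed as `.git/hooks/pre-commit` (or wired into a pre-commit framework), the non-zero exit blocks the commit; the removed `-` line shows why scanning only added lines matters, since a fix that deletes a leaked key must not be rejected by the same hook.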