Security

Source Code Repositories and Mishandled Secrets

J.D. Morris
September 14, 2020
4 min read

As the DevOps revolution continues to sweep across the IT landscape, source code repositories have become a prominent resource for most organizations. They provide a centralized place to track, document and collaborate on changes to applications and are a critical component of modern continuous integration/continuous delivery (CI/CD) workflows. The automation of the technology stack necessary to support an application is a key facet of the DevOps model and the Infrastructure as Code (IaC) paradigm has extended the usefulness of DevOps and source code repositories to “traditional” operations and systems administration teams. As such, most source code repositories now contain not just application source code, but configuration files and scripts used with automation tools like Ansible, Puppet, CloudFormation, Terraform, etc. 

While the DevOps model and the increased usage of source code repositories have enormous benefits, they also introduce risks. The accidental exposure of secrets in public source code repositories (e.g., GitHub, BitBucket, etc.) is a well-publicized issue. Over the past six months, Protiviti’s Attack and Penetration testing team, while performing open-source intelligence (OSINT) gathering, has identified publicly available secrets for multiple clients, including a Fortune 100 organization. In one instance, valid credentials were exposed on GitHub for over two years. Despite increased awareness of this issue and the various tools and services available to monitor and prevent the public leaking of secrets, it continues to pose a significant risk. Secrets, in most cases, are not only passwords, API keys and other credential material, but also sensitive information about an organization’s applications, infrastructure and operations, which can be incredibly useful to threat actors. 

Significant attention should certainly be paid to publicly leaked secrets and information however, organizations should also be aware of the risks posed by internal source code repositories. During recent engagements, Protiviti’s Attack and Penetration testing team has leveraged secrets within internal source code repositories to compromise Active Directory, gain unauthorized access to credit card numbers and personally identifiable information (PII), and escalate privileges within cloud environments. There are two major factors contributing to this trend: 

1.       The assumption that the internal network is a trusted zone.

Organizations continue to use both an internal and external model when thinking about their technology environments and spend significant information security capital on securing a distinct and well-defined edge between those environments. While perimeter firewalls, proxies, etc. are certainly important, the edge has been blurry for well over a decade, particularly since organizations started heavily relying on virtual private networks (VPNs) to connect with remote workers, vendors, subsidiaries, etc. Now, with the widespread integration of public cloud services and a global pandemic driving a massive increase in the number of remote workers, the traditional edge simply no longer exists. It is dangerous for any organization to assume that an outsider or insider threat will not be able to operate on the internal network or gain access to an unsecured internal resource.

2. Organizations are integrating DevOps but not DevSecOps.

Despite all of the DevOps benefits, it does not address fundamental security issues that plague software development. Beyond insecure coding practices, developers continue to deviate from best practice when handling secrets, by documenting them insecurely or directly including them in application source code, which then gets pushed to source code repositories. The Infrastructure as Code (IaC) paradigm means that network engineers and system administrators must also be cognizant of secrets within scripts and configuration files used with automation tools, as these files typically end up in repositories alongside application source code. Even if divulged secrets are only for development systems or environments, this can still pose a significant risk to the organization. For example, insecure Jenkins installations and other development systems are routinely exploited by Protiviti during penetration testing engagements, often as the first step in achieving highly privileged access to an organization’s internal environment. More often than not, development systems do not receive the same amount of scrutiny as their production counterparts. In a real-world attack, a compromised development environment or CI/CD pipeline could allow a threat actor to install backdoors or perform other malicious modifications that end up in a production application or environment. 

Both of these factors relate to the long-standing idea that effective information security is fundamentally about culture, as opposed to just technical operations and processes. While culture cannot be addressed overnight, in the short term, organizations should pay attention to both public and private source code repositories to ensure they do not contain unsecured information which could be leveraged by threat actors. Protiviti’s Attack and Penetration testing team can assist with identifying such secrets and demonstrating the risk of their exposure. 

To learn more about Protiviti’s Attack and Penetration capabilities, contact us 

J.D. Morris

Senior Consultant
Technology Consulting - Security and Privacy

View all posts

You may also like

Subscribe to Topics

Protiviti Technology Follow

Protiviti leverages emerging technologies to innovate, while helping organizations transform and succeed by focusing on business value.

ProtivitiTech
protivititech Protiviti Technology @protivititech ·
18 Apr

Learn more about what GRC Managed Service is and what it can do for SAP S/4HANA and SAP cloud solutions in the latest #SAP Blog post. https://ow.ly/OMaL50RfsHw #ProtivitiTech

Reply on Twitter 1781035159438954997 Retweet on Twitter 1781035159438954997 Like on Twitter 1781035159438954997 Twitter 1781035159438954997
protivititech Protiviti Technology @protivititech ·
17 Apr

Protiviti is a proud sponsor of ServiceNow Knowledge 2024—a three-day conference all about #AI. Stop by our booth (#2503) to visit with our team and learn how the #ServiceNow platform makes business transformation possible. https://ow.ly/qa6p50Rh9wf

Reply on Twitter 1780627914964308382 Retweet on Twitter 1780627914964308382 Like on Twitter 1780627914964308382 Twitter 1780627914964308382
protivititech Protiviti Technology @protivititech ·
16 Apr

What is #DesignThinking? Could it help your organization? Find out how Protiviti uses it to help clients build net new applications and modernize legacy systems. https://ow.ly/fMK550Rfsoi #ProtivitiTech

Reply on Twitter 1780204913663873376 Retweet on Twitter 1780204913663873376 Like on Twitter 1780204913663873376 Twitter 1780204913663873376
protivititech Protiviti Technology @protivititech ·
15 Apr

Join our May 2 webinar designed for privacy and security professionals seeking to navigate the intricate nuances of data governance within the ever-evolving global regulatory landscape. Register today! https://ow.ly/hzrG50R4fTX #ProtivitiTech #DataPrivacy

Reply on Twitter 1779872392535212145 Retweet on Twitter 1779872392535212145 2 Like on Twitter 1779872392535212145 1 Twitter 1779872392535212145
protivititech Protiviti Technology @protivititech ·
12 Apr

The latest Technology Insights Blog post offers insight into the unique risks associated with Large Language Models (LLMs) and how to establish strategies to mitigate them. https://ow.ly/q3w550RfbXm #ProtivitiTech #TechnologyInsights

Reply on Twitter 1778890996282982442 Retweet on Twitter 1778890996282982442 Like on Twitter 1778890996282982442 Twitter 1778890996282982442
Load More