Millions of .Git Folders Were Exposed Publicly by Mistake

2022 has been the year of source code leaks; Microsoft, Nvidia, Samsung, Rockstar, and many more companies have had their source code involuntarily open-sourced. But some new research by Cybernews has revealed that there are millions of private git repositories that are, in fact, not all that private. In this article, we will take a look at the research on exposed git repositories, review why this can be such a problem, and suggest what you can do differently.

Nearly 2 Million Exposed Git Repositories

Git is the version-control tool nearly every software developer uses to collaborate on and track changes to their code. You will likely be familiar with hosting services such as GitHub, Bitbucket, or GitLab, which offer turnkey accounts for pushing code to your own repositories and collaborating with others. Git can be tricky, though, and user errors can easily expose sensitive information. For example, when you initialise a repository on your machine, git creates a .git folder. This folder holds the complete history and metadata of your project from its first commit onward. An edit you made in 2012 is still stored there ten years later. An API key you committed to a development branch three years ago is still inside this .git folder, even if you removed it from the file in a later commit. So unless you are certain that neither you nor anyone on your team has ever committed anything remotely sensitive, which would be a rare team indeed, this folder is likely very sensitive.
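To make that concrete, here is an added example (not code from the original article or from the research it reports on). It builds a small .git directory by hand, so it runs offline without git, and then scans the loose objects for secret-shaped strings the way you would scan a .git folder copied from a public exposure. The AWS key id is Amazon's documented example value, not a live credential; the two regexes, the file names and the helper names are illustrative assumptions, and packfiles are left out for brevity.

```python
# Added example: walk the loose objects of a .git directory and look for
# secret-shaped strings in every blob, whether or not any branch still
# references it. Assumptions: two toy regexes, hand-built loose objects only.
import hashlib
import os
import re
import tempfile
import zlib

# Illustrative rules only; real scanners ship far larger rule sets.
SECRET_PATTERNS = {
    "AWS access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic API key assignment": re.compile(
        r"(?i)\bapi[_-]?key\s*[=:]\s*['\"]?[A-Za-z0-9_\-]{16,}"),
}


def scan_text(text):
    """Return (label, matched_string) for every rule hit in text."""
    return [(label, m.group(0))
            for label, pattern in SECRET_PATTERNS.items()
            for m in pattern.finditer(text)]


def write_loose_object(git_dir, obj_type, payload):
    """Store payload as git does: zlib('<type> <size>\\0<payload>') under
    objects/xx/yyyy..., named by the SHA-1 of the uncompressed store."""
    store = f"{obj_type} {len(payload)}".encode() + b"\0" + payload
    sha = hashlib.sha1(store).hexdigest()
    path = os.path.join(git_dir, "objects", sha[:2], sha[2:])
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(zlib.compress(store))
    return sha


def read_loose_object(path):
    """Inverse of write_loose_object: return (obj_type, payload)."""
    with open(path, "rb") as f:
        raw = zlib.decompress(f.read())
    header, _, payload = raw.partition(b"\0")
    obj_type, _, size = header.decode().partition(" ")
    if int(size) != len(payload):
        raise ValueError(f"corrupt object at {path}")
    return obj_type, payload


def iter_loose_objects(git_dir):
    """Yield (sha, path) for every loose object under objects/."""
    objects_dir = os.path.join(git_dir, "objects")
    for prefix in sorted(os.listdir(objects_dir)):
        if len(prefix) != 2:          # skip objects/info and objects/pack
            continue
        for rest in sorted(os.listdir(os.path.join(objects_dir, prefix))):
            yield prefix + rest, os.path.join(objects_dir, prefix, rest)


def scan_git_dir(git_dir):
    """Return (sha, label, match) for every secret found in any blob."""
    findings = []
    for sha, path in iter_loose_objects(git_dir):
        obj_type, payload = read_loose_object(path)
        if obj_type != "blob":        # commits and trees carry no file content
            continue
        text = payload.decode("utf-8", errors="replace")
        findings.extend((sha, label, hit) for label, hit in scan_text(text))
    return findings


def scan_working_tree(root):
    """Scan only the checked-out files, ignoring the .git directory."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as f:
                findings.extend((path, label, hit) for label, hit in scan_text(f.read()))
    return findings


def build_sample_repo():
    """Constructed repo: history holds a key the working tree no longer has.
    The key is AWS's documented example id, not a live credential."""
    root = tempfile.mkdtemp()
    git_dir = os.path.join(root, ".git")
    os.makedirs(os.path.join(git_dir, "refs", "heads"))
    with open(os.path.join(git_dir, "HEAD"), "w") as f:
        f.write("ref: refs/heads/main\n")
    leaked = write_loose_object(git_dir, "blob", b'API_KEY = "AKIAIOSFODNN7EXAMPLE"\n')
    fixed_source = b'import os\nAPI_KEY = os.environ["API_KEY"]\n'
    write_loose_object(git_dir, "blob", fixed_source)   # the "fix" commit's blob
    with open(os.path.join(root, "config.py"), "wb") as f:
        f.write(fixed_source)                            # what is checked out now
    return root, git_dir, leaked


if __name__ == "__main__":
    root, git_dir, leaked = build_sample_repo()
    print("working tree:", scan_working_tree(root))
    for sha, label, hit in scan_git_dir(git_dir):
        print(f"{sha[:12]} {label}: {hit}")
```

The working tree, where config.py now reads the key from the environment, scans clean; the old blob is still present under .git/objects and is the one the scanner flags. That is the problem in miniature: a secret "removed" by a follow-up commit lives on in history until that history is rewritten and the stale objects are garbage-collected, and anyone who can fetch the .git folder can read it. A real scan also has to open packfiles, which is where most objects of an older repository live.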

FaaS: Security Considerations to Know Before Going Serverless

Serverless architecture is becoming a compelling choice for developers and companies hosting their applications. It is easy to see why: it scales dynamically to meet load and removes much of the complexity of deploying and maintaining applications, sometimes even removing the need for an Ops team. But what security considerations should we weigh before choosing to go serverless?

What is Serverless Architecture?

Serverless architecture (also known as serverless computing or, in its most common form, function as a service, FaaS) is a software architecture in which application code runs on infrastructure that a third-party provider fully manages. With FaaS, the application is broken into individual functions that the provider executes on demand, so developers no longer manage server software or hardware themselves.

Detecting Credentials In Source Code: Solutions Guide

In modern software development, we rely on hundreds, sometimes thousands, of different building blocks. The glue that connects all these building blocks is collectively known as secrets. These are typically API keys, credentials, security certificates, and connection URIs that embed credentials. They are the modern-day master keys: they can provide access to cloud infrastructure, payment systems, internal messaging, and user information, to name a few. Once an attacker has a secret, they can move laterally between systems to uncover additional information and further secrets, and because they are authenticated, they look like legitimate users, which makes them extremely difficult to detect.

But even having established how sensitive these secrets are and why they should be tightly guarded, this next statement may surprise you:

Understanding Why Secrets Like API Keys Inside Git Are Such a Problem

Table of Contents

  • Why Secrets End up In Git
  • Why Secrets in Git Are Dangerous
  • Real-World Examples: Recent Data Breaches
  • Detecting Secrets in Reviews (or Not)
  • Using Automated Secrets Detection in Git
  • Wrap Up

Why Secrets End up In Git

A seasoned developer may be scratching their head, wondering why anyone would put secrets inside a git repository. But the fact is, secrets inside git repositories are the current state of the world.

8 Steps to Keep Remote Development Teams Secure

There is no doubt that the world's workforce is becoming more remote, particularly in tech as developers can now work from any location in the world. But there are a large number of new obstacles that come with this. The most pressing is security.

Take the current COVID-19 health crisis. From one day to the next, countries are going into quarantine and forcing companies and developers into working remotely. I for one am writing this from my home office in Paris, sipping filter coffee while looking out onto the empty streets in a complete lockdown that started last week (April 2020).