Less than a month ago, Twitter indirectly acknowledged that some of its source code had been leaked on the code-sharing platform GitHub by sending a copyright infringement notice to take down the incriminated repository. The latter is now inaccessible, but according to the media, it was accessible to the public for several months. A user going by the name FreeSpeechEnthousiast committed thousands of documents belonging to the social media platform over several months. While there is no concrete evidence to support this hypothesis, the timing of the leak and the ironic username used by the perpetrator suggest that the leak was a deliberate act aimed at causing harm to the company.
Although it is still too early to measure the impact of this leak on the health of Twitter, this incident should be an opportunity for all software vendors to ask a simple question: what if this happened to us? Protecting sensitive information in the software industry is becoming increasingly critical as the frequency and impact of data breaches and leaks continue to rise. With the growing reliance on software, the amount of sensitive information stored in digital form is constantly expanding.
About a year ago, the Lapsus$ hacking gang made headlines for publicly leaking the source code of some of the biggest names in technology. The group’s trophies included nearly 200GB of source code from Samsung, the source code for Nvidia’s DLSS technology, and 250 internal projects from Microsoft. Several other software companies have also been targeted, with their codebases falling into the wrong hands: LastPass, Dropbox, Okta, and Slack have all disclosed that some of their code was compromised.
A Treasure Trove of Sensitive Information
Source code contains a wealth of sensitive information, and that includes, most of the time, hard-coded secrets such as passwords, API keys, and certificates private keys. This information is often stored in plain text within the source code, making it an attractive target for attackers. There are many potential risks associated with leaked private source code, but exposed secrets are perhaps the most concerning: in the 2023 State of Secrets Sprawl, the single largest analysis of public GitHub activity, GitGuardian reported 10 million newly exposed secrets in 2022 alone, a staggering number that grew 67% year-over-year. The phenomenon is in great part explained by the fact that it is very easy when using version control like Git to mistakenly publish hard-coded secrets buried in the commit history. But malicious intentions can also be the cause of the disclosure of confidential information. When a source code leak happens, these secrets can be exposed, providing attackers with access to systems and data.
Secrets-in-code is a particularly significant problem. They allow an attacker to move fast to exploit a number of systems, making it more difficult for organizations to contain the damage. Unfortunately, internal source code is a very leaky asset. It is widely accessible by developers throughout the company, backed up onto different servers, and even stored on developers’ local machines. That’s one reason why making sure no secrets are exposed in the first place is so crucial. In addition to the risk of malicious activity, mistakes made by developers can also put companies at risk. For example, accidental leaks of code can occur due to the way GitHub has architected its enterprise/organization offering. This makes it cumbersome for organizations to prevent accidental leaks and, conversely, too easy for developers to make mistakes.
Exposed logic flaws are also a concern. There may be vulnerabilities in the way software applications handle functions and data that could be present in the source code. When source code is exposed, attackers can analyze it for these vulnerabilities and exploit them to gain unauthorized access. The same goes for application architecture. Often, organizations expect the architecture of their applications to be hidden, a concept called security by obscurity. When source code is exposed, it can lead attackers to a map of how applications work, giving them the opportunity to find hidden assets.
Time to Act: Protect Your Source Code
The problem is not new, and many in the security industry have been sounding the alarm for some time. However, recent initiatives by the Biden administration to strengthen the cyber resilience of infrastructures and SMEs have increased the focus on software vendors’ accountability. As cybersecurity becomes a national priority, there will be increased pressure to promote secure development practices and shape market forces to prioritize the protection of sensitive information.
So what can software vendors do to protect their source code and sensitive information? First and foremost, they must recognize the potential risks and take appropriate steps to mitigate them. This includes implementing security measures to protect against malicious activity and ensuring that hard-coded secrets are not stored in plain text within the source code. However, more than a single approach is needed to protect sensitive information in the software industry. Using a combination of secrets management solutions, secure coding practices, and automated secrets detection can provide a comprehensive security strategy. Secrets detection involves scanning source code and other digital assets for hard-coded secrets, alerting developers to potential vulnerabilities that attackers could exploit. With this proactive approach, organizations can better protect their sensitive information and identify potential security risks earlier in the software development lifecycle. Combining a secrets detection solution in conjunction with secrets management and secure coding practices provides a layered security approach that can help to mitigate the risks associated with leaked source code and other potential vulnerabilities.
In addition to these technical measures, it is also important to ensure that employees are trained and educated on cybersecurity best practices. This includes regular training and awareness programs to ensure that employees are aware of the risks and know how to protect sensitive information.
Overall, protecting source code and sensitive information is a critical issue for software vendors. As the frequency of malicious activity and accidental leaks continues to increase, it is essential that vendors take steps to mitigate the risks and protect their customers’ data. By implementing secure coding practices, using secrets management solutions, and providing employee training and awareness programs, vendors can help drive a continuous improvement of software development practices in the long run. It is important to note that protecting source code and sensitive information is not a one-time event. It is an ongoing process that requires constant attention and vigilance. Software vendors must continually monitor their systems for potential vulnerabilities and ensure that their security measures are up to date.
If you’re interested in improving your organization’s secrets management practices, we encourage you to take our secrets management questionnaire (anonymous) to assess your specific situation. It only takes five minutes to gain a quick overview of your organization’s strengths and weaknesses and get started on the path to better security. Ensure your sensitive information is protected, and your customers’ trust is maintained.
• Software vendors must recognize the potential risks and take appropriate steps to mitigate them, including implementing security measures and ensuring hard-coded secrets are not stored in plain text within the source code.
• Secrets detection involves scanning source code and other digital assets for hard-coded secrets, alerting developers to potential vulnerabilities that attackers could exploit.
• In addition to technical measures, employees must be trained and educated on cybersecurity best practices.
• Protecting source code and sensitive information is an ongoing process that requires constant attention and vigilance.
• Organizations should take our secrets management questionnaire (anonymous) to assess their specific situation and gain a quick overview of their organization’s strengths and weaknesses.