- CISO Series Newsletter
- Posts
- 10-22-20 - Oh My! Those Exposed Secrets Are an Embarrassment
10-22-20 - Oh My! Those Exposed Secrets Are an Embarrassment
Oh My! Those Exposed Secrets Are an Embarrassment
This week's episode of Defense in Depth
Leaked Secrets in Code Repositories
is hosted by me, David Spark, producer of CISO Series and Allan Alford. Our sponsored guest is Jérémy Thomas, CEO, GitGuardian. All three of us discussed:
Putting passwords and other credential information inside of code simply happens. It is done by developers for purposes of efficiency, laziness, or simply forgot to take it out.
Given that exposing secrets is done by developers, these secrets appear in code everywhere, most notably in public code repositories like GitHub.
Exposed credentials can appear in SIEMS as it's being exported from the developers' code.
There is a shared responsibility model and cloud providers do have some ability to scan code, but ultimately code you put in your programs is your responsibility.
Scanning public code repositories should be your first step. You don't want to be adding code that has known issues.
Next step is to scan your own code and get alerts if your developers are adding secrets (wittingly or unwittingly) in their code. If you alert in real-time, it fits naturally within the DevOps pipeline and they will improve their secure coding skills.
Another option to deal with exposed secrets is to sidestep the problem completely and put in additional layers of security, most notably multi-factor authentication (MFA). A great idea, and yes, you should definitely include this very secure step, but it doesn't eliminate the problem. There are far too many authentication layers (many automated) for you to put MFA on everything. There will always be many moments of exposure.
Special thanks to this week's podcast sponsor, GitGuardian.
empowers organizations to secure their secrets - such as API keys and other credentials - from being exposed in compromised places or leaked publicly. GitGuardian offers a threat intelligence solution focused on detecting secrets leaked on public GitHub and an automated secrets detection solution which tightly integrates with your DevOps pipeline.
Cyber Security Headlines
This week's sponsor of
Cyber Security Headlines
is SecureLayer7
TOMORROW! Friday [10-23-20] We're "Hacking Build vs. Buy Automation"
Please join us on Friday, October, 23rd, 2020 at 10 AM PT/1 PM ET for “Hacking Build vs. Buy Automation: An hour of critical thinking on the ongoing security decision.”I'll be leading this discussion with Scott Eigenhuis, head of security, Helix and Chas Ballew, CEO, Aptible.REGISTER
Plus, immediately after the video chat (11:00 AM PT/2:00 PM ET) we'll rollover to our meetup where you get a chance to connect with fellow cybersecurity professionals.
Thanks to our sponsor Aptible
Best Moments from "Hacking Privileged Identities Gone Bad"
Here's a six minute highlight reel of last week's CISO Series Video Chat: “Hacking Privileged Identities Gone Bad: An hour of critical thinking about accidental and malicious behavior from humans and machines causing havoc in the cloud”.Joining me in this discussion were Raj Mallempati, COO of CloudKnox and Dan Walsh, CISO, VillageMD.Check out the blog post to watch the video, read the "Best Bad Ideas" and the best quotes from the chat room, and to get access to the full one-hour recording.
Huge thanks to our sponsor, CloudKnox
Subscribe to all our podcasts
Click any of the podcasts below to get access to the subscription feeds. If you're already a subscriber, thank you!
