Data Vulnerability in Unexpected Places: Part 5
This is the last of a 5-part series exploring where hackers find entry points into data. After rounding up the (un)usual suspects, we are moving to our final spot that hackers hit hard: public code repositories.
Whilst we were busy doubling down on our phishing policies and blaming the 'weakest link', our employees, for not filling in all the necessary gaps, we have been overlooking the systems themselves and how our developers use them.
What is a Public Code Repository?
Heard of GitHub? Bitbucket? Whether you have or haven't, your developers have, because without them creating code, or basically doing anything, would be as slow, arduous and dark as pre-internet times.
A repository is essentially a central point where developers get to create and change their projects. GitHub's forerunners, like CVS and Subversion, kept a single central "repository" of all files associated with a project.
This meant that when developers worked on a project, every change was made in one central place. Git, the version control system that GitHub and Bitbucket host, changed all that: you copy the whole project, history included, to your own machine (this is called 'cloning', and the model is 'distributed version control'), make your changes locally, and then push them back to the central server. Copying a project into your own account on GitHub specifically, and don't laugh, is called 'forking'.
Forking lets you take a project that you don't have write access to and modify it in your own account. If you make changes that you want to share, you send a 'pull request' to the owner, who reviews them before merging. Because you don't have to connect to the central server every time you make a change, your day-to-day work doesn't expose you to the central server's risks; the exposure comes at the moment you push.
Forking is crucial
The DevOps team needs a source code repository host, like GitHub, and there are many; GitHub and Bitbucket are just the most famous. Hosting code in a public repository is great for open source and for the business bottom line, yet less great for organizational cybersecurity when it isn't done carefully.
Can you have safer Forking?
Whilst this shared open-source model is fantastic for developers, everything pushed to a public repository is available to everyone, including anything that should never have been committed, making it a cyber security hazard.
One of the more recent examples comes from Scotiabank, which unfortunately stored private data in public GitHub repositories, leaving its internal source code, login credentials and confidential access keys available to hackers. This situation gets worse when companies use third-party software developers, especially if they penny-pinch on security.
Some companies control software code quality and security through automated scanning, yet little to none monitor how the source code itself is stored during development or afterwards: whether the repository is public or private, who can push to it, and whether credentials have been committed into it. With more pressure being put on developers, the proper settings for securing a new repository get skipped, and that is a field day for hackers.
The first step in preventing these types of vulnerabilities is a policy addressing code storage and access management: enforce it within your company and for third parties equally.
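The scanning gap described above is easiest to close at the moment of exposure: before a commit is pushed. The script below is an added example written for this post, not code from the original article or from any named product. It scans text (a staged diff, or a file about to be pushed) for the kinds of material that leaked in cases like the one above: cloud access keys, private-key blocks, `password = ...` style assignments and long high-entropy strings, while skipping obvious placeholders. The settings file it scans is constructed for the example; the AWS values in it are the example credentials from AWS's own documentation, not live keys. Pattern names, thresholds and the `Finding` type are assumptions of this example.

```python
"""Pre-push secret scanner (added example, not the article's own code).

Usage as a hook:  git diff --cached | python scan_secrets.py
With no stdin it scans the constructed SAMPLE below.
"""
import math
import re
import sys
from collections import Counter
from dataclasses import dataclass

# Known credential formats. AKIA... is the documented AWS access key ID
# prefix, gh?_ the documented GitHub token prefixes, and the PEM header
# matches any "BEGIN ... PRIVATE KEY" block.
SPECIFIC_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"),
}
# <name containing password/secret/api_key/token> = <8+ non-space chars>
ASSIGNED_SECRET = re.compile(
    r"(?i)\b[a-z0-9_.-]*(?:password|passwd|secret|api[_-]?key|token)[a-z0-9_]*"
    r"\s*[:=]\s*['\"]?([^\s'\"]{8,})")
# Values that are templates or well-known dummies, not leaked credentials.
PLACEHOLDER = re.compile(
    r"^(?:\$\{?[A-Z0-9_]+\}?|<[^>]+>|changeme|example|xxx+)$", re.I)
# Long runs of base64/hex-like characters, judged by entropy (assumed threshold).
LONG_TOKEN = re.compile(r"[A-Za-z0-9+/=_-]{32,}")
ENTROPY_THRESHOLD = 4.5  # bits per character; random key material scores ~4.5-5.5


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    preview: str  # masked, so the scanner's own report does not leak the secret


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or uniform string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def mask(value: str) -> str:
    """Keep only the first four characters so a finding can be located safely."""
    return value[:4] + "..." if len(value) > 4 else "..."


def scan_text(text: str) -> list[Finding]:
    """Return one Finding per credential-looking hit, with 1-based line numbers."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        hits: list[Finding] = []
        for kind, pattern in SPECIFIC_PATTERNS.items():
            m = pattern.search(line)
            if m:
                hits.append(Finding(line_no, kind, mask(m.group(0))))
        m = ASSIGNED_SECRET.search(line)
        if m and not PLACEHOLDER.match(m.group(1)):
            hits.append(Finding(line_no, "assigned_secret", mask(m.group(1))))
        # Entropy is the fallback for secrets with no recognisable shape;
        # only used when nothing more specific already flagged the line.
        if not hits:
            for token in LONG_TOKEN.findall(line):
                if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                    hits.append(Finding(line_no, "high_entropy_string", mask(token)))
                    break
        findings.extend(hits)
    return findings


# Constructed sample settings file. The AWS values are the example credentials
# published in AWS documentation, not real keys.
SAMPLE = """\
# settings.py (constructed sample, not a real configuration)
DB_HOST = "db.internal.example"
DB_PASSWORD = "S3cr3t-Prod-2019!"
API_KEY = "${API_KEY}"            # template placeholder, should not be flagged
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
AUTH_HEADER = "Bearer 9f8A2kLmQ7zX1pR4vB6nW3cY5tH8jD0sE2gF7uK1"
-----BEGIN RSA PRIVATE KEY-----
password = changeme
"""

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    results = scan_text(text)
    for f in results:
        print(f"line {f.line_no}: {f.kind} ({f.preview})")
    # Non-zero exit blocks the commit when wired into a pre-commit hook.
    sys.exit(1 if results else 0)
```

On the sample it flags lines 3, 5, 6, 7 and 8 and leaves the host name, the `${API_KEY}` template and `changeme` alone. Two design points matter in practice: the report masks every value, because a hook that prints the secret it just caught into CI logs simply moves the leak, and placeholders are an explicit allowlist rather than a lower entropy threshold, so that a real password that happens to be short still gets caught.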