Toyota disclosed a data leak caused by exposed access keys on GitHub. The lessons learned are that basic controls that provide high value for low effort were not implemented. This blog post will share quick wins toward the goal of securing your development ecosystem.
Many commercial and open-source products provide secret scanning capabilities. Each product has pros and cons, which I am not going to discuss in this blog post. But the quickest win would be either using a free unlimited secrets scanner (shameless promotion for Arnica) or run an open-source tool that iterates through all repositories and identifies hardcoded secrets. For example, you can install the free version of Semgrep and iterate through all repositories to find secrets and many other vulnerabilities, at least for the first iteration.
Here are the steps to get there:
Setup a webhook to receive notifications when a repository’s visibility changes and notify the relevant stakeholders in their relevant channel. In this example, the webhook is automatically set within 5 minutes through Tines. Here are the steps:
Code reviews are vital for code quality and security. GitHub enables this capability via the CODEOWNERS file. However, it is easy to misconfigure the file since it requires both the configuration of the file and the enforcement of the branch protection policy to require a review from the CODEOWNERS. Here is an example script that can help you to determine if any of the CODEOWNERS files and policies are misconfigured.
Caveat: the assumption of this script is that CODEOWNERS is configured in the default branch. At Arnica, we developed a more comprehensive classification mechanism to determine which branches are important to protect.
Would this solution prevent the secret from appearing in git history? No, but it will enforce another set of eyes on code changes to help identify secrets and other risky code changes prior to pushing them to a production environment.
The actions listed above will provide quick value, but as illustrated by Toyota’s recent leak, properly securing your development ecosystem requires a comprehensive analysis of developer permissions, identification of abnormal and risky developer behavior, and regular scans for hardcoded secrets.