[cs615asa] Black Team - Week 9

Robert Herley IV rherley at stevens.edu
Mon Apr 1 14:28:28 EDT 2019


Often when system administrators are developing scripts and other tools for
automation, it may be necessary to include secrets in these tools such as
AWS keys, authentication information and other private API keys.

Unfortunately, this often leads to keys getting leaked in public git
repositories. For instance, NCSU academics scanned GitHub accounts for
about six months, looking for API tokens and cryptographic keys. They
discovered that over 100,000 repos had leaked such keys accidentally. This
introduces a huge security hole in an infrastructure, which can affect the
correctness and quality of an application. This week, the Black Team
conducted research in order to mitigate this problem.

AWS Labs has developed a tool called `git-secrets`, which scans commits,
commit messages and merges to prevent adding secrets into git repositories.
Also, this application can be configured as a git hook, which will prevent
code from even being pushed if it contains private keys, therefore
preventing the mistreatment of keys by developers.

References:
https://github.com/awslabs/git-secrets
https://www.zdnet.com/article/over-100000-github-repos-have-leaked-api-or-cryptographic-keys/?hss_channel=lcp-3238521
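
To make the hook behaviour concrete, here is a small pre-commit scanner added to
this write-up as an illustration. It is not git-secrets itself and not code from
the Black Team; it re-implements the check that `git secrets --scan` performs,
with the patterns `git secrets --register-aws` installs, using only POSIX sh and
grep. The three prohibited regexes and the two allow-listed AWS documentation
placeholders are reproduced from memory of that tool's defaults, so treat them as
an approximation. The file name secretscan.sh, the --demo/--hook flags and the
three sample files are assumptions made for this example, and none of the sample
values are real credentials.

```sh
#!/bin/sh
# Added example for this post: a minimal pre-commit secret scanner that mimics
# the behaviour of `git secrets --scan` with the AWS patterns that
# `git secrets --register-aws` installs. This is NOT git-secrets' own code; the
# regexes are paraphrased from that tool's defaults (assumption: treat them as
# an approximation) and written in POSIX ERE so plain grep can run them.

# Prohibited patterns, one per line (grep -e accepts a newline-separated list):
#  1. an AWS access key id  (AKIA..., ASIA..., etc. followed by 16 chars)
#  2. a 40-char secret assigned to a name ending in KEY
#  3. a 12-digit account id assigned to a name containing ACCOUNT
PROHIBITED_PATTERNS="(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}
(AWS|aws|Aws)?_?(SECRET|secret|Secret)?_?(ACCESS|access|Access)?_?(KEY|key|Key)[\"']?[[:space:]]*(:|=>|=)[[:space:]]*[\"']?[A-Za-z0-9/+=]{40}
(AWS|aws|Aws)?_?(ACCOUNT|account|Account)_?(ID|id|Id)?[\"']?[[:space:]]*(:|=>|=)[[:space:]]*[\"']?[0-9]{4}-?[0-9]{4}-?[0-9]{4}"

# Allowed patterns: a line matching one of these is NOT reported. These are the
# placeholder credentials used throughout the AWS documentation, which
# git-secrets also allow-lists by default.
ALLOWED_PATTERNS="AKIAIOSFODNN7EXAMPLE
wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"

# scan_file FILE: print offending lines (with line numbers) to stderr and
# return 1 if any remain after the allow-list is applied; return 0 if clean.
scan_file() {
    hits=$(grep -n -E -e "$PROHIBITED_PATTERNS" "$1" \
           | grep -v -E -e "$ALLOWED_PATTERNS" || true)
    if [ -n "$hits" ]; then
        printf '%s: possible secret\n%s\n' "$1" "$hits" >&2
        return 1
    fi
    return 0
}

# Hook entry point: scan every file staged for the commit (added, copied or
# modified). A non-zero return makes git abort the commit.
scan_staged() {
    status=0
    for f in $(git diff --cached --name-only --diff-filter=ACM); do
        scan_file "$f" || status=1
    done
    return $status
}

# make_samples: write three constructed files into a temp dir and print its
# path. None of these values are real credentials.
make_samples() {
    d=$(mktemp -d)
    # Documentation placeholders: hit the prohibited patterns but are rescued
    # by the allow-list, so this file must pass.
    printf 'aws_access_key_id = AKIAIOSFODNN7EXAMPLE\naws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n' \
        > "$d/docs_example.cfg"
    # Shaped like a real key pair (AKIA + 16 chars, 40-char secret): must be blocked.
    printf 'export AWS_ACCESS_KEY_ID=AKIAABCDEFGHIJKLMNOP\nexport AWS_SECRET_ACCESS_KEY=abcdefghijklmnopqrstuvwxyz0123456789ABCD\n' \
        > "$d/leaked.sh"
    # No secrets at all: must pass.
    printf 'region = us-east-1\n' > "$d/clean.cfg"
    echo "$d"
}

# --demo: run the scanner over the samples; --hook: act as the pre-commit hook.
case "${1:-}" in
    --demo)
        dir=$(make_samples)
        for f in "$dir"/*; do
            if scan_file "$f" 2>/dev/null; then echo "clean:   $f"; else echo "BLOCKED: $f"; fi
        done
        rm -rf "$dir"
        ;;
    --hook)
        scan_staged
        ;;
esac
```

Run `sh secretscan.sh --demo` to see leaked.sh blocked while docs_example.cfg and
clean.cfg pass. To use it as the hook the post describes, make
.git/hooks/pre-commit an executable script containing
`exec sh /path/to/secretscan.sh --hook`; git aborts the commit whenever that exits
non-zero. Two caveats worth knowing: the allow-list is applied per line, exactly
as in git-secrets, so a documentation placeholder sitting on the same line as a
real key would mask it, and this scanner only looks at staged file contents,
whereas `git secrets --install` also wires up commit-msg and prepare-commit-msg
hooks so that commit messages and merges are scanned too.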