Submission + - Add GitHub dorking to list of enterprise security concerns (itworld.com)
chicksdaddy writes: IT World has a story today suggesting that GitHub may be a victim of its own success. Exhibit 1: "GitHub dorking:" the use of GitHub's powerful internal search engine to uncover security holes and sensitive data in published code repositories. (http://www.itworld.com/article/2921135/security/add-github-dorking-to-list-of-security-concerns.html)
In a nutshell: GitHub's runaway popularity among developers is putting employers and development shops in a tough spot. As the recent story about Uber accidentally publishing database administrator credentials in a public GitHub repository suggests, (http://arstechnica.com/security/2015/03/in-major-goof-uber-stored-sensitive-database-key-on-public-github-page/), it can be difficult even for sophisticated development organizations to grasp the nuances of how interactions with GitHub's public code repositories might work to undermine corporate security.
The ease with which developers can share and re-use code on GitHub is part of the problem, said Bill Ledingham, chief technology officer at Black Duck Software, which monitors some 300,000 open source software projects that use GitHub. Ledingham said leaked user credentials are inadvertent errors caused by developers too accustomed to the ease with which code can be borrowed, modified and resubmitted to GitHub.
"Developers in some cases are just taking the easiest path forward," he said. "They're checking in code or re-using it and not looking at some of these issues related to security."
Among the issues to watch out for are information leaks by way of vulnerabilities in GitHub.com or the GitHub API, leaks of intellectual property in published repositories and the leak of credentials and other shared secrets that could be used to compromise production applications.
Tools like the GitRob command line application developed by Michael Henriksen (http://michenriksen.com/blog/gitrob-putting-the-open-source-in-osint/) make it a simple matter to analyze all the public GitHub repositories associated with a particular organization. GitRob works by compiling the public repositories belonging to known employees of that firm, then flagging filenames in each repository that match patterns of known sensitive files.
Companies that are doing software development need to take an active interest in GitHub, determining which employees and contractors are using it and verifying that no proprietary code or sensitive information is leaking into the public domain.
Internally, data leak prevention products can identify and block the movement of proprietary code. Concerted education for developers about best practices and proper security hygiene when downloading and uploading code to shared and searchable source repositories can help prevent head slapping mistakes like the leak of database administrator credentials and private keys.
In a nutshell: GitHub's runaway popularity among developers is putting employers and development shops in a tough spot. As the recent story about Uber accidentally publishing database administrator credentials in a public GitHub repository suggests, (http://arstechnica.com/security/2015/03/in-major-goof-uber-stored-sensitive-database-key-on-public-github-page/), it can be difficult even for sophisticated development organizations to grasp the nuances of how interactions with GitHub's public code repositories might work to undermine corporate security.
The ease with which developers can share and re-use code on GitHub is part of the problem, said Bill Ledingham, chief technology officer at Black Duck Software, which monitors some 300,000 open source software projects that use GitHub. Ledingham said leaked user credentials are inadvertent errors caused by developers too accustomed to the ease with which code can be borrowed, modified and resubmitted to GitHub.
"Developers in some cases are just taking the easiest path forward," he said. "They're checking in code or re-using it and not looking at some of these issues related to security."
Among the issues to watch out for are information leaks by way of vulnerabilities in GitHub.com or the GitHub API, leaks of intellectual property in published repositories and the leak of credentials and other shared secrets that could be used to compromise production applications.
Tools like the GitRob command line application developed by Michael Henriksen (http://michenriksen.com/blog/gitrob-putting-the-open-source-in-osint/) make it a simple matter to analyze all the public GitHub repositories associated with a particular organization. GitRob works by compiling the public repositories belonging to known employees of that firm, then flagging filenames in each repository that match patterns of known sensitive files.
Companies that are doing software development need to take an active interest in GitHub, determining which employees and contractors are using it and verifying that no proprietary code or sensitive information is leaking into the public domain.
Internally, data leak prevention products can identify and block the movement of proprietary code. Concerted education for developers about best practices and proper security hygiene when downloading and uploading code to shared and searchable source repositories can help prevent head slapping mistakes like the leak of database administrator credentials and private keys.
