#Hacktivity2023


Mackenzie Jackson - Exposed Credentials - How Attackers Find & Exploit Secrets in Source Code
This presentation was held at the #Hacktivity2023 IT security conference on 5th October 2023.
Secrets like API keys, security certificates and other credentials are the crown jewels of organizations and provide access to the inner workings of your systems. But these secrets are sprawling through the internet at an alarming rate. A research project conducted throughout 2022 by GitGuardian uncovered 10 million secrets leaked publicly on GitHub.com and also found that nearly 5% of all Docker images contain at least one plain text credential. The problem only gets more severe when reviewing how many credentials can be found in private source code, which is now a primary (and easy) target for attackers. This presentation breaks down the anatomy of recent breaches to explain how attackers find and exploit this massive problem to break into organizations, and how we can prevent it.

GitHub is the largest platform for open-source code: more than 80 million developers are active on the platform and tens of millions of public repositories are created every single year. But public code distribution on this scale brings with it a serious security threat: the unwanted exposure of API keys, credentials, and other secrets, a problem known as Secrets Sprawl. These secrets are the crown jewels of our applications and, if leaked, can grant attackers access to our application’s core infrastructure and data. This includes access to databases, cloud infrastructure and third-party services.

The scale of the problem is exposed clearly in the yearly report released by GitGuardian titled “The State of Secrets Sprawl”. The report uncovered millions of secrets exposed in public git repositories on GitHub. This presentation covers the 2023 State of Secrets Sprawl report. The new report shows that the total number of secrets being leaked publicly has increased since 2021, and it goes into detail about the types of secrets being leaked and the core contributing factors for leaked secrets.
The presentation will also explore:
  • Recent high-profile security breaches and how attackers found and exploited secrets
  • What happens when you leak secrets publicly (we leak a secret live and watch bots try to exploit it)
  • How developers can securely store and share their secrets
  • What to do if you do accidentally leak secrets
#HACKTIVITY is the biggest event of its kind in Central & Eastern Europe. About 1000 visitors come from all around the globe every year to learn more about the latest trends in cybersecurity, get inspired by people with similar interests and develop themselves through comprehensive workshops and training sessions.
www.hacktivity.com
#cybersecurity #Exploit

Comments: 2

  • @d8rh8r35, 3 months ago

    Great talk man.. awesome
