- GitHub is investing in tools and educational measures meant to stop developers from leaking secrets.
- CSO Mike Hanley said the firm is continuing to develop tools that automatically scan for leaks.
- The move comes after companies were hacked using publicly available data from their GitHub accounts.
GitHub is the largest open-source code repository on the internet — and with more than 50 million developers using the platform, some information inevitably makes it onto GitHub that should have stayed private.
In some cases, the fallout from those leaks has been disastrous.
After the software company SolarWinds fell victim to a massive hacking campaign last year, researchers discovered that its publicly available code on GitHub included an administrator password — "solarwinds123" — in plain text. (SolarWinds CEO Sudhakar Ramakrishna later blamed the accidental leak on an intern.)
In light of the SolarWinds leak and recent findings from security researchers on GitHub-enabled breaches, the firm is investing in software tools and educational measures to help prevent its developer communities from accidentally leaking secrets in code repositories, said Mike Hanley, the newly appointed chief security officer.
"We've got an obligation to continue to protect the platform that is the home for all those developers," Hanley said. "I really do believe we're seeing an exciting shift toward making sure that things are shipping securely by default in the first place."
As GitHub's first-ever CSO building out its security team, Hanley said that one of his continued focuses will be refining the company's secret-scanning tools, which were first rolled out in 2018. The tools automatically parse developers' code and flag secrets such as passwords, access tokens, and application-programming-interface keys by cross-referencing information from dozens of other service providers, including Amazon Web Services and Google Cloud.
The idea is to flag and automatically revoke secrets published on GitHub before they fall into the hands of hackers. Security researcher Andrzej Dyjak recently tested GitHub's secret-scanning tools by committing an AWS key to a public repository. Seven minutes after Dyjak published, GitHub automatically alerted him that his code included a leaked secret, and just four minutes later, he detected a malicious bot trying to use the AWS key to compromise his server.
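Secret scanning of the kind described above comes down to matching the token formats that providers publish plus an entropy check on assignments whose name suggests a credential. The Python below is an added example, not GitHub's scanner; it runs over constructed sample lines, and the AWS values in them are the invalid placeholders AWS publishes in its own documentation.

```python
import math
import re
from collections import Counter
from typing import List, Tuple

# Constructed sample lines standing in for a developer's committed source.
# The AWS values are the documented AWS example credentials, not real keys.
SAMPLE_SOURCE = """\
DB_HOST=db.internal.example
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
LOG_LEVEL=debug
# TODO: remove hard-coded password before release
admin_password = "solarwinds123"
"""

# Provider-specific formats, the way a scanner cross-references what services
# publish (AWS documents the AKIA prefix and 20-character length of key IDs).
PROVIDER_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}
# Generic assignments worth inspecting even when no known format matches.
ASSIGNMENT = re.compile(
    r"(?i)\b(\w*(password|secret|token|key)\w*)\s*[=:]\s*[\"']?([^\"'\s]+)")

def shannon_entropy(s: str) -> float:
    """Bits per character: random secrets score high, ordinary words low."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def scan(text: str, entropy_threshold: float = 3.5,
         min_len: int = 16) -> List[Tuple[int, str, str]]:
    """Return (line number, finding type, value) for each suspect line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PROVIDER_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append((lineno, name, m.group(0)))
        m = ASSIGNMENT.search(line)
        if not m:
            continue
        value = m.group(3)
        if any(f[0] == lineno and f[2] == value for f in findings):
            continue  # already reported by a provider pattern on this line
        if len(value) >= min_len and shannon_entropy(value) >= entropy_threshold:
            findings.append((lineno, "high_entropy_value", value))
        elif "password" in m.group(1).lower():
            findings.append((lineno, "hardcoded_password", value))
    return findings

if __name__ == "__main__":
    for lineno, kind, value in scan(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind}: {value}")
```

A pre-commit hook that rejects the commit when `scan` returns anything catches the leak before it is ever pushed, rather than minutes after it is public.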
Hanley's goal is to build on GitHub's investment in secret-scanning to make it easy for developers to protect against leaks without sacrificing speed.
"This is a classic kind of usability challenge associated with engineers just trying to get their jobs done," Hanley said.
GitHub is spreading awareness after a researcher hacked Apple, Tesla, and Microsoft using insights from their public repositories
Hanley said GitHub is also educating developers about a new type of vulnerability that bears similarities to the problem of secret-leaking.
White-hat hacker Alex Birsan disclosed in February that he was able to hack Apple, Tesla, Netflix, Microsoft, PayPal, and more than 30 other companies by closely reading code that the firms uploaded to GitHub and other repositories.
Birsan wasn't looking for traditional "secrets" such as passwords or tokens. Rather, he found that the targets' code declared public dependencies, which are automatically fetched from the open-source package repositories, alongside private dependencies that appeared to reference packages the companies hosted internally. By simply uploading his own packages to the same public repositories under the same names as the targets' private dependencies, he found that the targets' dependency resolution automatically pulled in and ran his code, granting him access to their systems.
In response to Birsan's findings, GitHub published a blog post outlining steps for developers to ensure their code isn't vulnerable to the "dependency confusion" exploit, and its parent company, Microsoft, published a related white paper. Hanley praised Birsan's "excellent research," adding that GitHub is now focused on educating developers about his findings.
"It's a vibrant discussion here for us," Hanley said. "We're spreading awareness of the problem and helping people understand what are the actual best practices that exist in the space so they can adopt them."