More than 5,000 passwords, private keys, and other development "secrets" are leaked every day when programmers push code to online repositories — a year-over-year increase of 20% that also makes the software and the developer's infrastructure more susceptible to attack, according to a new report by security firm GitGuardian.
The company, which scans public GitHub repositories daily and analyzes the latest committed code, found that API keys for Google Cloud resources, for a variety of development tools — such as the Django web framework and Okta authentication framework — and for database access made up almost 60% of all leaked secrets. Developers from India, Brazil, and the United States most often leaked secrets, the company found.
Overall, while the number of leaked secrets is only about 0.2% of the public commits scanned each day, leaking an application secret can be devastating, enabling attackers to gain easy access to applications or the back-end databases, says Jeremy Thomas, CEO of GitGuardian.
"Cybersecurity is largely about human mistakes," he says. "This is still a rare event that we are preventing but a serious one, and developers have to assume that they are going to make mistakes."
Development activity on GitHub has skyrocketed in the past year, with the number of repositories jumping by 35% during the pandemic and the average active user contributing 25% more to open source projects, according to the GitHub "State of the Octoverse" report published in December.
While companies may believe that keys leaked in open source repositories do not affect their security posture, 94% of JavaScript projects rely on open source components, as do 81% of Python projects, ..
Support the originator by clicking the read the rest link below.
