Intelligent CISO Issue 30 | Page 61


Database stores, cloud storage and services at risk from exposed access keys

Digital Shadows, a leader in digital risk protection, has revealed new research looking at the growing problem of company access keys inadvertently exposed during software development. Access keys and their corresponding secrets are used by developers to authenticate into other systems. While these should be kept private, poor security practices mean they are frequently made ‘public’ and are a gift to threat actors, which routinely scour such sites for easy access to company systems.

Over a 30-day period, Digital Shadows scanned more than 150 million entities from GitHub, GitLab and Pastebin. During this time, its technology assessed and categorised almost 800,000 access keys and secrets. Digital Shadows discovered more than 40% of these were for database stores, with 38% for cloud providers such as Google, Microsoft Azure and Amazon Web Services. Some 11% were for online services including collaboration platforms such as Slack and payment systems including Stripe.

The impact of exposed database keys is particularly profound – these types of credentials could allow unauthorised access to company data, including personally identifiable information (PII), with the permission to expose, destroy or manipulate company data. Credentials for Redis (37.2%), MySQL (23.8%) and MongoDB (19.3%) were the most common.

The research also found that keys are commonly exposed for cloud providers. Google Cloud was found to have the most exposed keys with 56.5% of the total. Microsoft Azure access keys and SAS tokens make up 22.7% and 12.4% respectively. Interestingly, despite Amazon Web Services being the market leader, exposed keys for these services only made up 8.3% of the total.

Again, successful authentication into these environments could be hugely damaging and allow access to the associated cloud infrastructure, with permission to expose, destroy and/or manipulate sensitive data. The data accessible depends on the services used and could include company and internal systems information.

The research also discovered thousands of tokens and keys for popular online services, including Slack tokens. In the wrong hands, these keys could be used to post messages directly into a channel within the organisation, give access to sensitive information on channels and conversations and access a user’s Slack workspace, e.g. the channels, conversations, users and reactions.

Russell Bentley at Digital Shadows said: “As software development has become increasingly distributed between in-house and outsourced teams, it has become challenging to monitor the exposure of sensitive information. Every day, technical information like keys and secrets are exposed online to code collaboration platforms. Normally this is accidental, but we have seen evidence that threat actors are scouring public repositories and looking to use it in order to access sensitive data and infiltrate organisations. Most of the services we have identified are secure by design but, as ever, humans are the weak link in the chain and frequently make information public when it should be private.”
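As an added illustration, not part of the article and not Digital Shadows' own scanning technology, the script below runs a small pattern-based secret scanner over a constructed set of environment-file lines and buckets each hit into the three categories the research uses: database stores, cloud providers and online services. The credential shapes are assumptions based on publicly documented key prefixes (for example AKIA for AWS access key IDs, AIza for Google API keys, xox for Slack tokens and sk_live_/sk_test_ for Stripe keys); every sample value is constructed, and each match is redacted before it is reported so the scanner never echoes a full secret.

```python
import re
from collections import Counter

# Assumption: these are the publicly documented shapes of common credentials,
# not Digital Shadows' detection rules. Each entry is (category, provider, regex).
SECRET_PATTERNS = [
    ("database", "Redis",   re.compile(r"redis://[^\s\"']*@[^\s\"']+")),
    ("database", "MySQL",   re.compile(r"mysql://[^\s\"']*@[^\s\"']+")),
    ("database", "MongoDB", re.compile(r"mongodb(?:\+srv)?://[^\s\"']*@[^\s\"']+")),
    ("cloud", "Google Cloud", re.compile(r"AIza[0-9A-Za-z_\-]{35}")),
    ("cloud", "Microsoft Azure (access key)", re.compile(r"AccountKey=[A-Za-z0-9+/=]{20,}")),
    ("cloud", "Microsoft Azure (SAS token)", re.compile(r"[?&]sv=[0-9-]+&.*?sig=[A-Za-z0-9%+/=]{10,}")),
    ("cloud", "Amazon Web Services", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("online service", "Slack", re.compile(r"\bxox[abpr]-[0-9A-Za-z\-]{10,}")),
    ("online service", "Stripe", re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{10,}\b")),
]

# Constructed sample of lines a pre-commit or CI scanner might see in a push.
# Every value here is a placeholder; none is a live credential.
SAMPLE_COMMIT = """\
# constructed .env fragment
REDIS_URL=redis://:s3cretpass@cache.internal:6379/0
DATABASE_URL=mysql://app:passw0rd@db.internal:3306/prod
MONGO_URI=mongodb+srv://svc:hunter2@cluster0.example.net/analytics
GOOGLE_API_KEY=AIzaEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLE
AZURE_STORAGE=DefaultEndpointsProtocol=https;AccountName=acct;AccountKey=RVhBTVBMRUtFWUVYQU1QTEVLRVk=;EndpointSuffix=core.windows.net
BLOB_SAS=https://acct.blob.core.windows.net/backups?sv=2020-08-04&ss=b&sig=EXAMPLESIGNATURE000%3D
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
SLACK_BOT_TOKEN=xoxb-000000000000-000000000000-EXAMPLETOKEN
STRIPE_SECRET=sk_test_EXAMPLE0000000000
LOG_LEVEL=info
"""


def redact(secret):
    """Keep just enough of a match to identify it; never return the full value."""
    if len(secret) <= 10:
        return "***"
    return secret[:6] + "..." + secret[-2:]


def classify_secrets(text):
    """Scan text line by line; return (line_no, category, provider, redacted) per match."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for category, provider, pattern in SECRET_PATTERNS:
            for match in pattern.finditer(line):
                findings.append((line_no, category, provider, redact(match.group(0))))
    return findings


def summarise(findings):
    """Count findings per category and give each as a rounded share of the total."""
    counts = Counter(category for _, category, _, _ in findings)
    total = sum(counts.values())
    if total == 0:
        return {}
    return {cat: (n, round(100.0 * n / total, 1)) for cat, n in counts.items()}


if __name__ == "__main__":
    hits = classify_secrets(SAMPLE_COMMIT)
    for line_no, category, provider, shown in hits:
        print(f"line {line_no:>2}: {category:<15} {provider:<29} {shown}")
    print(summarise(hits))
```

Run before a push (as a pre-commit hook or CI gate) rather than after, so the check fires while the secret is still private; a scanner that finds keys only once they are on GitHub, GitLab or Pastebin is already in the position the research describes. The category shares the script reports are simply the distribution within the constructed sample, not the figures from the article.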