Software code repositories could be harboring organizations’ credentials, secrets, and other sensitive data without developers’ knowledge – and this information could provide an invaluable resource for criminal hackers.
This is according to security specialists at communications technology company Twilio, who have launched a free tool that warns developers when they accidentally include sensitive information in their code before it’s uploaded to a repository.
Deadshot monitors GitHub pull requests in real time. The open source tool flags the potential inclusion of sensitive data in any code, as well as “changes to sensitive functionality”.
According to Laxman Eppalagudem, a senior product security engineer at Twilio who worked on the project, no one can manually monitor an organization’s entire codebase. So, his team created an automated scanning tool to find and flag sensitive data.
‘Deploy and forget’
Deadshot is intended to work as a “deploy and forget” tool. As it runs on every commit, the tool should alert the project owners before any data leaves the organization.
Security teams can specify what Deadshot monitors, and any alerts will be sent out via Slack or a Jira ticket.
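To make the pull-request scan described above concrete, here is an added example written for this page (not Twilio's Deadshot code): it walks the added lines of a unified diff, matches a small assumed rule set of secret formats, falls back to a Shannon-entropy heuristic for random-looking tokens, and flags any touched file under an assumed list of sensitive paths. The diff, the patterns and the path roots are all constructed for the example.

```python
import math
import re
from collections import Counter

# Constructed unified-diff excerpt standing in for a pull request (sample input, not a real PR).
SAMPLE_DIFF = """\
+++ b/app/settings.py
@@ -1,2 +1,4 @@
 DEBUG = False
-AWS_KEY = os.environ["AWS_KEY"]
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "hunter2"
+SIGNING_SECRET = "Xk7pQ2vR9mTz4LwB8nJc1HdF6sGy3aE0"
+++ b/app/auth/login.py
@@ -10,1 +10,2 @@
 def login(user, pw):
+    session.permanent = True
"""

# Assumed rule set: two well-known secret shapes plus an entropy heuristic; a real deployment carries many more.
SECRET_PATTERNS = {
    "AWS access key ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "hard-coded password": re.compile(r"(?i)(password|passwd|pwd)\s*=\s*['\"][^'\"]+['\"]"),
}
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_-]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; a plain hex digest tops out at exactly 4.0
SENSITIVE_PATHS = ("auth/", "crypto/", "payments/")  # assumed "sensitive functionality" roots

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random tokens score high, identifiers and prose score low."""
    return -sum(p * math.log2(p) for p in (c / len(s) for c in Counter(s).values()))

def scan_pull_request(diff: str) -> list:
    """One finding per suspicious added line, plus one per touched file under a sensitive path."""
    findings, current_file = [], ""
    for raw in diff.splitlines():
        if raw.startswith("+++ "):  # new-side file header "+++ b/path": remember which file we are in
            current_file = raw[4:].split("/", 1)[-1]
            if any(p in current_file for p in SENSITIVE_PATHS):
                findings.append({"file": current_file, "line": "", "reason": "change to sensitive functionality"})
            continue
        if not raw.startswith("+"):  # only lines the PR adds can introduce a new secret
            continue
        line = raw[1:]
        reasons = [name for name, rx in SECRET_PATTERNS.items() if rx.search(line)]
        if not reasons and any(shannon_entropy(t) > ENTROPY_THRESHOLD for t in TOKEN_RE.findall(line)):
            reasons = ["high-entropy string"]  # no known format matched; fall back to the entropy heuristic
        for reason in reasons:
            findings.append({"file": current_file, "line": line.strip(), "reason": reason})
    return findings
```

Running `scan_pull_request(SAMPLE_DIFF)` yields four findings: the AWS key, the hard-coded password, the high-entropy signing secret, and the change under `app/auth/`. The entropy rule also fires on legitimate random-looking data such as digests or fixture values, so a deployment needs an allowlist or a higher threshold to keep alert volume useful.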
“Twilio’s product security team identified a number of static secrets committed to the default branches of code repositories,” Yashvier Kosaraju, senior manager for product security at Twilio, told The Daily Swig.
“Having secrets in code is, of course, not a good security posture. We found that most published secrets came from unsuspecting developers who unknowingly committed them to GitHub.
“We built Deadshot as a way to notify developers of secrets in their PRs [pull requests] and to help developers and their companies improve their security practices.”
Leaky commits
The accidental release of secrets and credentials to code repos is a significant problem, according to Kosaraju. He cites a GitGuardian report that identified over two million secrets in public GitHub repositories in 2020.
“It’s intended to replace the need to manually review code pull requests for sensitive data commits, which we all know doesn’t scale,” he said.
Deadshot has been designed so it can only be installed on GitHub accounts by the organization’s administrators.
This, Kosaraju said, reduces the danger of criminal hackers using Deadshot for illicit gains.
“Scripts and bots doing this type of scanning over GitHub and other code repositories are already well-established on the offensive side,” security consultant James Bore told The Daily Swig.
“It’s good to see it incorporated in a tool, as outside of ransomware these are the types of security failures I come across most often impacting companies, many times without their knowledge if the attacker is subtle.”
GitHub already has security scanning capabilities, Bore noted. Developers could also use the open source tool Gittyleaks to scan for API keys, passwords and other sensitive data.
Twilio is actively looking for feedback and feature requests from Deadshot users and the open source community, Kosaraju said.