You would think that organizations would want to know when ex-employees have access to the crown jewels.
No one wants to end up in the news the way Twitter has, because of a lack of access controls on repositories containing source code, just as it is locked in a battle of wits and a high-profile lawsuit over an acquisition gone wrong.
The software supply chain has become one of the main attack vectors. Attackers will find any way to gain access to repositories where source code is stored. Additionally, today’s software is often built from a combination of internally developed code, open source code, and code developed by third parties. All of this code usually resides in git repositories.
These repositories also contain Infrastructure as Code and git configuration rules to make it easier for developers to move their code through the CI/CD development pipeline. People with unauthorized access to these repositories may not be looking to steal code. They may be after something far more sinister.
While everyone is worried about source code being stolen by people with unauthorized access, the real danger is that the code can leak a blueprint of the application’s architecture: where critical information is stored and what other resources are leveraged. This information can be used to mount devastating asynchronous attacks that result in the exfiltration of large volumes of PII or cause debilitating operational disruptions.
In an article published by Wired magazine on August 23, 2022, the author notes: “Al Sutton, co-founder and chief technology officer of Snapp Automotive, was a software engineer on the Twitter team from August 2020 to February 2021.”
The article also contained a tweet from Al Sutton himself which stated, “One aspect that I haven’t talked about much about my long time membership in the GitHub Twitter group is that it let me access the private and public members group list that could have been used as a social engineering starter list (33 public, 267 private).”
The Wired article further mentions that Twitter never removed him from the GitHub group of employees who can submit software changes to code the company maintains on the development platform. Sutton had access to private repositories for 18 months after being fired from the company.
Controlling which developers and operations teams have access to which repositories is a key part of building a more comprehensive view of code security. In order to understand code risk, BluBracket believes that enterprise teams should seek answers to three key questions:
What high-risk content is in your code?
Who has access to your code?
Where is your code going?
It is clear from the above that unmonitored access to code repositories can lead to both external and internal threats. Malicious code can enter repositories and become a threat to the organization’s most critical assets.
In addition to identifying exposed secrets such as passwords, credentials, and API tokens in source code, BluBracket enforces secure repository access policies. BluBracket also monitors developer access to repositories – with built-in support for single sign-on (SSO) and multi-factor authentication (MFA).
BluBracket’s solutions help application development and security teams identify who has access to what, and by recommending best-practice configuration of everything from git hooks to branch protection rules, they guide teams toward continuous improvement and continuous operational security. When teams know they can automatically and continuously audit access, they are both more productive, because they can grant access more easily, and more secure, because they have tools to revoke access when employee roles change, whether they move on or are laid off.
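The kind of continuous access audit described above, as an added example that is not BluBracket's code or the original post's: it reconciles a snapshot of repository collaborators (modelled on the login and permission fields GitHub's collaborators API returns) against an HR roster of active staff and known leavers, and ranks stale access by privilege and age. All names, repositories and dates are constructed for illustration.

```python
"""Offboarding audit for git repository access (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    repo: str
    login: str
    permission: str
    days_stale: int  # days since termination; -1 when the account is unknown to HR


# Constructed sample data: hypothetical logins, repos and dates.
ACTIVE_EMPLOYEES = {"alice-dev", "bob-ops"}          # GitHub logins of current staff
TERMINATED = {"carol-ex": date(2021, 2, 15)}          # login -> termination date
SERVICE_ACCOUNTS = {"ci-bot"}                         # non-human accounts, reviewed separately

REPO_COLLABORATORS = {
    "payments-service": [("alice-dev", "admin"), ("carol-ex", "write"), ("ci-bot", "write")],
    "infra-terraform": [("bob-ops", "maintain"), ("carol-ex", "admin"), ("mallory", "read")],
}

# GitHub's repository permission levels, most privileged first.
PERMISSION_RANK = {"admin": 0, "maintain": 1, "write": 2, "triage": 3, "read": 4}


def audit(collaborators, active, terminated, service_accounts, today):
    """Return every collaborator who is neither an active employee nor a known service account.

    Known leavers get days_stale counted from their termination date; accounts HR has
    never heard of get -1 so they surface for investigation rather than being ignored.
    """
    findings = []
    for repo, members in collaborators.items():
        for login, permission in members:
            if login in active or login in service_accounts:
                continue
            left = terminated.get(login)
            days = (today - left).days if left else -1
            findings.append(Finding(repo, login, permission, days))
    # Admin-level access of long-departed staff lands at the top of the revocation queue.
    findings.sort(key=lambda f: (PERMISSION_RANK.get(f.permission, 9), -f.days_stale))
    return findings


if __name__ == "__main__":
    for f in audit(REPO_COLLABORATORS, ACTIVE_EMPLOYEES, TERMINATED, SERVICE_ACCOUNTS, date(2022, 8, 23)):
        age = f"{f.days_stale} days after leaving" if f.days_stale >= 0 else "unknown to HR"
        print(f"REVOKE? {f.repo}: {f.login} has {f.permission} ({age})")
```

Run on a schedule against a real export, the same comparison turns an 18-month oversight into a finding on the first day after offboarding.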
For more information about the BluBracket code security solution, please visit https://blubracket.com/products/enterprise-edition/
To get started with BluBracket for free, please visit https://blubracket.com/contact/get-started/
*** This is a syndicated blog from the Security Bloggers Network of BluBracket: Code Security & Secret detection written by Pan Kamal. Read the original post at: https://blubracket.com/how-unauthorized-access-to-git-became-a-big-headache-for-twitter/