Are Source Code Leaks a New Threat that Software Vendors Should Be Concerned About?
Less than a month ago, Twitter indirectly acknowledged that some of its source code had leaked on the code-sharing platform GitHub by sending a copyright infringement notice to take down the repository in question. That repository is now inaccessible, but according to media reports it had been publicly accessible for several months: a user going by the name FreeSpeechEnthousiast committed thousands of files belonging to the social media platform over that period.
While there is no concrete evidence to support this hypothesis, the timing of the leak and the ironic username used by the perpetrator suggest that the leak was a deliberate act aimed at harming the company.
While it’s too early to gauge the impact this leak will have on Twitter’s health, this incident should be an opportunity for all software vendors to ask a simple question: what if this happened to us?
Protecting sensitive information in the software industry is becoming increasingly important as the frequency and impact of data breaches and leaks continue to increase. With growing reliance on software, the amount of sensitive information stored in digital form keeps growing.
About a year ago, the Lapsus$ hacker gang made headlines for publicly leaking the source code of some of the biggest names in technology. The group's trophies include nearly 200GB of source code from Samsung, source code for Nvidia’s DLSS technology, and 250 internal projects from Microsoft. Several other software companies have also been targeted, with their codebases falling into the wrong hands: LastPass, Dropbox, Okta, and Slack have all disclosed that some of their code was compromised.
A Treasure Trove of Sensitive Information
Source code contains a lot of sensitive information, and most of the time that includes hard-coded secrets such as passwords, API keys, and certificate private keys. This information is often stored in plain text within the source code, making it an attractive target for attackers.
There are many potential risks associated with leaked private source code, but revealed secrets are perhaps the most concerning: in State Secrets Revealed in 2023, the largest single analysis of public GitHub activity, GitGuardian reports 10 million newly exposed secrets in 2022 alone, a staggering number that grew 67% year over year. This phenomenon is largely explained by how easy it is, when using version control such as Git, to mistakenly publish hard-coded secrets buried in the commit history. But malicious intent can also be the reason confidential information is disclosed.
When a source code leak happens, these secrets are exposed, giving attackers access to systems and data. Secrets in code are a very significant problem: they allow attackers to move quickly and exploit a number of systems, making it harder for organizations to contain the damage. Unfortunately, internal source code is a very leaky asset. It is widely accessible to developers across the enterprise, backed up to different servers, and even stored on developers’ local machines. That is one reason why making sure no secrets are present in it is so important.
In addition to the risk of malicious activity, mistakes made by developers can also harm the company. For example, accidental code leaks can occur because of the way GitHub has designed its company/organization offering, which makes it difficult for organizations to prevent accidental leaks and, conversely, too easy for developers to make mistakes.
Logic flaws are also a concern: vulnerabilities in how the application handles functions and data may be visible in the source code. When source code is exposed, attackers can analyze it for these vulnerabilities and exploit them to gain unauthorized access. The same goes for application architecture. Organizations often expect their application architecture to remain hidden, a concept known as security by obscurity. When the source code is revealed, it hands attackers a map of how the application works, giving them the opportunity to find hidden assets.
Time to Act: Protect Your Source Code
The problem is nothing new, and many people in the security industry have been sounding the alarm for some time. However, recent initiatives by the Biden administration to strengthen the cyber resilience of infrastructure and SMBs have increased the focus on software vendor accountability. As cybersecurity becomes a national priority, there will be increasing pressure to promote secure development practices and establish market forces to prioritize the protection of sensitive information.
So what can software vendors do to protect their source code and sensitive information? First and foremost, they must recognize potential risks and take appropriate steps to mitigate them. This includes implementing security measures to protect against malicious activity and ensuring that hard-coded secrets are not stored in plain text within the source code.
However, no single approach is enough to protect sensitive information in the software industry. Combining secrets management solutions, secure coding practices, and automated secret detection provides a comprehensive security strategy.
Secret detection involves scanning source code and other digital assets for hard-coded secrets, alerting developers to potential vulnerabilities an attacker could exploit. With this proactive approach, organizations can better protect their sensitive information and identify potential security risks earlier in the software development lifecycle.
Combining secret detection solutions with secrets management and secure coding practices provides a layered security approach that can help mitigate the risks associated with leaked source code and other potential vulnerabilities.
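As an added illustration of the two points above, that a secret deleted from the latest commit still sits in the history and that automated detection must therefore scan every commit, here is a small Python scanner written for this article (it is not GitGuardian's product or any project's code). The git history, commit ids, file paths and credential values it scans are all constructed inline; the `ghp_`/`AKIA` token prefixes are the real public formats, everything after them is made up.

```python
import math
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "commit path kind hint")
# Detector rules in priority order: well-known token formats first, then a
# generic "credential-looking assignment" rule that is gated by entropy.
RULES = [
    ("aws access key id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("github token", re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b")),
    ("generic credential", re.compile(
        r"""(?i)(?:password|passwd|secret|api[_-]?key|token)\w*\s*[:=]\s*["']([^"'\s]{8,})["']""")),
]
ENTROPY_THRESHOLD = 3.0  # bits per character; "********" scores 0 and is skipped

# Constructed sample git history as (commit, path, added line) triples, the shape
# you would extract from `git log -p`. Commits, paths and values are all made up.
SAMPLE_HISTORY = [
    ("a1b2c3d", "config/settings.py", 'DB_PASSWORD = "Tr0ub4dor&3-prod"'),
    ("a1b2c3d", "config/settings.py", 'AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE00"'),
    ("a1b2c3d", "config/settings.py", "PASSWORD_MIN_LENGTH = 12"),
    # a later "fix" moves both values to the environment, but a1b2c3d still
    # carries them: deleting a secret from HEAD does not remove it from history
    ("b4c5d6e", "config/settings.py", 'DB_PASSWORD = os.environ["DB_PASSWORD"]'),
    ("b4c5d6e", "config/settings.py", 'AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]'),
    ("c7d8e9f", "scripts/release.py", 'GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"'),
    ("c7d8e9f", "docs/example.env", 'ADMIN_PASSWORD = "********"'),  # placeholder, not a secret
]

def shannon_entropy(s):
    """Bits per character: high for random-looking strings, 0 for a repeated character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def scan_line(commit, path, line):
    for kind, rule in RULES:
        m = rule.search(line)
        if not m:
            continue
        value = m.group(1)
        if kind == "generic credential" and shannon_entropy(value) < ENTROPY_THRESHOLD:
            return None  # low-entropy placeholder such as "********"
        return Finding(commit, path, kind, value[:4] + "...")  # never report the full secret
    return None

def scan_history(history):
    """Scan every added line in every commit, not just the current snapshot."""
    return [f for f in (scan_line(*entry) for entry in history) if f]

def commits_to_rotate(findings):
    """Each commit holding a secret is a place it can be recovered from: rotate the credential."""
    return sorted({f.commit for f in findings})
```

Running `scan_history(SAMPLE_HISTORY)` reports the database password and AWS key in `a1b2c3d` even though `b4c5d6e` removed them from the working tree, which is exactly why the credential has to be rotated rather than just deleted.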
In addition to these technical measures, it is also important to ensure that employees are trained and educated on cybersecurity best practices. This includes regular training and awareness programs to ensure that employees are aware of the risks and know how to protect sensitive information.
Overall, protecting source code and sensitive information is a critical concern for software vendors. As the frequency of malicious activity and accidental leaks continues to increase, it is critical that vendors take steps to mitigate risk and protect their customer data. By implementing secure coding practices, using secrets management solutions, and providing employee awareness and training programs, vendors can drive continuous improvement of their software development practices over the long term.
It is important to note that protecting source code and sensitive information is not a one-time occurrence. This is an ongoing process that requires constant attention and vigilance. Software vendors should continuously monitor their systems for potential vulnerabilities and ensure that their security measures are up to date.
If you are interested in improving your organization’s secrets management practices, we encourage you to take the (anonymous) secrets management questionnaire to assess your particular situation. It only takes five minutes to get a quick overview of your organization’s strengths and weaknesses and get started on the path to greater security.
Make sure your sensitive information is protected, and your customers’ trust is maintained.