Preventing Code Leaks and Other Critical Security Risks from Code
September 2020
Agenda
● About me (Briefly!)
● Why Code Security is Needed Now
● The Top Threats from Code
● How to Address the Threats
● Q & A
01 | © 2020
– John Terrill, CISO
Cybersecurity veteran with a focus on data protection and code security.
– William Martiner, CTO Enterprise Technology
– John Visneski, Data Protection Officer
“BluBracket understands the challenge…”
“Code security that respects developers’ productivity is a critical need…”
@ajayarora
ajay@blubracket.com
blubracket.com
– Jim Zemlin, Executive Director
“BluBracket's vision delivers…”
“We’re excited to work with BluBracket...”
Security, compliance & visibility for code
“Software has Eaten the World…”
Code security used to be easy since software development was…
Monolithic
Centralized
Protected behind a firewall
Slow
Git
Cloud Native
Collaborative
Open Source
Distributed
The way the world builds software has changed forever…
Code is Everywhere & Enterprises are at Risk
● Developer laptops & desktops
● Public source code management & sharing sites
● Open source
● Consultants’/contractors’ networks & servers
Hackers Have Noticed
Opening a New Front in the Cybersecurity War
Code is Everywhere & Enterprises are at Risk
“In 2019, almost 50% of all breaches came from the
misuse of credentials, frequently found in code.”
– SANS 2019 Cloud Security Survey
Secrets in Code
Passwords, Tokens and APIs are
Rampant in Code
Code Security
Threat #1
Over 100,000 GitHub repos have leaked
API or cryptographic keys
Thousands of new API or cryptographic keys leak via GitHub every day
Renowned Hacker GhostLulz gives detailed
instructions to his “hacker army” on using
GitHub.
“People are always uploading sensitive
files to GitHub, it’s a gold mine.
I once performed an external pen test
against a company and was able to use
GitHub Dorks to find an exposed bash
history file which had SSH passwords.”
“I have personally popped
boxes using info only found
on GitHub.”
Code Security
Threat #1
Just a few months ago, this ethical hacker found the Jumpcloud key for Starbucks available publicly on GitHub. With this key a hacker could add/remove users to gain access to Starbucks’ internal systems.
“While going through GitHub search I discovered a public repository which contains Jumpcloud API Key of Starbucks.”
IMPACT - This is critical as through this API anyone could:
- Execute commands on systems
- Add/remove users which have access to internal systems
Code Security
Threat #2
● By nature, Git is open and permissive.
● Git makes it extremely easy to clone code.
● Today, companies have little to no idea who has cloned their code, where their code lives, or even who has access to it.
● Without visibility, companies can’t track malicious insiders or know whether contractors/employees have uploaded important IP to personal servers or open source.
● You can’t secure what you can’t see.
Code Security
Threat #2
Code Proliferation & Lack of Code Visibility
GhostLulz Gives Detailed Instructions on How to Search Outside Company Repos.
1. “Find the company’s GitHub page and from there you can locate all their developers and monitor their accounts.”
2. “Once you find a company’s page you want to get a list of people that are associated with the company. This can be done by clicking on the “people” tab.”
3. Now you will need to manually go through each one and look for exposures. You should be looking for URLs, API keys, usernames, passwords, vulnerabilities, and anything else that could provide value.
Companies don’t track developer
endpoints or personal repos
● Over 97% of applications contain open source*
● Most companies have an open source policy, but not an enforcement mechanism that makes it easy for developers to follow.
● Hackers are getting more sophisticated, replacing open source libraries and packages to create a backdoor into company and product infrastructure.
● They frequently do this by brute-forcing credentials for Git repos or by social engineering project developers.
● Backdoors were snuck into 12 open source projects and downloaded hundreds of thousands of times in 2019*
* Sources: BlackDuck; ArsTechnica
Code Security
Threat #3
Malicious Code from Unauthorized Open Source
Code Security
Threat #1
Are Your Open Source Files Really From the Trusted Source?
● Hackers brute-forced a developer’s password and inserted a backdoor into the popular “strong_password” RubyGems package.
● The infected package would then inject code allowing remote code execution.
2019 Takeover of a RubyGems Package
“The hacker likely cracked an old password of mine from before I was using
1password that was leaked from who knows which of the various breaches that
have occurred over the years.” – OSS Developer on Hacker News
● Your code shows which application servers,
search services and more are used in your stack.
● This information gives hackers a detailed map of
which vulnerabilities to target.
● Infrastructure as Code and Policy as Code means
your code holds even more valuable information.
● Code can also give competitors a way to gain
advantage against you.
Code Security
Threat #4
Your Business, Network and
Infrastructure Blueprint
Exposed through Leaked Code
Code Security
Threat #1
● A security researcher found an open
server on Boeing’s network containing
code for its 787 aircraft.
● With the information, the ethical hacker
disclosed how to target the networking
system.
● The code gave him a road map to exploit
and target vulnerabilities in the
airplane’s critical systems.
● ALL from code.
A Boeing Code Leak Exposes
Security Flaws Deep in a 787’s Guts
Our researcher’s discovery suggests troubling oversights in Boeing’s cybersecurity
Code Security
Threat #5
• Many well-known threat actors have targeted GitHub/GitLab/BitBucket for credentials to internal data systems, and for PII itself.
• Developers often use GitHub/GitLab/BitBucket as a private data store, and frequently post sensitive data and PII in public repos.
• These can be code, but also files and SQL backups containing PHI.
• Files containing PII are often embedded in or linked from code.
• Private repositories aren’t enough. Hacking groups frequently use brute force or credential stuffing to get into private GitHub repos.
Sensitive Data and PII on Code Sharing Websites
Code Security
Threat #1
● A security researcher recently found 200,000
health records leaked on GitHub through
simple searches for credentials and PII.
● One example: WayStar is a revenue
management vendor for healthcare
companies.
● He found six repositories that had access
credentials for healthcare clients of WayStar.
● The credentials provided access to SFTP
servers housing EDI data with thousands of
PHI records.
● The researcher also found the password
generation algorithm had a pattern easily
cracked.
● ALL from code.
No need to hack
when it’s leaking.
How to Prevent Code Leaks — Your Checklist
Threat #2: Lack of Visibility
● Monitor all developer access to code and
GitHub/GitLab/BitBucket, including their
private accounts.
● Ensure that you can see actions and get notified
if they aren’t following security policies.
● Have airtight access control to Git for
employees and contractors. Don’t grant overly
permissive access to sensitive code. It’s too
easy to copy.
● Invest in a tool that can map your code assets,
including those on developer endpoints.
Threat #1: Secrets in Code
● Never hardcode credentials in the first place.
● Use a secrets manager such as Vault, and fetch credentials at runtime through its API instead of storing them in source.
● Have secret scanning running in your code
pipeline and empower your developers to use
secret scanning themselves.
● Scan for valuable code/secrets in public
repositories. If it’s been cloned, it’s probably in
other places.
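To make the “secret scanning in your code pipeline” item concrete, here is a small scanner of the kind that runs as a pre-commit hook or CI step over a staged diff. This is an added example, not BluBracket’s or any vendor’s code; the rule patterns, the 4.0 bits/char entropy threshold and the sample diff are constructed for illustration (the AWS values are the publicly documented AWS example keys).

```python
import math
import re
from collections import Counter
from typing import List, NamedTuple

class Finding(NamedTuple):
    line_no: int   # 1-based line within the scanned diff
    rule: str
    excerpt: str   # offending line with long tokens masked, safe for CI logs

# Well-known credential shapes plus a generic "keyword = '...'" check (illustrative, not complete).
RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    "password_assignment": re.compile(
        r"(?i)(?:password|passwd|pwd|secret|api[_-]?key|token)\w*\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
}
# Fallback for unknown formats: long base64/hex-looking tokens with high entropy.
# 4.0 bits/char is an assumed threshold; lower it and ordinary identifiers start to trip it.
TOKEN = re.compile(r"(?<![A-Za-z0-9+/=_-])[A-Za-z0-9+/=_-]{20,}(?![A-Za-z0-9+/=_-])")
ENTROPY_THRESHOLD = 4.0

def shannon_entropy(s: str) -> float:
    """Bits per character; random key material scores well above 4.0."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def _mask(line: str) -> str:
    # Never echo the secret itself into pipeline logs: keep 4 chars of any long token, mask the rest.
    return re.sub(r"[A-Za-z0-9+/=]{8,}", lambda m: m.group(0)[:4] + "****", line.strip())

def scan_line(line_no: int, content: str) -> List[Finding]:
    hits = [Finding(line_no, name, _mask(content)) for name, rx in RULES.items() if rx.search(content)]
    if not hits and any(shannon_entropy(t) >= ENTROPY_THRESHOLD for t in TOKEN.findall(content)):
        hits.append(Finding(line_no, "high_entropy_string", _mask(content)))
    return hits

def scan_diff(diff_text: str) -> List[Finding]:
    """Scan only the '+' lines of a unified diff: what the commit would add to history."""
    findings: List[Finding] = []
    for n, line in enumerate(diff_text.splitlines(), 1):
        if line.startswith("+") and not line.startswith("+++"):
            findings.extend(scan_line(n, line[1:]))
    return findings

# Constructed sample: a staged diff that moves credentials from the environment into
# source. The AWS values are the publicly documented AWS example keys, not live ones.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,6 @@
 import os
-password = os.environ["DB_PASSWORD"]
+password = "Summer2020!Rotate"
+aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
+aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+AUTH_HEADER = "Basic YWRtaW46c3VwZXJzZWNyZXQxMjM="
 timeout = 30
"""
```

In a real hook, pipe `git diff --cached` into `scan_diff` and fail the commit when it returns any findings; the removed line is ignored, the three keyword/format rules fire on the first three added lines, and the entropy fallback catches the base64 header value that no fixed pattern knows about.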
How to Prevent Code Leaks — Your Checklist
Threat #4: Code as a Blueprint
● Check for common Git misconfigurations, such as a .git directory exposed on your public website.
● Don’t forget about contractors/agencies.
● Ensure security can understand code to work closely
with developers.
● Invest in a Security Blueprint/Audit of your code
environments.
Threat #3: Open Source
● Don’t just scan for known vulnerabilities, also
make sure the source itself is authorized.
● Make open source scanning automatically part
of your developers’ workflow.
● Invest in open source BOM solutions.
Threat #5: PII/PHI in code
● Enforce Two-Factor Authentication across all
developer accounts like mail, not just in their Git
services.
● Train developers in PII/PHI regulations and
ensure apps don’t link or embed data.
● Don’t forget about contractors/agencies.
● Require (and audit) that all repositories are
private and that all email and repo accounts have
2FA.
01 Safe with Git
02 Safe with Open Source
03 Safe from Credentials, Secrets & PII in Code
04 Safe from Theft and Misuse
The world runs on code.
We make it safe.
Surface security risks
Actionable alerts
Understand the code ecosystem
Discover blind-spots & anomalies
Thank you for attending! Please reach out with any questions or comments.
Feel free to sign up for our Code
Security Monthly Digest at
www.blubracket.com.
BluBracket can also give attendees
a free Repository Health report.
Please email me or contact us via
our website.
@ajayarora
ajay@blubracket.com
blubracket.com
Security, compliance
& visibility for code