2022年10月13日

社区聊天网络研讨会图书馆代码中的秘密与代码泄漏相结合暴露了30万丰田客户的数据有越来越多的组织报告源代码被盗，代码中的秘密暴露，以及由于未经授权的访问或代码泄漏而将专有代码暴露到外部存储库中。这正是发生在丰田的事情。据2022年10月10日发表在Bleeping Computer上的一篇文章报道，“丰田最近发现，T-Connect网站源代码的一部分被错误地发布在GitHub上，其中包含存储客户电子邮件地址和管理号码的数据服务器的访问密钥”。文章补充说，“这使得未经授权的第三方可以在2017年12月至2022年9月15日期间访问296019名客户的详细信息，当时访问GitHub存储库受到限制。”丰田T-Connect是丰田汽车制造商的官方连接应用程序，允许丰田车主将智能手机与汽车的信息娱乐系统连接起来，用于电话、音乐、导航、通知集成、驾驶数据、发动机状态、油耗等。秘密是如何进入代码的?软件供应链漏洞的主要根源之一是代码中的秘密。由于疏忽或恶意，留在代码中的秘密可能会被黑客利用，从而发动异步攻击，导致特权升级、漏洞利用和数据泄露。秘密作为应用程序用来连接外部服务、帐户或应用程序的代码中的构件存在。开发者使用的秘密包括API密钥; encryption keys; OAuth tokens; certificates; and passwords. One of the biggest challenges facing organizations today is manual detection, identification and remediation of secrets in code, which is tedious and time consuming. In many cases application security titles within organizations, particularly those with large numbers of developers are faced with having to resolve many thousand secrets. It can be challenging to determine all the reasons that secrets remain in code. In many cases development teams are focused on getting business logic and the functional aspects of integration to work. Many times it is easier to hardcode the secret string or value into the code while testing and then deal with the secrets removal later. While they have good intentions, sometimes developers forget to do that, or rarely, due to malicious intent, deliberately expose secrets in clear text. One way or another, secrets numbering in the thousands, often find their way into code repositories. How does Blubracket eliminate secrets in code? As a solution that is built with developers in mind, BluBracket is easy to integrate into the daily development workflows. It also has the flexibility to operate across all git repositories, both internal and external. Integration with existing DevOps and CI/CD tools commonly found in the enterprise allow developers to easily include BluBracket into their daily routines. The BluBracket code security solution scans source code and identifies hundreds of secret types that are neither recognized by open source solutions nor the add-on security capabilities that code management systems like GitHub, GitLab and BitBucket might provide. BluBracket helps eliminate secrets throughout the development workflow (before commit, review on pull request, and alert on commits to monitored repos), and make it easy to triage and mitigate secrets previously committed. BluBracket identifies secrets in git history, and can even identify active secrets so you know which ones are most important. How do you prevent code leaks? Developers sometimes unknowingly place company IP at risk when they share code sections or make commits to public git repositories. BluBracket regularly scans public repositories for code fingerprints that may have leaked into the extended universe and identifies code that may have leaked. How to get started? BluBracket helps you understand your overall code health and identifies the areas of highest risk, implement workflows to stop new risks from getting into code and monitor your code health and watch it improve with every commit. Developers and AppSec teams can get started in three simple steps by using their GitHub accounts to sign up for BluBracket. They can easily select the repositories to scan and start identifying risks almost immediately. Use this link to get started for free in just minutes. No credit card required https://blubracket.com/contact/get-started/ For additional information on how BluBracket can help secure your code environment, please visit BluBracket.com