2022年10月13日

社區聊天網絡研討會圖書館代碼中的秘密與代碼泄漏相結合暴露了30萬豐田客戶的數據有越來越多的組織報告源代碼被盜，代碼中的秘密暴露，以及由於未經授權的訪問或代碼泄漏而將專有代碼暴露到外部存儲庫中。這正是發生在豐田的事情。據2022年10月10日發表在Bleeping Computer上的一篇文章報道，“豐田最近發現，T-Connect網站源代碼的一部分被錯誤地發布在GitHub上，其中包含存儲客戶電子郵件地址和管理號碼的數據服務器的訪問密鑰”。文章補充說，“這使得未經授權的第三方可以在2017年12月至2022年9月15日期間訪問296019名客戶的詳細信息，當時訪問GitHub存儲庫受到限製。”豐田T-Connect是豐田汽車製造商的官方連接應用程序，允許豐田車主將智能手機與汽車的信息娛樂係統連接起來，用於電話、音樂、導航、通知集成、駕駛數據、發動機狀態、油耗等。秘密是如何進入代碼的?軟件供應鏈漏洞的主要根源之一是代碼中的秘密。由於疏忽或惡意，留在代碼中的秘密可能會被黑客利用，從而發動異步攻擊，導致特權升級、漏洞利用和數據泄露。秘密作為應用程序用來連接外部服務、帳戶或應用程序的代碼中的構件存在。開發者使用的秘密包括API密鑰; encryption keys; OAuth tokens; certificates; and passwords. One of the biggest challenges facing organizations today is manual detection, identification and remediation of secrets in code, which is tedious and time consuming. In many cases application security titles within organizations, particularly those with large numbers of developers are faced with having to resolve many thousand secrets. It can be challenging to determine all the reasons that secrets remain in code. In many cases development teams are focused on getting business logic and the functional aspects of integration to work. Many times it is easier to hardcode the secret string or value into the code while testing and then deal with the secrets removal later. While they have good intentions, sometimes developers forget to do that, or rarely, due to malicious intent, deliberately expose secrets in clear text. One way or another, secrets numbering in the thousands, often find their way into code repositories. How does Blubracket eliminate secrets in code? As a solution that is built with developers in mind, BluBracket is easy to integrate into the daily development workflows. It also has the flexibility to operate across all git repositories, both internal and external. Integration with existing DevOps and CI/CD tools commonly found in the enterprise allow developers to easily include BluBracket into their daily routines. The BluBracket code security solution scans source code and identifies hundreds of secret types that are neither recognized by open source solutions nor the add-on security capabilities that code management systems like GitHub, GitLab and BitBucket might provide. BluBracket helps eliminate secrets throughout the development workflow (before commit, review on pull request, and alert on commits to monitored repos), and make it easy to triage and mitigate secrets previously committed. BluBracket identifies secrets in git history, and can even identify active secrets so you know which ones are most important. How do you prevent code leaks? Developers sometimes unknowingly place company IP at risk when they share code sections or make commits to public git repositories. BluBracket regularly scans public repositories for code fingerprints that may have leaked into the extended universe and identifies code that may have leaked. How to get started? BluBracket helps you understand your overall code health and identifies the areas of highest risk, implement workflows to stop new risks from getting into code and monitor your code health and watch it improve with every commit. Developers and AppSec teams can get started in three simple steps by using their GitHub accounts to sign up for BluBracket. They can easily select the repositories to scan and start identifying risks almost immediately. Use this link to get started for free in just minutes. No credit card required https://blubracket.com/contact/get-started/ For additional information on how BluBracket can help secure your code environment, please visit BluBracket.com