You would think organizations would want to know when ex-employees have access to the crown jewels.
No one wants to end up in the news like Twitter did due to lack of access controls for repositories that contain source code just as they are locked in a battle of wits and a highly publicized lawsuit about an acquisition gone awry.
The software supply chain has become one of the biggest attack vectors. Attackers will find any means to access the repositories where source code is stored. Additionally, software today is often built via a combination of internally developed code, open source code or third-party developed code. All this code generally resides in git repositories.
These repositories also contain Infrastructure as code and git configuration rules to make it easier for developers to move their code down the CI/CD development pipeline. Individuals with unauthorized access to these repositories may not be seeking to pilfer code. They may be after something far more sinister.
While everyone is concerned about source code being stolen by individuals with unauthorized access, the real danger is that the code can divulge a blueprint of the application architecture. Where critical information is stored and what other resources are being leveraged. This information can be used to mount devastating asynchronous attacks that result in the exfiltration of large volumes of PII or cause debilitating operational disruptions.
In an article published by Wired magazine on August 23, 2022, the author notes, “Al Sutton, cofounder and chief technology officer of Snapp Automotive, was a Twitter staff software engineer from August 2020 to February 2021.”
The article also carried a tweet from Al Sutton himself which stated, “An aspect I’ve not seen discussed much about my long-past-leaving membership of the Twitter GitHub group, is that it left me with access to the private and public membership list of the group which could have been used as a social engineering starter list (33 public, 267 private).”
The Wired article further mentions that Twitter never removed him from the employee GitHub group that can submit software changes to code the company manages on the development platform. Sutton had access to private repositories for 18 months after being let go from the company.
Access to repositories by developers and operations teams is a key tenet to developing a more comprehensive view of code security. In order to understand risk from code, BluBracket believes that enterprise teams must seek answers to three key questions:
What high risk content is present in your code?
Who has access to your code?
Where is your code going?
It is clear from above that unmonitored access to code repos can lead to both external and insider threat. Malicious code can be introduced into repositories and become a threat to the organization’s most critical assets.
In addition to identifying exposed secrets like passwords, credentials and API tokens in source code, BluBracket enforces policies for trusted access to repositories. BluBracket also monitors developer access to repositories – with built-in support for single sign-on (SSO) and multi-factor authentication (MFA).
BluBracket’s solutions help developer and application security teams Identify who has access to what, calling out the best-practice configuration of everything from git hooks to branch protection rules helps guide teams to continuous improvement and ongoing operational security. When teams know they can automatically and continuously audit access, they’re both more productive because they can more easily grant access, and more secure because they have tools to revoke access when employees’ roles change, they leave or are terminated.
For more information on the BluBracket code security solution, please visit https://blubracket.com/products/enterprise-edition/
To get started for free with BluBracket please visit https://blubracket.com/contact/get-started/