Platforms for hosting and sharing open source code (GitHub, GitLab, Bitbucket, etc.) are the mainstay of open source software distribution and organisation. They let source code be structured, contributions be orchestrated, versioning be organised and the community of contributors be managed, and they are a vital showcase for every open source project. Presenting your source code to the public is an essential part of the open source approach, but it can also lead an author to disclose vulnerabilities that are more or less easy for an attacker to exploit. One of the most common, and easiest to exploit, is leaving secrets (API keys, passwords, tokens, confidential information, etc.) in clear text in the code or in its change history: a credential that was committed once and later deleted still sits in the repository's history, reachable by anyone who can clone it. The consequences of this kind of vulnerability can be disastrous for companies, organisations and citizens. The 2016 Uber breach, in which the personal data of 57 million users was exposed after attackers obtained a credential left in a GitHub repository, is a prime example. In this presentation we will discuss the reasons this kind of vulnerability arises, ways of protecting yourself against it, and various open source tools for scanning projects so that the risk of disclosing a secret is detected upstream, before the code is published.

Share your code and not your secrets

Nov 10th, 09:30 am CET - 09:50 am CET
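The abstract above makes two points that are easy to state and easy to get wrong in practice: secrets hide both in the current files and in the change history, and a scanner has to look at both. The following is an added example, not code from the talk or from any of the tools it will present. It is a minimal secret scanner combining format signatures (the documented AWS access key ID shape, PEM private key headers, quoted "password = ..." style assignments) with a Shannon-entropy check for long random-looking strings, and it is run over a constructed working-tree file and a constructed `git log -p` excerpt in which the secret was "removed" in a later commit. The AWS values are the placeholder credentials from Amazon's own documentation; the repository contents, commit and passwords are made up for the example.

```python
"""Minimal secret scanner: known-format signatures plus a Shannon-entropy
check, run over a working-tree snapshot and over `git log -p` style history.
Added example, not code from the talk or from any named tool."""
import math
import re

# Known credential formats. The AWS access key ID shape (AKIA + 16 upper-case
# alphanumerics) is the documented one; the other two are generic heuristics.
SIGNATURES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # keyword such as password/secret/token, an optional suffix, '=' or ':',
    # then a quoted value of at least 8 characters (heuristic, will false-positive)
    "credential_assignment": re.compile(
        r"(?i)(password|passwd|pwd|secret|api[_-]?key|token)\w*\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
}

# Long, random-looking tokens catch unquoted keys the signatures do not know about.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits/char: identifiers sit around 3, base64 noise near 6


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, computed from the string's own symbol frequencies."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_text(text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, rule, matched_text) for every suspected secret in text.

    Diff prefixes (+/-) are deliberately not stripped: a '-' line in history
    is exactly the secret that was 'deleted' but still lives in the repository.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        hit = False
        for rule, rx in SIGNATURES.items():
            for m in rx.finditer(line):
                findings.append((line_no, rule, m.group(0)))
                hit = True
        if hit:
            continue  # do not double-report a signature hit as high entropy
        for m in TOKEN_RE.finditer(line):
            tok = m.group(0)
            if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
                findings.append((line_no, "high_entropy_string", tok))
    return findings


# Constructed samples. The AWS values are the placeholder credentials from
# Amazon's documentation; file, commit id and passwords are invented here.
WORKING_TREE = """\
# config.py after the 'fix'
import os
DB_PASSWORD = os.environ["DB_PASSWORD"]
"""

HISTORY = """\
commit a1b2c3d
    Remove hardcoded credentials

diff --git a/config.py b/config.py
-DB_PASSWORD = "s3cr3t-Pr0d-P@ssw0rd!"
+DB_PASSWORD = os.environ["DB_PASSWORD"]
diff --git a/.aws/credentials b/.aws/credentials
-[default]
-aws_access_key_id = AKIAIOSFODNN7EXAMPLE
-aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""


def rules_hit(text: str) -> set[str]:
    """Set of rule names that fired on the text."""
    return {rule for _, rule, _ in scan_text(text)}


if __name__ == "__main__":
    print("working tree:", scan_text(WORKING_TREE))  # empty: the secret is gone from HEAD
    for f in scan_text(HISTORY):                     # ...but not from the history
        print("history:", f)
```

Running it shows the asymmetry the talk is about: scanning only the current checkout reports nothing, while the same scanner over the history finds the removed database password, the AWS key ID by signature and the AWS secret key by entropy alone. A real deployment wires a scanner like this into a pre-commit hook or CI job so the finding blocks the push, and treats any secret that did reach a public history as compromised and rotates it, since rewriting history does not recall the clones already made.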

