Microsoft subsidiary, GitHub, rolled out its secret scanning service to all users on Dec. 15. This service was previously available only to GitHub Enterprise Cloud users with a GitHub Advanced Security license. GitHub’s secret scanning looks through public repositories for over 200 token formats. In 2022, GitHub alerted its partners to over 1.7 million security exploits.
“Secret scanning alerts notify you directly about leaked secrets in your code. We’ll still notify our partners for your fastest protection, but now you can own the holistic security of your repositories,” read the GitHub blog.
Users will also get two-factor authentication (2FA) security feature in March 2023. GitHub had previously announced that it’d implement 2FA for high-impact package maintainers in Nov. 2022. However, it recently outlined 2FA’s wide-scale implementation across its 94-million user base.
The rationale behind GitHub’s free scanning tool is to prevent secrets and credentials compromises. A “secret” is a token or an authentication tool. Developers rely on them for communication with external services. Secret scanning takes place in Git history and all its branches.
As per the GitHub document, the secret scanning tool looks for known security vulnerabilities. This is something to keep in mind as a caveat, given that vulnerabilities can also be unknown (found only months after they occur).
That said, users can implement secret scanning alerts through “Code security and analysis” settings. Already exposed secrets are present under the “Vulnerability alerts” section. When you select any of the exposed secrets, you can view the exposure type and the remedial action you need to take.
Users and partners get different forms of secret scanning on GitHub. Users constitute:
On the other hand, partners get an alert when the same file has two keys. GitHub works with a number of partners to find exposed secrets. GitHub automatically alerts its partners when secret scanning detects a secret in a GitHub commit. The platform currently works with over 100 partners, including Adobe, Azure, Atlassian, Dropbox, Discord, Hubspot, Meta, Shopify, Stripe, etc.
According to IBM, leaked credentials are the most common type of data breach. These data breaches cost more than $150,000 than the average data breach and take 327 days to identify. The IBM report, cited by GitHub, highlighted that 83% of companies could suffer from one or more of these data breaches. The report further recommends using automation tools, which can cut threat identification times by 74 days.
Leaked secrets are especially worrying in the context of the software supply chain. Google recently released a report concerning the software supply chain and open-source dependencies. With open-source software in wide circulation, a compromised commit can affect all developer dependencies. Moreover, the line between commercial and public software is growing thinner as commercial entities begin relying on open-source code.
Companies using open-source code allow cybercriminals an increasing number of attack vectors. Sadly, organizations cannot reduce these dependencies without also reducing operational efficiencies. Enforcing 2FA can be the best bet for companies in such a situation. And that’s what GitHub is working on implementing in the next phase to reduce the damage from attacks that target related software systems.
In addition to free secret scanning, GitHub is also rolling out 2FA from March 2023 to all code contributors. 2FA increases network security by asking users for an additional passcode before logging them into an application. This stops cybercriminals from compromising a network unless they gain access to either the physical device or application.
The following user classes will be able to use 2FA:
By the end of 2023, 2FA will be mandatory for all users, including people who publish code on the platform — everyone will have to fulfill a 2FA login. Users who fail to enable 2FA will have 45 days before they’re blocked from using GitHub features. Overall, 2FA will make the software ecosystem safer for all parties. As a bonus to this, GitHub, like Google, is also adding passkey support, which is an alternative to passwords.
Alex Weinert, Microsoft’s Director of Identity Security, said that an account using 2FA is 99.99% less likely to be compromised, whereas cybercriminals always compromise passwords. Microsoft research further stated that using powerful passwords doesn’t prevent compromises, but it’s still better than weaker passwords.
Google research also indicated that “adding a recovery phone number to your Google Account can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks that occurred during our investigation.”
Identity management is a significant issue. The debate around it will get even more heated as we increase the adoption of online authentication. GitHub has committed itself to protect its users’ and partners’ identities by rolling out 2FA and secret scanning, laying down an example for us all to follow.
The CEO of Zurich Insurance, one of Europe’s largest insurance companies, has said that cybercrime could soon become uninsurable, warning that the risks surpassed climate…
Read More »
Facebook owner, Meta, has agreed to a $725 million settlement in relation to the longstanding Cambridge Analytica scandal that first emerged in 2018. Facebook allowed…
Read More »
Ireland’s Data Protection Commission (DPC) has launched a Twitter inquiry after a breach affected over 5.4 million users through an API vulnerability. DPC launched the…
Read More »
A recent report from Prodaft has unveiled FIN7 as one of the deadliest cybercrime groups on the planet, with a particular emphasis on breaching corporate…
Read More »
Your email address will not be published.
document.getElementById( “ak_js_1” ).setAttribute( “value”, ( new Date() ).getTime() );
Join Our Newsletters
Learn about the latest security threats, system optimization tricks, and the hottest new technologies in the industry.
TechGenix reaches millions of IT Professionals every month, empowering them with the answers and tools they need to set up, configure, maintain and enhance their networks.
Copyright © 2022 TechGenix