Toyota’s public GitHub repo had an access key 🙄
Managing “secret data” in source code is harder than it seems.
Every company that creates software knows how hard it is to maintain one version of the truth. Web-based version control systems solve this problem with a central Git repository. Multiple developers can each work on their own ‘branch’ of the source code and ‘push’ it to the central repository (repo) when they are done. All this is excellent!
However, with great convenience comes great responsibility…
It is so convenient to push source code to the central repository that developers have developed muscle memory for ‘git push’.
When they do, secret information that should never be in a public repository sometimes gets pushed along with the code: access keys, database passwords, and the like.
This is what happened with Toyota. Read this article to know more.
Take Action:
Use the ‘secret scanning’ tools that the repository hosting platforms provide for your benefit. Here is the GitHub version of the same.
Use SAST tools as part of the development environment so that secrets are flagged even before they get pushed to git. There are many really good ones out there. We have used Fortify and Checkmarx with a good deal of success.
Training - This is Appsec 101, really. Have your developers trained on secure coding practices and secure software development life cycle. (of course, I am quite biased to Risk Quotient trainings, but really, any good appsec training should do it.)
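As an added illustration of the “flag secrets before they reach git” idea (this is example code, not a tool the newsletter or Toyota uses), the script below scans staged files from a pre-commit hook for credential shapes: the documented AWS access key ID format, private key headers, and quoted assignments to names like password or api_key. The entropy threshold, file names and sample values are assumptions chosen for this example.

```python
import math
import re
import subprocess
import sys
from collections import Counter
from dataclasses import dataclass

# Credential shapes to look for. The AWS access key ID format (AKIA followed by
# 16 uppercase alphanumerics) is the documented one; the other two are generic.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)\b(password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
}
ENTROPY_THRESHOLD = 3.0  # assumed cutoff: separates placeholders from random-looking values

@dataclass
class Finding:
    path: str
    lineno: int
    kind: str

def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; low values indicate placeholders like 'changeme'."""
    counts = Counter(value)
    return -sum(c / len(value) * math.log2(c / len(value)) for c in counts.values())

def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per line that matches a credential pattern."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            # Generic assignments are noisy; only report values that look random.
            if kind == "generic_assignment" and shannon_entropy(match.group(2)) < ENTROPY_THRESHOLD:
                continue
            findings.append(Finding(path, lineno, kind))
    return findings

def scan_staged() -> list[Finding]:
    """Scan the staged (index) version of added/modified files; wire up as .git/hooks/pre-commit."""
    names = subprocess.check_output(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=AM"], text=True).split()
    findings = []
    for path in names:
        blob = subprocess.check_output(["git", "show", f":{path}"], text=True, errors="replace")
        findings.extend(scan_text(path, blob))
    return findings

if __name__ == "__main__":
    found = scan_staged()
    for f in found:
        print(f"{f.path}:{f.lineno}: possible {f.kind}")
    sys.exit(1 if found else 0)  # a non-zero exit makes git abort the commit
```

Exiting non-zero from the hook blocks the commit, so the key never reaches the central repository in the first place.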
Uber CISO convicted for ‘actively hiding’ a data breach
It’s more complicated than saying that the CISO is a scapegoat.
Joe Sullivan, the former Chief Security Officer of Uber, was convicted.
The reason for conviction was not disclosing information about a data breach in an ongoing investigation. To clarify, Uber came to know of a data breach even as there was an ongoing investigation by law enforcement about an earlier data breach. Now, Joe Sullivan should have disclosed this, but did not.
I am not a legal expert here, but that does seem like hiding information relevant to an ongoing investigation.
Take Action:
It’s a no-brainer, really. Have a strong incident reporting mechanism. Disclose incidents as early as possible, and clearly.
CISOs are under pressure to not ‘classify’ something as a breach that needs to be reported.
When under pressure, keep your head above water and decide if it is a genuine breach. If you classify it as one, then report it!