Software code repositories might be hiding credentials, sensitive data, and other secrets of an organization without the knowledge of developers. If this information gets in the hands of cybercriminals, it could be an invaluable source for launching cyberattacks, say the cybersecurity experts at Twilio, who have released an open-source tool that alerts the developers if they accidentally attach any personal or sensitive data in their code before uploading it to a repository.
Known as Deadshot, the tool overlooks real-time GitHub pull requests. It marks the possible addition of any sensitive information in any codes, and it varies to sensitive functionality. As per a senior product security engineer at Twilio, Laxman Eppalagudem, who worked on the project says it's not possible for an individual to manually monitor an entire codebase of an organization, hence, their team developed an automatic monitoring tool to search and mark sensitive data.
Deploy and Forget
The software will work as a "deploy and forget" tool, as Deadshot would work the entire codebase, it would alert project handlers if any sensitive data flows out of the organization. The safety teams can differentiate what the tool monitors and the alerts can be sent out using Jira Ticket or Slack. Leaky commits: The unintentional reveals of credentials and secrets to code repositories have always been a major problem, says senior product manager Yashvier Kosaraju. The software is aimed to remove the need to manually reviewing the entire codebase, pulling requests for sensitive data commits, which, we're all aware, don't scale.
The software is designed in a manner so that it can only be installed on GitHub accounts by company admins. As per Twilio, it reduces the Rick of hackers exploiting Deadshot for malicious purposes. According to The Daily Swig, "GitHub already has security scanning capabilities, Blore noted. Developers could also use the open-source tool Gittyleaks to scan for API keys, passwords, and other sensitive data. Twilio is actively looking for feedback and feature requests from Deadshot users and the open-source community, Kosaraju said." Experts believe it is a good initiative to avoid ransomware attacks.
