Best practices that can prevent exposure of development tokens

Information security is not just technology and tools. It is a mindset, a path that a company chooses to walk whenever it needs to organize and maintain infrastructure environments, computer networks, internal policies, employee access management, and more. However, this effort runs into barriers when the products that need protecting, or that help provide that protection, do not have security in their DNA.

Active security layers in an enterprise lose strength when there are products that have been poorly developed from a cyber protection standpoint. Therefore, we have listed some key practices for making a product secure from the ground up.

Application Security

Cyberattacks find numerous entry points into an environment: doors such as misconfigurations on a server, or social engineering, as when an employee opens a malicious file and infects the entire network with malware. However, even if weaknesses are mapped and fixed, and even if the protection architecture is well designed, these active security layers lose strength when a company's environment contains poorly developed applications and web systems, because the information has already been exposed through carelessness in development.

The agile delivery of a system is what all companies expect, but speed cannot compromise security factors. This understanding gave rise to the concept of secure development, which consists of a set of practices and tools that help create products that are secure from their birth, taking into account important points around cyber risks.

Quality development, on time, and with adequate security is the definition of a successful delivery. Besides delivery, there is also the maintenance of the security of the software in its lifecycle and the underlying infrastructure. Secure development strategies should address a few points, such as:

  • Policies on information storage and source code;
  • Human resources and supplier management;
  • Assets used;
  • Communication channels.

OWASP

When we talk about secure development, in addition to the strategies mentioned, it is important to highlight the global reference on this subject: OWASP (Open Web Application Security Project), a global community of developers, researchers, and information security experts whose goal is to find and mitigate vulnerabilities in web applications. Its members exchange knowledge openly and provide free content to help professionals in the field.

The main contribution of this community is the OWASP Top 10 ranking, a regularly updated report that lists the ten most critical, common, and dangerous categories of risk in web application development. The latest edition is for the year 2021, and its categories are:

  • A01:2021 - Broken Access Control: Failures in access control lead to exposure of information and to modification or deletion of data by unauthorized users;
  • A02:2021 - Cryptographic Failures: A major factor in the exposure of confidential data;
  • A03:2021 - Injection: The most common injections affect SQL and NoSQL databases, operating system commands and LDAP;
  • A04:2021 - Insecure Design: An area that includes lack of protection for stored data, business logic flaws, and displaying content that reveals confidential information;
  • A05:2021 - Security Misconfiguration: OWASP flags the growth of this category, driven by continuous changes in highly configurable software;
  • A06:2021 - Vulnerable and Outdated Components: Directly related to the large increase in the use of third-party components and libraries without proper security validation, which can generate large volumes of vulnerabilities in applications;
  • A07:2021 - Identification and Authentication Failures;
  • A08:2021 - Software and Data Integrity Failures;
  • A09:2021 - Security Logging and Monitoring: A category that targets problems which make it difficult to analyze a data breach or other form of attack;
  • A10:2021 - Server-Side Request Forgery: The adoption of cloud services and increasingly complex architectures has increased the severity of SSRF attacks.

For the case study covered in this newsletter, we highlight OWASP category A04:2021 - Insecure Design as the point of attention, since the case involves exposure of content containing confidential information.

In some recent cyber attacks we have identified critical flaws of exactly this kind, and we give an example below.

There are numerous tools that help developers maintain, collaborate on and review code, such as GitHub and Postman, but through lack of care they end up exposing important and valuable information. We present one of the identified cases to explain what happened and raise awareness about code storage; the sensitive data has been withheld so as not to expose the company any further.

The use of the Postman platform for API key storage

Postman is a platform for building and using APIs (Application Programming Interfaces). It simplifies every step of the API lifecycle and streamlines collaboration, but it is an open platform: anyone can access content that is set to public.

In this specific case, we identified an entire repository containing critical information: the complete source code structure and possible links to other vendors, which also implies the exposure of other companies. In the images below we can identify API keys, sensitive vendor information and exposed credentials, all of which make for a very easy point of exploitation and attack.

The consequences of exposing the API key

An API key (or token) should only be stored in a private, access-restricted database and should never be publicly exposed. Disclosing it can have serious consequences for the environment.
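As an added example (not code from the original post or from Postman), the check below scans an exported Postman collection for literal credentials in headers, auth parameters and request bodies, and flags anything that is not a `{{variable}}` reference resolved from a private environment. The collection is a constructed sample, not data from the case described.

```python
import json
import re
# Header names, auth fields and body keys that normally carry credentials.
SECRET_KEYS = re.compile(r"authorization|api[-_]?key|token|secret|password|passwd", re.I)
# A Postman variable reference like {{api_key}}: the value stays in a private environment.
VARIABLE_REF = re.compile(r"^\s*\{\{[^}]+\}\}\s*$")

# Constructed sample collection (Postman v2.1 layout, not real data): one request
# hard-codes a key, one uses a variable, one keeps a login in a raw JSON body.
SAMPLE_COLLECTION = {
    "info": {"name": "vendor-api (constructed sample)"},
    "item": [
        {"name": "list invoices", "request": {"url": "https://api.example.invalid/invoices", "header": [{"key": "x-api-key", "value": "sk_live_EXAMPLEKEY0123456789"}]}},
        {"name": "list vendors", "request": {"url": "https://api.example.invalid/vendors", "header": [{"key": "x-api-key", "value": "{{api_key}}"}]}},
        {"name": "login", "request": {"url": "https://api.example.invalid/login", "body": {"mode": "raw", "raw": json.dumps({"email": "dev@example.invalid", "password": "Hunter2!"})}}},
    ],
}

def is_literal_secret(key, value):
    """Non-empty string under a credential-like key that is not a {{variable}} reference."""
    return (isinstance(value, str) and value != "" and SECRET_KEYS.search(key) is not None
            and VARIABLE_REF.match(value) is None)

def redact(value):  # report a prefix only, so the scan output never re-exposes the secret
    return f"{value[:4]}... ({len(value)} chars)"

def find_hardcoded_secrets(node, path="", findings=None):
    """Return every literal credential in a Postman collection dict (headers, auth, bodies)."""
    findings = [] if findings is None else findings
    if isinstance(node, dict):
        k, v = node.get("key"), node.get("value")  # Postman stores headers/auth params as {key, value}
        if isinstance(k, str) and is_literal_secret(k, v):
            findings.append({"path": path, "key": k, "value": redact(v)})
        for name, child in node.items():
            if name in ("key", "value"):
                continue
            if is_literal_secret(name, child):  # e.g. "password" inside a parsed JSON body
                findings.append({"path": f"{path}/{name}", "key": name, "value": redact(child)})
            elif name == "raw" and isinstance(child, str):
                try:  # raw bodies are usually JSON; parse them so embedded credentials are seen
                    find_hardcoded_secrets(json.loads(child), f"{path}/raw", findings)
                except ValueError:
                    pass
            else:
                find_hardcoded_secrets(child, f"{path}/{name}", findings)
    elif isinstance(node, list):
        for i, child in enumerate(node):
            find_hardcoded_secrets(child, f"{path}[{i}]", findings)
    return findings
```

Running it on the sample reports the hard-coded `x-api-key` header and the password in the login body, while the request that uses `{{api_key}}` passes; the same walk works on a collection file loaded with `json.load`.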

Figure 1 - Identified repository with exposed API keys

Sensitive Vendor Information

Here we find sensitive data such as name, document number, address, payment method and description, all in clear text with the names exposed. This makes it easy to identify the actors involved and to use the data for fraud.

Figure 2 - Identified repository with sensitive supplier data and invoices

Displayed Credentials

This is the most critical data found, since the employee's name, e-mail and password can be easily identified, which brings several consequences if used by malicious agents.

Figure 3 - Repository containing email address and password in plain text

Figure 4 - Repository containing email address and password in plain text

So we see that some repositories exist only for testing or staging (homologation), but the information they contain is critical and can give direct access to other systems and infrastructures.

We therefore raise the alert for awareness in the use of these types of tools: always keep them private and be cautious about the type of information added, because no platform is totally safe.

Developers need to be aware of security practices, and a security team should be involved throughout the development lifecycle, so that product delivery is successful and security is present, which adds value to the final product.