The recent Uber breach saw attackers obtain credentials to a private GitHub repository, which they then used to access the company's network. Is a private repository well-protected from threat actors? Should enterprises think twice about using services like GitHub for fear of exposing sensitive information?
Over the past couple of years, Uber has received a few black eyes when it comes to security. The news of the latest Uber breach involving a private code repository should remind users that code repositories are frequent targets for attackers because of sloppy developer practices. We've seen many organizations publish code to GitHub publicly that included passwords and private keys.
Many people seem to jump the gun when considering this breach. I've spoken to a few people about this, and Uber wasn't hosting their code on a public version of GitHub. That being said, there are obvious concerns about hosting data on a third-party site without having additional security controls in place. It's unclear what, if any, controls were in place for Uber's repository and how the hackers obtained access to it.
In this instance, there were two third-party services at play: GitHub and Amazon Web Services (AWS). It was reported that the attackers used login credentials found in the repository to access Uber's AWS environment. They were then able to further sift through the AWS infrastructure until they found sensitive data that was valuable enough to sell.
Personally, I think this is less of a code repository issue and more of a general security failure because, in this scenario, there were multiple areas of failure that led to the data breach.
First things first: Let's not publish passwords, tokens or encryption keys in software code itself. This is just good practice, and starting there will help to develop a resilient threat model. The same advice goes for both public and private code being stored in repositories.
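One way to enforce the "no secrets in code" rule is a pre-commit hook that refuses a commit whose staged diff contains credential-shaped strings. The scanner below is an added example written for this article, not code from the original Q&A or from GitHub or AWS; the regexes, the `--self-test` flag and the sample diff are assumptions chosen for illustration (the key ID in the sample is the example value from AWS's own documentation, not a real credential).

```python
"""Pre-commit secret scanner (illustrative, added example).

Scans the added lines of a unified diff (such as the output of
`git diff --cached`) for patterns that usually indicate a credential:
AWS access key IDs, PEM private key blocks, and hard-coded
password/secret/token assignments. Used as a pre-commit hook, any finding
blocks the commit so the secret never reaches the repository, public or
private.
"""
import re
import subprocess
import sys

# Detection patterns are assumptions for illustration; tune them for your code base.
PATTERNS = {
    # AWS access key IDs: 20 characters beginning with AKIA (long-term) or ASIA (temporary)
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # Any PEM-encoded private key block (RSA, EC, OpenSSH, PKCS#8, ...)
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    # password/secret/token assigned a quoted literal, e.g. DB_PASSWORD = "hunter2"
    "hardcoded_credential": re.compile(
        r"(?i)(password|passwd|secret|token|api_key)\s*[:=]\s*['\"][^'\"]{4,}['\"]"
    ),
}


def scan_lines(lines):
    """Return (line_number, pattern_name, text) for each added diff line that matches.

    Only lines starting with a single '+' (added content) are inspected; the
    '+++' file header and removed ('-') or context lines are ignored, so a
    secret being deleted from a file does not block the commit.
    """
    findings = []
    for lineno, line in enumerate(lines, start=1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        content = line[1:]
        for name, pattern in PATTERNS.items():
            if pattern.search(content):
                findings.append((lineno, name, content.strip()))
    return findings


# Constructed sample diff: a settings file that leaks an access key ID, a
# password and a private key, while correctly reading one secret from the
# environment. The key ID is AWS's documented example value.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,3 +1,7 @@
 DEBUG = False
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = os.environ["AWS_SECRET_ACCESS_KEY"]
+DB_PASSWORD = "correct-horse-battery"
+-----BEGIN RSA PRIVATE KEY-----
-OLD_TOKEN = "placeholder"
""".splitlines()


def staged_diff():
    """Return the staged diff of the current git repository as a list of lines."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--unified=0"],
        capture_output=True, text=True, check=True,
    )
    return out.stdout.splitlines()


if __name__ == "__main__":
    # `--self-test` (an assumed flag) scans the constructed sample; otherwise the
    # script behaves as a pre-commit hook and exits non-zero on any finding.
    lines = SAMPLE_DIFF if "--self-test" in sys.argv else staged_diff()
    findings = scan_lines(lines)
    for lineno, name, text in findings:
        print(f"blocked: line {lineno} matches {name}: {text}")
    sys.exit(1 if findings else 0)
```

Installed as `.git/hooks/pre-commit`, the script runs against the staged diff on every commit; run it with `--self-test` to see it flag the key ID, the password literal and the private key header while letting the `os.environ[...]` line through. A hook like this is a safety net, not a substitute for keeping credentials in a secrets manager or environment variables in the first place, and the patterns should be extended for whatever token formats your organization actually uses.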
Likewise, when authenticating to both GitHub and AWS, using multifactor authentication for both is not only possible, but highly recommended.
There are risks when using third-party code repositories, as the Uber breach demonstrated, but many third-party providers offer security features that should be used. In this particular instance, it seems they weren't, and were possibly ignored outright.
Ask the expert:
Want to ask Matt Pascucci a question about security? Submit your question now via email. (All questions are anonymous.)