Cloud security isn’t just about protecting production code, it means securing your development code too. That's the lesson from a recent project by a group of security researchers who found people leaking valuable secrets in continuous integration (CI) logs.
CI is the process of automatically integrating each change that developers make to their code into a central repository, several times each day. A CI tool then builds and tests that code. By integrating tests more closely into the software development process, CI weeds out gnarly software quality problems early on in the process when they're easier to fix.
The problem lies with the log files that the tools running those CI processes create. They can often contain secrets such as environment variables and personal access tokens that would be useful to intruders.
“Due to the way lots of open-source teams strive for complete transparency and openness in the development process, projects were hesitant to hide build log data on continuous-integration platforms,” the researchers said.
Secrets in build logs are a well-known problem in the developer community. The researchers pointed to one case from 2015 where an employer at bug bounty company Hacker One inadvertently published their own GitHub personal access token in a build log.
The researchers found that developers continue to make these mistakes. They searched for organizations offering bug bounties that also used the Travis CI tool, and then used the Travis API to download those organizations' build logs. Then they searched the logs to see what they could find, using keywords like “token”, “key”, “password”, and “secret”.
They found GitHub access tokens, which gave them access to change code in the organizations' GitHub repositories, and in one case, to an SSH key.
Developers embracing CI practices should be sure that they’re protecting their build logs, warned the researchers. “Setting up continuous monitoring of your favorite bug bounty program’s CI builds, and running your tooling every time the team pushes a new commit to GitHub, is a great way to catch exposed secrets in real time before the team has time to act,” they said.
The topic of Cloud Security will be covered throughout the free-to-attend conference at Infosecurity Europe in London from 4-6 June. See all the talks on Cloud Security here. Infosecurity Europe is the leading European event for information and cyber security; find out more and secure your free visitor badge.
