mackenzie-gg
|
5 years ago
|
on: SolarWinds leaked FTP credentials through a public GitHub repo since 2018
Check HackerOne to see if the company is listed. This is a site where white hat hackers can post vulnerabilities and in return get rewarded for bounties.
If you have information on a vulnerability for a large social media, you might be looking at a nice reward.
https://www.hackerone.com/product/bounty
mackenzie-gg
|
5 years ago
|
on: SolarWinds leaked FTP credentials through a public GitHub repo since 2018
What is interesting here, though, is that this leak, like the Covid-19 leak in Brazil, was on an employee's GitHub, not a company account. So sure, the employee could have prevented it, but from a company perspective, they have no authority to enforce coding practices on a personal GitHub account.
The only thing I can see preventing this at an organisational level is a DLP solution scanning the repositories (GitGuardian does this, for example).
mackenzie-gg
|
5 years ago
|
on: SolarWinds leaked FTP credentials through a public GitHub repo since 2018
You can put detection in the CI/CD pipeline to prevent secrets from getting into the repository. And in any case, knowing as soon as possible that the horses have run away is pretty essential to damage prevention.
What is interesting for me here is that this leak, like the Brazilian Covid leak, happened because of an employee's GitHub repository, which companies have no authority over.
GitGuardian at least scans the GitHub accounts of employees though.
mackenzie-gg
|
5 years ago
|
on: What will happen when you commit secrets to a public Git repo?
It's a difficult challenge. Secrets detection is probabilistic; without checking the credentials, it's nearly impossible to determine, with 100% accuracy, a true vs. a false positive. But it has made big improvements. What detection solutions have you been using?
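The two ideas in the comments above, putting secrets detection into the CI/CD pipeline so a credential is rejected before it reaches the remote, and the fact that such detection is probabilistic (a pattern match cannot prove a string is a live credential, so a scanner has to carry confidence levels and allowlists rather than a yes/no answer), are shown together in the added example below. This is not GitGuardian's code or API and is not from the original thread; the detector patterns, confidence levels, entropy threshold, allowlist and the sample file tree are all assumptions constructed here for illustration.

```python
"""A small secrets scanner of the kind you would wire into a pre-commit hook
or a CI job so a commit carrying credentials is rejected before it reaches the
remote. Added example: this is not GitGuardian's code or API, and the detector
patterns, confidence levels and sample files are all assumptions made here."""
import math
import re
from collections import Counter
from dataclasses import dataclass

# (name, pattern, base confidence, index of the regex group holding the secret).
# Patterns are modelled on common token formats; they are illustrative, not exhaustive.
DETECTORS = [
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"), "high", 0),
    ("github_token", re.compile(r"\bghp_[A-Za-z0-9]{36}\b"), "high", 0),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"), "high", 0),
    # Keyword followed by an assignment: only "medium" because the value is unstructured.
    ("generic_assignment",
     re.compile(r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?([^\s'\"]{8,})"),
     "medium", 2),
]
# Values that look like templates rather than credentials: <...>, ${...}, {{...}}.
TEMPLATE_RX = re.compile(r"^(<[^>]*>|\$\{[^}]*\}|\{\{[^}]*\}\})$")
# Substrings that mark documented placeholders (e.g. the AWS docs example key).
DEFAULT_ALLOWLIST = ("EXAMPLE", "placeholder")
LOW_ENTROPY_BITS = 3.0  # below this, a generic match is probably "changeme"-style filler


@dataclass
class Finding:
    path: str
    line_no: int
    detector: str
    confidence: str  # "high" | "medium" | "low"
    excerpt: str     # redacted, so the finding itself does not leak the secret


def shannon_entropy(s: str) -> float:
    """Bits per character; random keys score high, dictionary words score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(path: str, text: str, allowlist=DEFAULT_ALLOWLIST) -> list:
    """Run every detector over every line of one file and return the findings."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for name, rx, base, group in DETECTORS:
            for m in rx.finditer(line):
                value = m.group(group)
                if any(a in value for a in allowlist):
                    continue  # known placeholder, not a credential
                level = base
                if name == "generic_assignment" and (
                    TEMPLATE_RX.match(value) or shannon_entropy(value) < LOW_ENTROPY_BITS
                ):
                    level = "low"  # keep it visible, but do not fail the build on it
                findings.append(Finding(path, line_no, name, level, value[:4] + "****"))
    return findings


def scan_files(files: dict, allowlist=DEFAULT_ALLOWLIST) -> list:
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text, allowlist))
    return out


def ci_gate(findings: list, fail_on=("high", "medium")) -> int:
    """Exit status for a pipeline step: 1 blocks the commit/merge, 0 lets it through."""
    return 1 if any(f.confidence in fail_on for f in findings) else 0


# Constructed sample tree (no real credentials; the AWS-style key is made up).
SAMPLE_FILES = {
    "deploy/ftp.env": "FTP_USER=deploy\nFTP_PASSWORD=Xk9#vQ2mLp7!bN4z\n",
    "infra/aws.tf": 'access_key = "AKIAQ3ZX7LM2PB9RTW4V"\n'
                    '# from the AWS docs, not a real key:\n'
                    'example_key = "AKIAIOSFODNN7EXAMPLE"\n',
    "keys/deploy.pem": "-----BEGIN RSA PRIVATE KEY-----\n(body omitted)\n-----END RSA PRIVATE KEY-----\n",
    "tests/fixtures.py": 'DB_PASSWORD = "changeme"\nTOKEN = "placeholder"\n',
    "docs/README.md": "Set API_KEY=<your-key-here> before running.\n",
}

if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for f in results:
        print(f"{f.path}:{f.line_no} {f.detector} [{f.confidence}] {f.excerpt}")
    raise SystemExit(ci_gate(results))
```

Run as a pre-commit hook or CI step, the non-zero exit status is what stops the commit or merge. The three confidence levels are the practical answer to the "true vs. false positive" problem: structured formats (AWS key IDs, PEM headers) are rare enough in ordinary code to block on outright, a keyword-plus-value match is blocked unless it looks like filler or a template, and placeholders documented in the allowlist are dropped. None of that verifies the credential; only trying it against the issuing service would, which is exactly why a scanner stays probabilistic.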
mackenzie-gg
|
5 years ago
|
on: What will happen when you commit secrets to a public Git repo?
GitGuardian scans on every event, including a public event (when a repo is made public), and will alert if secrets are found within.
mackenzie-gg
|
5 years ago
|
on: How to scan local files for secrets in Python using the GitGuardian API
How to scan local files for secrets like API keys and security certificates in Python using the GitGuardian API.