Avinash Jain

Avinash is security lead at Quince, and earlier was a security researcher at Microsoft. He has also built complete end-to-end information security in a couple of startups. He loves to break application logic and find vulnerabilities that have been acknowledged by various MNCs and govs. He writes about security vulnerabilities, data privacy issues, and everything security that can be found on his website logicbomb.in . Some of his articles and interviews have been published in various news media. He is a cybersecurity speaker with a keen interest in Cloud Security and DevSecops.

Talk / Workshop: Talk

Description

Ensure Credential Hygiene and Reduced Risk of Leakage Across Systems

A report from the security firm Detectify said that it analyzed public GitHub repositories and found more than 1,500 unique “access tokens” that could be used to retrieve private messages from Slack, the popular office messaging app that many companies rely on as their primary communication platform.
The biggest threat to any organization comes from the leakage of its system credentials (including secrets), whether through an application-level vulnerability, a server misconfiguration, credentials shared over communication channels, compromised tokens, or an employee’s mistake. These secrets can be user or system credentials, production keys, database passwords, cloud access tokens, and so on. We can implement stringent controls around the application and monitor it, or harden servers to prevent various kinds of misconfiguration. But what about when an employee or developer with highly privileged access mistakenly hard-codes credentials into a project and unknowingly pushes it to a public GitHub repository, or shares secrets via channels like Slack, Hangouts, or Pastebin, and someone outside the organization gets hold of them? It is an easy mistake to make, and it can lead to catastrophic breaches, particularly when the credentials unlock systems that are crucial to business processes.
“A simple query on GitHub search can give you access to a bunch of credentials that people inadvertently leave in their code. This is what happened with Uber in 2014 when hackers stole data of 50,000 drivers by getting into the company’s database using login credentials which an Uber employee had committed to a public GitHub repository by accident and was available for months.”

  • How do you tackle such mishaps?
  • How do you prevent leakage of system security credentials?
  • What do you do to reduce its risk by implementing access control policies?
The answers to these questions are what we are going to cover in this session. We will discuss an in-house solution built from custom code, HashiCorp Vault, ACL policies, and automation, which not only reduces the risk of credential leakage but also brings other benefits:
  • Logging and tracking every action performed with the credentials
  • The ability to revoke a token when a breach occurs, without having to re-encrypt data or regenerate all the keys
  • Assigning a TTL policy to a token and expiring it when required
  • Setting up access control policies and RBAC

After implementing this, any developer can generate, on the fly, any system credential they are authorized to generate, and use it with a dynamic time lease attached.
In this talk, we will go deep into the solution’s implementation, its technical specifications, a live demo, the complete framework, and the lessons we have learned through years of working with developers and DevSecOps.
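As an added example (not the speaker’s own code or the solution presented in the talk), the script below sketches the Vault side of such a setup with the vault CLI: an audit log, a least-privilege ACL policy, dynamic PostgreSQL credentials bound to a lease, a developer token role with a capped TTL, and one-call revocation. Policy names, mount paths, the database host and the team secret paths are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not the speaker's code): least-privilege Vault setup for
# short-lived, revocable DB credentials. Names, paths and hosts are assumptions.
set -euo pipefail

POLICY_FILE="${POLICY_FILE:-${TMPDIR:-/tmp}/dev-readonly.hcl}"

# 1. ACL policy: developers may mint read-only DB creds and read their own
#    team's secrets; another team's secrets are explicitly denied.
write_policy() {
  cat > "$POLICY_FILE" <<'EOF'
path "database/creds/app-readonly" { capabilities = ["read"] }
path "secret/data/team-app/*"      { capabilities = ["read", "list"] }
path "secret/data/team-payments/*" { capabilities = ["deny"] }
path "auth/token/revoke-self"      { capabilities = ["update"] }
EOF
}

# 2. Server side: audit log, policy, dynamic DB role, capped token role.
configure_vault() {
  vault audit enable file file_path=/var/log/vault_audit.log   # log every use
  vault policy write dev-readonly "$POLICY_FILE"
  vault secrets enable -path=database database
  # Vault alone holds the long-lived DB admin credential; developers never see it.
  vault write database/config/app-postgres \
    plugin_name=postgresql-database-plugin allowed_roles="app-readonly" \
    connection_url="postgresql://{{username}}:{{password}}@db.internal:5432/app?sslmode=require" \
    username="vault_admin" password="${VAULT_DB_ADMIN_PASSWORD:?set in env}"
  # Each read of database/creds/app-readonly creates a fresh DB user that
  # dies with its lease: 1h by default, 24h hard cap.
  vault write database/roles/app-readonly db_name=app-postgres \
    creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
    default_ttl="1h" max_ttl="24h"
  # Developer tokens carry only this policy and cannot outlive 8h.
  vault write auth/token/roles/dev allowed_policies="dev-readonly" \
    token_explicit_max_ttl="8h" orphan=true
}

# 3. Developer flow: a 1h token, then dynamic creds issued under a lease.
issue_creds() {
  local dev_token
  dev_token=$(vault token create -role=dev -ttl=1h -field=token)
  VAULT_TOKEN="$dev_token" vault read -format=json database/creds/app-readonly
}

# 4. Incident response: revoke every credential the role ever issued.
revoke_all() { vault lease revoke -prefix database/creds/app-readonly; }

write_policy
if command -v vault >/dev/null 2>&1; then configure_vault && issue_creds; fi
```

The policy file is always written so it can be reviewed and committed; the live Vault steps run only when the vault CLI is on PATH and VAULT_ADDR/VAULT_TOKEN point at a server you administer.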
