Canadian financial giant, Scotiabank, has torn down GitHub repositories, which were inadvertently left open to the public and contained sensitive internal source code information, as well as some private login keys to backend systems.
.@Scotiabank embracing open source – puts code on Github https://t.co/RUuLFWyjsj via @Finextra #fintech
— Adam Nanjee (@adamnyyz) August 16, 2018
Unfortunately, seeing a report about an unsecured database is no longer an unusual event. The number one responsibility of all organisations is to defend their data. Leaving personal and sensitive information unprotected is not only careless – it’s irresponsible. Misconfigurations like this have grown in popularity as an attack vector across all industries. This highlights the reality that organizations are struggling with limited IT resources and, consequently, are susceptible to careless and reckless mistakes like this one. However, even companies with limited IT resources must take full responsibility for securing user data – there is no excuse for negligent security practices such as leaving databases exposed.
To ensure data is always safe, companies should look for security platforms that enforce real-time access control, detect misconfigurations through cloud security posture management, encrypt sensitive data at rest, manage the sharing of data with external parties, and prevent the leakage of sensitive information.
Public code repositories and other code and data sharing projects can greatly facilitate DevSecOps and accelerate agile software development. However, they likewise bring a wide spectrum of critical business risks from inadvertent or careless data leaks, exacerbated by third-party developers with insufficient security training. Some developers recklessly share passwords from production systems on Pastebin, thereby opening doors to their digital realms without thinking about the consequences.
Cybercriminals are well aware of the situation and are continuously crawling publicly accessible data sources to get sensitive source code, hard-coded credentials and API keys. Worse, they often succeed, and their intrusions frequently remain undetected because virtually no abnormal activity occurs.
Large companies need to thoughtfully design a secure software development policy, and properly enforce and monitor it. Regular security training for developers should be an essential part of the policy. Special attention must be given when developers are outsourced to third-parties unfamiliar with security procedures and best practices.
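One concrete way to enforce and monitor such a policy is a secret-scanning check run over source before it is pushed (for example, as a pre-commit hook or CI step). The following is an added example written for this article, not code from Scotiabank or any scanning product: it flags assignments to credential-like names whose values look random (Shannon entropy) and literals matching well-known fixed-prefix key formats. The sample source, key prefixes and thresholds are constructed assumptions for illustration.

```python
import math
import re
from typing import List, Tuple

# Constructed sample of content that should never reach a public repository:
# a config fragment with a hard-coded password and two API-key-like tokens.
# All values below are made-up placeholders, not real credentials.
SAMPLE_SOURCE = """\
DB_HOST = "db.internal.example"
DB_PASSWORD = "S3cr3t-Pr0d-P@ss!"
AWS_ACCESS_KEY_ID = "AKIAEXAMPLEKEY000001"
API_TOKEN = "ghp_aB3dE6fG9hJ2kL5mN8pQ1rS4tU7vW0xYz123"
APP_NAME = "payments-service"
"""

# A string literal assigned to a name that suggests a credential.
CREDENTIAL_NAME = re.compile(
    r'(?i)\b([A-Z_]*(password|passwd|secret|token|api_?key|access_key)[A-Z_]*)'
    r'\s*=\s*["\']([^"\']+)["\']'
)
# Fixed-prefix key formats (assumed here: AWS access key id, GitHub token).
KNOWN_PREFIX = re.compile(r'\b(AKIA[0-9A-Z]{16}|ghp_[A-Za-z0-9]{36})\b')


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking credentials score higher than words."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan(text: str, min_entropy: float = 3.0) -> List[Tuple[int, str, str]]:
    """Return (line_number, reason, value) for each likely hard-coded credential."""
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in KNOWN_PREFIX.finditer(line):
            findings.append((lineno, "known key format", m.group(1)))
        m = CREDENTIAL_NAME.search(line)
        if m:
            value = m.group(3)
            # Skip lines the prefix rule already reported, and short or
            # low-entropy placeholders such as "changeme".
            reported = any(f[0] == lineno for f in findings)
            if not reported and len(value) >= 8 and shannon_entropy(value) >= min_entropy:
                findings.append((lineno, f"credential-like name {m.group(1)}", value))
    return findings


if __name__ == "__main__":
    for lineno, reason, value in scan(SAMPLE_SOURCE):
        print(f"line {lineno}: {reason}: {value}")
```

In a pre-commit hook the same `scan` would run over staged files and block the commit on any finding, which is exactly the kind of enforceable control the policy above calls for.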