DevSecOps London Gathering - April Event


Details
Save the date and make sure you're in London for this one!
The next DevSecOps London Gathering event will be LIVE in London. Reserve your spot as we have another fascinating guest lined up.
How leaky can it git? Finding millions of publicly leaked secrets
The problem of publicly exposed secrets, such as API keys and other credentials, is a widespread weakness affecting organizations of all sizes. The scale of this problem was quantified in a year-long research study by GitGuardian, which found that 10 million secrets were leaked in public repositories on GitHub.com.
The report also showed that nearly 5% of Docker images contain at least one plaintext secret. This talk will examine why secrets are so frequent in public spaces despite being a highly valuable asset, and how attackers discover these credentials.
Building on this, we break down three recent successful attacks that all used leaked credentials: CodeCov 2021, Indian Government 2020 and the Lapsus breaches of 2022. Examining the methodology used in each, we will show the different techniques attackers used to harvest and exploit credentials. Finally, we break down the different methods and tools that can be used to extract secrets from source code, reviewing the pros and cons of each.
