git 源码泄漏
Countless developers are using Git for version control, but many don’t have enough knowledge about how Git works. Some people even use Git and Github as tools for backup files. This leads to information disclosure in Git repositories. Thousands of new API or cryptographic keys leak via GitHub projects every day.
无数的开发人员正在使用Git进行版本控制,但是许多开发人员对Git的工作方式没有足够的了解。 有些人甚至将Git和Github用作备份文件的工具。 这导致Git存储库中的信息泄露。 每天都有数千个新的API或加密密钥通过GitHub项目泄漏。
I have been working in the field of information security for three years. About two years ago, our company had a severe security issue triggered by the information leak in a Git repository.
我从事信息安全领域已经三年了。 大约两年前,由于Git存储库中的信息泄漏,我们公司遇到了严重的安全问题。
An employee accidentally leaked an AWS key to Github. The attacker used this key to download more sensitive data from our servers. We put a lot of time into fixing this issue, we tried to find out how much data leaked, analyzed the affected systems and related users, and replaced all the leaked keys in systems.
一名员工不小心将AWS密钥泄露给了Github。 攻击者使用此密钥从我们的服务器下载更多敏感数据。 我们花了很多时间来解决此问题,我们试图找出泄漏了多少数据,分析了受影响的系统和相关用户,并替换了系统中所有泄漏的密钥。
It is a sad story that any company and developer would not want to experience.
任何公司和开发人员都不想体验,这是一个可悲的故事。
I won’t write more details about it. Instead, I hope more people know how to avoid it. Here are my suggestions for you to keep safe from Git leaks.
我不会写更多细节。 相反,我希望更多的人知道如何避免这种情况。 这是我为您提供的防止Git泄漏的建议。
建立安全意识 (Build security awareness)
Most junior developers don’t have enough security awareness. Some companies will train new employees, but some companies don’t have systematic training.
大多数初级开发人员没有足够的安全意识。 一些公司将培训新员工,但是一些公司没有系统的培训。
As a developer, we need to know which kind of data may introduce security issues. Remember these categories of data can not be checked into Git repository:
作为开发人员,我们需要知道哪种数据可能会带来安全问题。 请记住,这些类别的数据无法检入Git存储库:
- Any configuration data, including password, API keys, AWS keys, private keys, etc. 任何配置数据,包括密码,API密钥,AWS密钥,私钥等。
最低0.47元/天 解锁文章
1752
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
