
Secrets in the Code: Open-Source API Security Risks

Apiiro's Moshe Zioni on Threats That Code Creates Across the Software Supply Chain

Among the many hidden risks in open-source API security is the habit of developers placing insecure, hardcoded "secrets" in their code. These may include "tokens to a specific API service that can give you credentials to implement or to access cloud services and cloud resources of the organization," says Moshe Zioni, vice president of security research at Apiiro.

The company in June published the report "Secrets Insights: Across the Software Supply Chain," which analyzed 20 different organizations of different sizes in different industries and found 2 million "commits" that hackers could potentially pick up. A commit, Zioni says, is a "single piece of code that is being pushed into an open-source repository."

Zioni says the "most revealing fact from the report" is that "34% of secrets that were found were added to those repositories during the first quarter of the year." He speculates that this could be due to AppSec teams having less time to do code reviews during the end-of-the-year holidays and new developers hired at the beginning of the year making more mistakes.

In this episode of "Cybersecurity Unplugged," Zioni also discusses:

  • The process for responsible disclosure of a vulnerability;
  • Defending code "as early as you can" and locking versions to mitigate ransomware attacks;
  • The risks posed by private repositories.

Moshe Zioni has been researching security for over 20 years in multiple industries, specializing in penetration testing, detection algorithms and incident response. He is a regular contributor to the hacking community and has been a co-founder of the Shabbatcon security conference for the past six years.
