// NEXUSVOID CYBER NEWS

<- ALL CYBER NEWS

Notable

CISA, secrets leak, GitHub, AWS GovCloud, credentials, secret scanning, postmortem

CISA Left Its Own Keys in a Public GitHub Repo, and Wrote Up Why

A contractor pushed dozens of internal CISA credentials, including AWS GovCloud keys, to a public GitHub repository. The agency's own postmortem is a clean lesson in the most common way secrets leak.

The US Cybersecurity and Infrastructure Security Agency has published a postmortem on a data leak in which a contractor committed dozens of internal CISA credentials, including AWS GovCloud keys, to a public GitHub repository, as reported by Krebs on Security.

This is the most common way secrets get out, and it does not require a sophisticated attacker. Keys and tokens pasted into code, then pushed to a repository that turns out to be public, are found constantly by automated scanners that watch new commits for exactly this. The window between a secret being pushed and being harvested is often minutes.

There is a lesson in the fact that it happened to CISA, of all organizations. Secrets leakage is not a maturity problem so much as a process one, and every team that lets a human hand-place credentials into code will eventually ship some of them by accident. The agency treating it openly with a postmortem is the right response, and a useful model.

The controls that prevent this are well understood. Keep secrets out of code entirely by using a secrets manager and short-lived credentials, run automated secret scanning that blocks commits before they land, and rotate any exposed key immediately on the assumption it was already seen. The goal is to make it structurally impossible to commit a working secret, not to ask people to remember not to.

Sources: Krebs on Security.

Liked this briefing? Share it:

More briefings

Related posts appear on the live page
Get the briefings first
Breaking security news, verified fast, with the one fact the headlines skip. No spam - unsubscribe anytime.