Page 1420 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

world.

               Code repositories provide several important functions supporting
               these collaborations. Primarily, they act as a central storage point for
               developers to place their source code. In addition, code repositories
               such as GitHub, Bitbucket, and SourceForge also provide version
               control, bug tracking, web hosting, release management, and
               communications functions that support software development.

               Code repositories are wonderful collaborative tools that facilitate
               software development, but they also have security risks of their own.
               First, developers must appropriately control access to their
               repositories. Some repositories, such as those supporting open-source
               software development, may allow public access. Others, such as those
               hosting code containing trade secret information, may be more
               limited, restricting access to authorized developers. Repository owners
               must carefully design access controls so that each user is granted
               only the read and/or write access that their role requires.



                  Sensitive Information and Code Repositories


                  Developers must take care not to include sensitive information in
                  public code repositories. This is particularly true of API keys.

                  Many developers use APIs to access the underlying functionality of
                  Infrastructure-as-a-Service providers, such as Amazon Web
                  Services (AWS), Microsoft Azure, and Google Compute Engine.
                  This provides tremendous benefits, allowing developers to quickly
                  provision servers, modify network configuration, and allocate
                  storage using simple API calls.

                  Of course, IaaS providers charge for these services. When a
                  developer provisions a server, it triggers an hourly charge for that
                  server until it is shut down. The API key used to create a server ties
                  the server to a particular user account (and credit card!).


                  If developers write code that includes an API key and then upload
                  that code to a public repository, anyone in the world can read the
                  key. This allows anyone to create IaaS resources and charge them to
                  the original developer's credit card! Automated scanners harvest
                  newly published keys within minutes, and deleting the key in a later
                  commit does not remove it from the repository's history. A key that
                  has been pushed to a public repository must therefore be treated as
                  compromised and revoked, not merely removed from the code.