How Bad Can It Git? Characterizing Secret Leakage in Public GitHub Repositories

Meli, Michael; McNiece, Matthew R.; Reaves, Bradley

doi:10.14722/ndss.2019.23418

Cited by 58 publications

(24 citation statements)

References 29 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Exposing hard-coded secrets, such as hard-coded keys, is not uncommon in GitHub: Meli et al [47] identified 201,642 instances of private keys, which included commonly-used API keys. Meli et al [47] reported 85,311 of the identified 201,642 instances of private keys to be Google API keys.…”

Section: Rq2: How Frequently Do Security Smells Occur For Infrastructmentioning

confidence: 99%

The Seven Sins: Security Smells in Infrastructure as Code Scripts

Rahman

Parnin

Williams

2019

2019 IEEE/ACM 41st International Conference on Software Engineering (ICSE)

144

View full text Add to dashboard Cite

Context: Security smells are coding patterns in source code that are indicative of security weaknesses. As infrastructure as code (IaC) scripts are used to provision cloud-based servers and systems at scale, security smells in IaC scripts could be used to enable malicious users to exploit vulnerabilities in the provisioned systems. Goal: The goal of this paper is to help practitioners avoid insecure coding practices while developing infrastructure as code (IaC) scripts through an empirical study of security smells in IaC scripts. Methodology: We apply qualitative analysis with 3,339 IaC scripts to identify security smells for IaC scripts written in three languages: Ansible, Chef, and Puppet. We construct a static analysis tool called Security Linter for Infrastructure as Code scripts (SLIC) to automatically identify security smells in 61,097 scripts collected from 1,093 open source software repositories. We also submit bug reports for 1,500 randomly-selected smell occurrences identified from the 61,097 scripts. Results: We identify nine security smells for IaC scripts. By applying SLIC on 61,097 IaC scripts we identify 64,356 occurrences of security smells that included 9,092 hard-coded passwords. We observe agreement for 130 of the responded 187 bug reports, which suggests the relevance of security smells for IaC scripts amongst practitioners. Conclusion: We observe security smells to be prevalent in IaC scripts. We recommend practitioners to rigorously inspect the presence of the identified security smells in IaC scripts using (i) code review, and (ii) static analysis tools.

show abstract

Section: Rq2: How Frequently Do Security Smells Occur For Infrastructmentioning

confidence: 99%

The Seven Sins: Security Smells in Infrastructure as Code Scripts

Rahman

Parnin

Williams

2019

2019 IEEE/ACM 41st International Conference on Software Engineering (ICSE)

144

View full text Add to dashboard Cite

show abstract

“…job titles, and social media uniform resource locators. Meli et al 6 revealed the prevalence of checked credentials, such as passwords or application programming interface keys, by finding more than 100,000 GitHub repositories with credentials.…”

Section: From the Editorsmentioning

confidence: 99%

The People Who Live in Glass Houses Are Happy the Stones Weren't Thrown at Them [From the Editors]

Williams

2021

IEEE Secur. Privacy

View full text Add to dashboard Cite

“…But at the same time, the entirety of the code, including the feature definitions, can be developed publicly without revealing any non-public information about the data. With this strategy, developers and maintainers must monitor submissions to ensure that data is not accidentally copied into source code files -a process that can be automated, similar to scanning for secure tokens and credentials [31,59].…”

Section: Privacymentioning

confidence: 99%

Enabling Collaborative Data Science Development with the Ballet Framework

Smith

Cito

et al. 2021

Proc. ACM Hum.-Comput. Interact.

View full text Add to dashboard Cite

While the open-source software development model has led to successful large-scale collaborations in building software systems, data science projects are frequently developed by individuals or small teams. We describe challenges to scaling data science collaborations and present a conceptual framework and ML programming model to address them. We instantiate these ideas in Ballet, the first lightweight framework for collaborative, open-source data science through a focus on feature engineering, and an accompanying cloud-based development environment. Using our framework, collaborators incrementally propose feature definitions to a repository which are each subjected to software and ML performance validation and can be automatically merged into an executable feature engineering pipeline. We leverage Ballet to conduct a case study analysis of an income prediction problem with 27 collaborators, and discuss implications for future designers of collaborative projects.CCS Concepts: • Human-centered computing → Collaborative and social computing systems and tools; Empirical studies in collaborative and social computing; • Computing methodologies → Machine learning; • Software and its engineering → Collaboration in software development.

show abstract

How Bad Can It Git? Characterizing Secret Leakage in Public GitHub Repositories

Cited by 58 publications

References 29 publications

The Seven Sins: Security Smells in Infrastructure as Code Scripts

The Seven Sins: Security Smells in Infrastructure as Code Scripts

The People Who Live in Glass Houses Are Happy the Stones Weren't Thrown at Them [From the Editors]

Enabling Collaborative Data Science Development with the Ballet Framework

Contact Info

Product

Resources

About