{"id":10678,"date":"2022-07-08T02:30:14","date_gmt":"2022-07-08T02:30:14","guid":{"rendered":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/?post_type=session&#038;p=10678"},"modified":"2024-09-03T02:23:14","modified_gmt":"2024-09-03T02:23:14","slug":"secret-scanning-in-open-source-at-scale","status":"publish","type":"session","link":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/secret-scanning-in-open-source-at-scale\/","title":{"rendered":"Secret Scanning in Open Source at Scale (in-depth)"},"content":{"rendered":"<p><strong><a href=\"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/materials\/D1T1%20-%20Secret%20Scanning%20in%20Open%20Source%20at%20Scale%20-%20Danish%20Tariq%20&amp;%20Hassan%20Khan%20Yusufzai.pdf\">PRESENTATION SLIDES<\/a><\/strong><\/p>\n<p>Conversation about supply chain security has been booming since attacks like Log4j came onto the scene.<\/p>\n<p>In this in-house research, we scanned publicly available open-source assets (JS packages, WordPress plugins, and Ruby gems) for mistakenly or deliberately exposed secrets, including private API keys for services such as AWS and Google (33 different secret types!).<\/p>\n<p>This poses a risk to anyone using those packages as dependencies or plugins: the chain of reuse that lets us avoid reinventing the wheel could become a disaster that stops the wheel once and for all.<\/p>\n<p>We will present the results of our large-scale in-house scanning of:<\/p>\n<ul>\n<li><strong>Around 2 Million+ NPM Packages. (almost all publicly available at the time of research)<\/strong><\/li>\n<li><strong>About 60,000 WordPress Plugins. 
(almost all publicly available at the time of research)<\/strong><\/li>\n<li><strong>Ruby Gems (almost all publicly available at the time of research)<\/strong><\/li>\n<\/ul>\n<p>In this talk we will present the numbers and their impact, and we will also provide ways to prevent this, including automation to integrate into your own CI\/CD pipelines so that such disasters do not happen.<\/p>\n","protected":false},"template":"","class_list":["post-10678","session","type-session","status-publish","hentry"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v23.3 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Secret Scanning in Open Source at Scale (in-depth) - HITBSecConf2024 - Bangkok<\/title>\n<meta name=\"description\" content=\"In this in-house research, we have conducted research on publicly available open-source assets like (JS packages), WordPress Plugins, and Ruby Gems to find out the presence of mistakenly or deliberately publicly exposed secrets (including private API keys and so on) i.e. AWS, Google, etc. (33 different types!)\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/secret-scanning-in-open-source-at-scale\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Secret Scanning in Open Source at Scale (in-depth)\" \/>\n<meta property=\"og:description\" content=\"In this in-house research, we have conducted research on publicly available open-source assets like (JS packages), WordPress Plugins, and Ruby Gems to find out the presence of mistakenly or deliberately publicly exposed secrets (including private API keys and so on) i.e. AWS, Google, etc. 
(33 different types!)\" \/>\n<meta property=\"og:url\" content=\"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/secret-scanning-in-open-source-at-scale\/\" \/>\n<meta property=\"og:site_name\" content=\"HITBSecConf2024 - Bangkok\" \/>\n<meta property=\"article:modified_time\" content=\"2024-09-03T02:23:14+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/wp-content\/uploads\/sites\/22\/2024\/06\/hassan.png\" \/>\n\t<meta property=\"og:image:width\" content=\"300\" \/>\n\t<meta property=\"og:image:height\" content=\"300\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/secret-scanning-in-open-source-at-scale\/\",\"url\":\"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/secret-scanning-in-open-source-at-scale\/\",\"name\":\"Secret Scanning in Open Source at Scale (in-depth) - HITBSecConf2024 - Bangkok\",\"isPartOf\":{\"@id\":\"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/#website\"},\"datePublished\":\"2022-07-08T02:30:14+00:00\",\"dateModified\":\"2024-09-03T02:23:14+00:00\",\"description\":\"In this in-house research, we have conducted research on publicly available open-source assets like (JS packages), WordPress Plugins, and Ruby Gems to find out the presence of mistakenly or deliberately publicly exposed secrets (including private API keys and so on) i.e. AWS, Google, etc. 
(33 different types!)\",\"breadcrumb\":{\"@id\":\"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/secret-scanning-in-open-source-at-scale\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/secret-scanning-in-open-source-at-scale\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/secret-scanning-in-open-source-at-scale\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Session\",\"item\":\"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Secret Scanning in Open Source at Scale (in-depth)\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/#website\",\"url\":\"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/\",\"name\":\"HITBSecConf2024 - Bangkok\",\"description\":\"August 26 - 30 @ InterContinental\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Secret Scanning in Open Source at Scale (in-depth) - HITBSecConf2024 - Bangkok","description":"In this in-house research, we have conducted research on publicly available open-source assets like (JS packages), WordPress Plugins, and Ruby Gems to find out the presence of mistakenly or deliberately publicly exposed secrets (including private API keys and so on) i.e. AWS, Google, etc. 
(33 different types!)","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/secret-scanning-in-open-source-at-scale\/","og_locale":"en_US","og_type":"article","og_title":"Secret Scanning in Open Source at Scale (in-depth)","og_description":"In this in-house research, we have conducted research on publicly available open-source assets like (JS packages), WordPress Plugins, and Ruby Gems to find out the presence of mistakenly or deliberately publicly exposed secrets (including private API keys and so on) i.e. AWS, Google, etc. (33 different types!)","og_url":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/secret-scanning-in-open-source-at-scale\/","og_site_name":"HITBSecConf2024 - Bangkok","article_modified_time":"2024-09-03T02:23:14+00:00","og_image":[{"width":300,"height":300,"url":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/wp-content\/uploads\/sites\/22\/2024\/06\/hassan.png","type":"image\/png"}],"twitter_card":"summary_large_image","twitter_misc":{"Est. 
reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/secret-scanning-in-open-source-at-scale\/","url":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/secret-scanning-in-open-source-at-scale\/","name":"Secret Scanning in Open Source at Scale (in-depth) - HITBSecConf2024 - Bangkok","isPartOf":{"@id":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/#website"},"datePublished":"2022-07-08T02:30:14+00:00","dateModified":"2024-09-03T02:23:14+00:00","description":"In this in-house research, we have conducted research on publicly available open-source assets like (JS packages), WordPress Plugins, and Ruby Gems to find out the presence of mistakenly or deliberately publicly exposed secrets (including private API keys and so on) i.e. AWS, Google, etc. (33 different types!)","breadcrumb":{"@id":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/secret-scanning-in-open-source-at-scale\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/secret-scanning-in-open-source-at-scale\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/secret-scanning-in-open-source-at-scale\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/"},{"@type":"ListItem","position":2,"name":"Session","item":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/"},{"@type":"ListItem","position":3,"name":"Secret Scanning in Open Source at Scale (in-depth)"}]},{"@type":"WebSite","@id":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/#website","url":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/","name":"HITBSecConf2024 - Bangkok","description":"August 26 - 30 @ 
InterContinental","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"}]}},"_links":{"self":[{"href":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/wp-json\/wp\/v2\/session\/10678"}],"collection":[{"href":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/wp-json\/wp\/v2\/session"}],"about":[{"href":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/wp-json\/wp\/v2\/types\/session"}],"wp:attachment":[{"href":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/wp-json\/wp\/v2\/media?parent=10678"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}