A story on how to reach ZERO exposed credentials in your organization

Presented at May Contain Hackers (MCH2022), July 24, 2022, 3 p.m. (50 minutes)

Do you find secrets or credentials everywhere? Have you noticed your AWS keys, GCP keys or SQL Azure connection info checked in by your developers? How will you eliminate existing secrets and stop new ones from being added to your security technical debt? Learn new techniques and strategies some companies are adopting to reach ZERO exposed credentials in their organization. One common and insecure engineering practice has been to publish source code that contains credentials in plain text, assuming attackers are not looking for them in source code, whether in public or private repositories. Over the last few years, several large data loss incidents have originated with attackers finding exposed credentials in source code repositories, and these data losses have cost the organizations millions. In this talk, we will share how to build effective gates and mechanics to reduce your current exposure of credentials and ensure you reach and stay at ZERO exposed credentials in source in your organization. This is not just about shift-left security, but also about the strategy and automation needed to eliminate exposed credentials. The talk will also focus on “live” credential detection, something only a handful of organizations have tried, with amazing success. Get ready to hear a real story of how a few organizations have made inroads toward reaching ZERO exposed credentials in source, and what learnings you can take back to your organization.

Presenters:

  • Neha Shukla
    Neha has 17+ years of experience in the IT and information security space. She leads the Supply Chain Security program and the Security Engineering team at Microsoft. She has led key programs, including establishing and operationalizing the Supply Chain Security program for Microsoft. Prior to working with Microsoft, she was with United Health Group, Accenture, HP & TCS. She has been an industry speaker on security topics, including at forums such as BSides.
  • Dharmesh Mehta
    Dharmesh has over 18 years of experience in information security. He is currently Head of Product Security at Gojek. Before Gojek, Dharmesh spent 10 years with Microsoft leading the Security Assurance & Engineering team and about 8 years with Mastek as a Security Architect, working with the Ministry of Defense & NHS in the United Kingdom.
