CISSP® Official Study Guide, Eighth Edition
Mike Chapple, James Michael Stewart, Darril Gibson. CISSP Official Study Guide, Sybex (2018)

Code Repositories
Software development is a collaborative effort, and large software projects require teams of developers who may simultaneously work on different parts of the code. Further complicating the situation is the fact that these developers may be geographically dispersed around the world. Code repositories provide several important functions supporting these collaborations. Primarily, they act as a central storage point for developers to place their source code. In addition, code repositories such as GitHub, Bitbucket, and SourceForge also provide version control, bug tracking, web hosting, release management, and communications functions that support software development.

Code repositories are wonderful collaborative tools that facilitate software development, but they also have security risks of their own. First, developers must appropriately control access to their repositories. Some repositories, such as those supporting open-source software development, may allow public access. Others, such as those hosting code containing trade secret information, may be more limited, restricting access to authorized developers. Repository owners must carefully design access controls to only allow appropriate users read and/or write access.
Sensitive Information and Code Repositories
Developers must take care not to include sensitive information in public code repositories. This is particularly true of API keys.

Many developers use APIs to access the underlying functionality of Infrastructure-as-a-Service providers, such as Amazon Web Services (AWS), Microsoft Azure, and Google Compute Engine. This provides tremendous benefits, allowing developers to quickly provision servers, modify network configuration, and allocate storage using simple API calls.

Of course, IaaS providers charge for these services. When a developer provisions a server, it triggers an hourly charge for that server until it is shut down. The API key used to create a server ties the server to a particular user account (and credit card!).
Chapter 20 Software Development Security, page 894
If developers write code that includes API keys and then upload that key to a public repository, anyone in the world can then gain access to their API key. This allows anyone to create IaaS resources and charge them to the original developer's credit card!

Further worsening the situation, hackers have written bots that scour public code repositories searching for exposed API keys. These bots may detect an inadvertently posted key in seconds, allowing the hacker to quickly provision massive computing resources before the developer even knows of their mistake!

Similarly, developers should also be careful to avoid placing passwords, internal server names, database names, and other sensitive information in code repositories.
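As an added illustration that is not part of the study guide, the following Python secret scanner is the kind of check a team wires into a pre-commit hook or CI job so that the material this section describes (API keys, hard-coded passwords, opaque tokens) is caught before a commit reaches a public repository. The sample repository contents are constructed for this example; the AWS values in it are the placeholder credentials from AWS's own documentation, not real keys; the rule names, regular expressions, and the 4.5 bits-per-character entropy threshold are this example's own assumptions, not a published standard.

```python
"""Secret scanner for repository content: flags material that must never be committed."""
import math
import re
from collections import Counter
from typing import Callable, Dict, List, NamedTuple, Tuple

# Constructed sample repository. The AWS values are the placeholder credentials from
# AWS documentation (AKIAIOSFODNN7EXAMPLE / wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY),
# not real keys; every other value below is made up for this example.
SAMPLE_FILES: Dict[str, str] = {
    "deploy.py": (
        "import boto3\n"
        "# Credentials pasted straight into the source: the mistake the passage warns about.\n"
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
        'ec2 = boto3.client("ec2", aws_access_key_id=AWS_ACCESS_KEY_ID)\n'
    ),
    "config.yml": (
        "database:\n"
        "  host: db-prod-01.internal.example.com\n"
        "  name: customers\n"
        '  password: "Tr0ub4dor&3-change-me"\n'
    ),
    "notify.py": (
        "import requests\n"
        "# A bearer token with no tell-tale variable name: only the entropy rule sees it.\n"
        'requests.post(WEBHOOK_URL, headers={"Authorization": "Bearer q7Hn2kP9vL4mX8cZ1rT6wB3yJ5dF0gK2sM8nV4tQ"})\n'
    ),
    "settings.py": (
        "import os\n"
        "# Corrected form: secrets come from the environment (or a vault) at run time.\n"
        'AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]\n'
        'AWS_SECRET_ACCESS_KEY = os.environ["AWS_SECRET_ACCESS_KEY"]\n'
    ),
}

# Rule 1: AWS access key IDs have a fixed, recognisable shape (AKIA + 16 upper-case alphanumerics).
AWS_KEY_ID_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Rule 2: a credential-looking name assigned a quoted literal of at least 8 characters.
CREDENTIAL_RE = re.compile(
    r"[A-Za-z0-9_]*(?:password|passwd|pwd|secret|api_?key|token)[A-Za-z0-9_]*"
    r"\s*[:=]\s*['\"][^'\"]{8,}['\"]",
    re.IGNORECASE,
)
# Rule 3: runs of token-like characters (base64 / URL-safe alphabet) long enough to be a secret.
TOKEN_RUN_RE = re.compile(r"[A-Za-z0-9+/=_-]{32,}")
ENTROPY_THRESHOLD = 4.5  # bits per character; an assumption tuned on the samples above


def shannon_entropy(text: str) -> float:
    """Bits per character of the empirical character distribution of `text`."""
    counts = Counter(text)
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def has_high_entropy_run(line: str) -> bool:
    """True when any token-like run on the line is random-looking enough to be a secret."""
    return any(shannon_entropy(m.group()) >= ENTROPY_THRESHOLD
               for m in TOKEN_RUN_RE.finditer(line))


# Ordered from most to least specific; the first rule that fires names the finding.
RULES: List[Tuple[str, Callable[[str], bool]]] = [
    ("aws_access_key_id", lambda line: AWS_KEY_ID_RE.search(line) is not None),
    ("hardcoded_credential", lambda line: CREDENTIAL_RE.search(line) is not None),
    ("high_entropy_string", has_high_entropy_run),
]


class Finding(NamedTuple):
    path: str
    line: int
    rule: str


def scan_text(path: str, text: str) -> List[Finding]:
    """Scan one file's contents line by line; each line reports at most one rule."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule_name, matches in RULES:
            if matches(line):
                findings.append(Finding(path, lineno, rule_name))
                break
    return findings


def scan_repository(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of path -> contents, as a hook would over the staged files."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


if __name__ == "__main__":
    hits = scan_repository(SAMPLE_FILES)
    for hit in hits:
        print(f"{hit.path}:{hit.line}: {hit.rule}")
    # A non-zero exit status blocks the commit when wired into a pre-commit hook or CI job.
    raise SystemExit(1 if hits else 0)
```

Run against the constructed repository, the scanner flags the two lines in deploy.py, the YAML password, and the anonymous bearer token in notify.py, and reports nothing for settings.py, which reads the same credentials from the environment at run time. The entropy threshold needs care: an identifier-heavy run such as `aws_access_key_id=AWS_ACCESS_KEY_ID` scores just over 4 bits per character on its own, so a threshold of 4.0 would produce a false positive on an innocent line, which is why this example uses 4.5. Internal server names and database names, the last items the passage lists, do not have a generic shape and are better caught by an organisation-specific pattern list (for example, the internal DNS suffix) added as a further rule. Because the bots described above find a pushed key within seconds, a scanner run after the push is too late to prevent exposure: any key that reaches a public repository should be treated as compromised and rotated immediately.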