Rapid7, a US network security company, suffered a Codecov supply chain attack in which part of its source code repository was leaked, according to media reports.
Internal credentials and tool source code were maliciously accessed
According to the attacked cyber security firm, the attackers managed to access some of its repositories and internal credentials, including the company's managed checks and the source code of internal tools for its managed detection and response (MDR) service, by scanning for code flaws. These credentials have since been rotated; a portion of customer-related data was also affected. Thankfully, the attackers did not access other company systems or production environments, nor did they modify these repositories.
Although the cyber security company added that the compromised Codecov tool was not used in its production code, and it largely avoided serious impact from the vulnerability, the incident shows that software security vulnerabilities are a serious threat to the information security of individuals, enterprises and even countries.
The impact of the attack
Codecov stated that an unknown attacker maliciously modified its Bash Uploader script, allowing hackers to collect sensitive information such as credentials, tokens or API keys from a customer's continuous integration (CI) environment and send it to a third-party server. The subsequent investigation found that hackers used developer credentials stolen from test-automation environments to gain access to hundreds of customers' networks. As a result of the incident, one Codecov customer reported that the code-signing GPG private key used to sign and verify its software releases had been exposed.
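The Bash Uploader tampering described above worked because CI jobs fetched the script from the vendor and executed it directly, so any change to the served bytes ran with the job's credentials. As an added example, not part of the original article or of Codecov's own tooling, the following POSIX shell functions pin such a helper script to a known SHA-256 digest and refuse to execute it if the downloaded bytes differ. The URL and the expected digest are placeholders that a pipeline would replace with the vendor's published values, obtained out of band rather than from the same download.

```shell
#!/bin/sh
# Added example: integrity-pin a third-party CI helper script before running it.
# EXPECTED_SHA256 and SCRIPT_URL below are placeholders, not real values.

# sha256_of FILE: print the hex SHA-256 digest of FILE.
# Uses coreutils sha256sum when present, otherwise shasum (BSD/macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_script FILE EXPECTED_SHA256
# Returns 0 when FILE's digest equals EXPECTED_SHA256, 1 otherwise.
# A mismatch is logged to stderr so the CI log shows why the step failed.
verify_script() {
  vs_file=$1
  vs_expected=$2
  vs_actual=$(sha256_of "$vs_file")
  if [ "$vs_actual" = "$vs_expected" ]; then
    return 0
  fi
  printf 'integrity check failed for %s\n  expected %s\n  actual   %s\n' \
    "$vs_file" "$vs_expected" "$vs_actual" >&2
  return 1
}

# run_pinned URL EXPECTED_SHA256
# Downloads URL to a temporary file, verifies it, and executes it only on a
# match. Replaces the pattern "curl URL | bash", which runs whatever is served.
run_pinned() {
  rp_url=$1
  rp_expected=$2
  rp_tmp=$(mktemp) || return 1
  if ! curl -fsSL "$rp_url" -o "$rp_tmp"; then
    rm -f "$rp_tmp"
    return 1
  fi
  if verify_script "$rp_tmp" "$rp_expected"; then
    sh "$rp_tmp"
    rp_rc=$?
  else
    rp_rc=1
  fi
  rm -f "$rp_tmp"
  return $rp_rc
}

# Usage in a pipeline step (placeholders):
#   SCRIPT_URL="https://example.invalid/uploader.sh"
#   EXPECTED_SHA256="<digest published by the vendor>"
#   run_pinned "$SCRIPT_URL" "$EXPECTED_SHA256" || exit 1
```

The digest must be updated deliberately whenever the vendor ships a new version, which is the point: an unexpected change in the served script then fails the build instead of silently running with the job's secrets.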
“Losing control of source code on the Internet is like giving a robber the blueprints for a bank.” The impact of a source code leak is hard to estimate, so securing source code is the foundation of securing core data.
As applied science and technology have advanced, network security defense has gradually shifted from firewalls and anti-virus software toward strengthening source code security, and the effectiveness of static code security detection (SAST) has quietly improved. On the one hand, static code security testing can rapidly and accurately examine every combination of execution paths at the code level; on the other hand, applying it during the enterprise software development phase helps developers quickly find code and logic flaws, and identify and track security vulnerabilities that may be caused by coding-standard violations or defects. Warning about and repairing code vulnerabilities early in development reduces the vulnerability risk of the software once it is running, improves its ability to withstand network attacks, and ensures code security to a great extent.
In terms of performance, the Wukong static code security detection tool from Zhongke Tianqi has a false positive rate of about 10% and a detection speed of 600,000 lines per hour. It supports detection of semantic defects, runtime defects, security vulnerabilities and secure-coding standards/specifications, as well as mixed-language detection. It supports the domestic environment and national language security standards, and applies comprehensive attack-vector analysis, in-depth cross-function and cross-file taint path analysis, fingerprint technology, similarity hashing, and other techniques.
During the enterprise software development stage, the Wukong static code security detection tool can help developers quickly find logic flaws in code, identify and track security vulnerabilities that may arise from coding-standard violations or defects, warn about and repair them early in development, and reduce the risk of vulnerabilities in running software, enhancing resilience against cyber attacks and providing a favorable guarantee for network security.
Wukong static code detection tool: protecting your software security from the source!
Software security: the last line of defense for network security
Zhongke Tianqi is a high-tech enterprise founded with strong support from the Institute of Computing Technology, Chinese Academy of Sciences, on the basis of the Institute's internationally leading independent research achievement, the “Software Code Vulnerability Detection and Repair Platform Wukong”.
Keywords: network attack, network security, static code detection, code leakage, code native security
Read more: www.woocoom.com/b021.html?i…