Code hosting platform GitHub will offer token scanning for, among others, Atlassian, Dropbox and Discord. The technique prevents leaked tokens from being misused by cyber criminals.
Token scanning is a technique that identifies credentials, such as API tokens and private keys, in committed code. The tokens can then be revoked in case of misuse. GitHub already offered this technique for several types of credentials. Now the company is also adding a number of extra partners to the token scanning programme.
VentureBeat reports that the list of partners will be supplemented with Atlassian, Dropbox, Discord, Proctorio and Pulumi. So if someone accidentally checks in a token for Atlassian's Jira, for example, Atlassian is notified. Metadata is included with the report, so that action can be taken immediately.
Future of cloud services
“Composing such cloud services is the norm for the future, but it comes with inherent complexity in terms of security,” says Patrick Toomey, product security manager at GitHub. “Every cloud service a developer uses usually requires one or more credentials, often in the form of API tokens. In the wrong hands, they can be used to access sensitive customer data – or extensive computing resources for cryptocurrency mining, posing significant risks to both users and cloud service providers.”
Toomey explains in a blog post that most commits and repositories are scanned within seconds of becoming public. If a match is found with an unencrypted SSH private key, a GitHub OAuth token, a personal access token or any other type of credential, the relevant provider is notified. That way, it has time to respond by revoking the token(s) in question and notifying potentially affected users.
This news article was automatically translated from Dutch for Techzine.eu.
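As an added illustration of the scan-then-notify flow the article describes (this is not GitHub's code, and the detector patterns, provider names and sample files are assumptions made for the example), a minimal scanner that matches each committed file against provider-specific patterns, skips passphrase-protected keys, and groups findings per provider together with the commit metadata the partner needs in order to revoke:

```python
import re
from collections import namedtuple
# Illustrative detectors assumed for this example, not GitHub's or any partner's
# real rules: finding type -> (provider to notify, pattern). The token rule needs a
# nearby "token" keyword, because a bare 40-hex string also matches every commit SHA.
DETECTORS = {
    "ssh_private_key": ("repository owner", re.compile(
        r"-----BEGIN (?:RSA |DSA |EC |OPENSSH )?PRIVATE KEY-----")),
    "github_token": ("GitHub", re.compile(
        r"(?i)(?:github|oauth|personal)[_ -]?(?:access[_ -]?)?token\s*[=:]\s*['\"]?([0-9a-f]{40})\b")),
}

# A finding carries the provider to notify plus the metadata it needs to act on it.
Finding = namedtuple("Finding", "kind provider commit path line")

def _key_is_encrypted(text, start):
    # Legacy PEM marks a passphrase with Proc-Type; OpenSSH-format keys hide it in
    # the base64 body, which this example does not decode, so those get reported.
    end = text.find("-----END", start)
    return "Proc-Type: 4,ENCRYPTED" in text[start:end if end != -1 else len(text)]

def scan_commit(commit, files):
    """files: {path: content} of one commit; returns the directly usable secrets found."""
    findings = []
    for path, text in files.items():
        for kind, (provider, pattern) in DETECTORS.items():
            for m in pattern.finditer(text):
                if kind == "ssh_private_key" and _key_is_encrypted(text, m.start()):
                    continue  # passphrase-protected key: not directly usable
                line = text.count("\n", 0, m.start()) + 1
                findings.append(Finding(kind, provider, commit, path, line))
    return findings

def notifications(findings):
    """One report per provider, each carrying the metadata needed to revoke."""
    report = {}
    for f in findings:
        report.setdefault(f.provider, []).append(f)
    return report

# Constructed sample commit: a leaked token, a plain key, a passphrase-protected
# key, and a changelog line whose commit SHA must NOT be mistaken for a token.
SAMPLE_COMMIT = "0" * 40  # placeholder SHA
SAMPLE_FILES = {
    "deploy/settings.py": 'GITHUB_TOKEN = "' + "a1b2c3d4" * 5 + '"\n',
    "keys/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n",
    "keys/id_rsa_enc": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n\nMIIE...\n-----END RSA PRIVATE KEY-----\n",
    "CHANGELOG.md": "Reverted commit 0123456789abcdef0123456789abcdef01234567\n",
}
```

Running `notifications(scan_commit(SAMPLE_COMMIT, SAMPLE_FILES))` yields one report for GitHub and one for the repository owner; the encrypted key and the changelog SHA produce nothing.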