Leak-Search: how and why QIWI created a service that looks for leaks of companies' source codes

Searching for leaks and vulnerabilities in your own products is not only interesting and useful but necessary. It is even more useful to bring outside specialists and enthusiasts into that search: their eyes are not yet blurred by familiarity with the product, as employees' are. That is why, some time ago, we at QIWI launched a bug bounty program: researchers reported vulnerabilities to us and received rewards, and we fixed the vulnerabilities.

Several times we were sent links to publicly accessible repositories containing sensitive information. The reasons for such leaks can be as follows:

  • a developer wrote a test code example for himself using the configuration of a "production" service rather than a test environment;

  • an administrator uploaded automation and database migration scripts, which are potentially sensitive in themselves;

  • a trainee, unaware of the risk, pushed the code to his public repository, believing it was harmless.

Such leaks can originate both from developers currently working at the company and from those who have already left. For example, there have been cases where a former employee published, in an open repository, code he had once taken home to work on in his free time. It sounds harmless, but such code may well contain database passwords, network configuration or business logic: information that is sensitive for the company and should never be publicly available.

As practice shows, most companies are by now reasonably well protected against external threats, and it is an internal leak that can do the greatest harm. Such a leak can happen maliciously or by accident, as the cases above illustrate.

[Several paragraphs of the original are not recoverable from this copy. The terms that survive show that they mentioned the classic perimeter tools (firewall, SOC, IDS/IPS), introduced QIWI Leak-Search as a service that searches GitHub for such leaks, referred to Fortune-listed companies, and posed rhetorical questions about what a leak could mean for an ERP system or an IoT product.]

QIWI Leak-Search

Leak-Search searches repositories for several categories of keywords:

  • generic terms found in configuration and infrastructure files: smtp, Dockerfile, proxypass, Authorization;

  • company-specific package names: com.qiwi.processing.common;

  • internal domain names and IP addresses: int.qiwi.com, 10.4.3.255;

  • company-specific key and token names: QIWISECRET_KEY, qiwiToken.

[The remainder of the original article is not recoverable from this copy. The terms that survive show that it discussed open source and StackOverflow as places where company code ends up, GitHub as the main source that Leak-Search covers together with Gist, with Pastebin, Gitlab and BitBucket also named, an API, the service's "killer feature", and the trade-off between false positives and false negatives.]
