This event has ended. Visit the official site or create your own event on Sched.
One Track
Lots of Flavor
Back To Schedule
Wednesday, April 17 • 3:00pm - 3:45pm
Bulletproof Shoes

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Version control software has come a long way, and the barrier to creating an open source project has been lowered to a point of being negligible. Experienced and inexperienced developers alike use hosted version control systems, such as GitHub, to share their code with the world. This open sharing of ideas is beneficial, but does come with occasional risks - accidentally publishing credentials or sensitive data, to name one. This issue has become so prevalent that all major hosts have documentation on the removal of sensitive data, but it has also led to the creation of numerous tools which trawl repositories for such sensitive information (which, in the malicious case, is then stolen and abused).
These repository-scanning tools mean that time is of the essence. When a user accidentally publishes a credential, the damage an attacker can cause is limited only by the privilege of that credential. An AWS credential, once leaked, could allow an attacker to spin up EC2 instances for mining bitcoin. A Slack token could allow an attacker to access the information in a Slack workspace, or perform other malicious actions based on the scope of the token. Therefore, it’s important for us to stop the abuse of such tokens before they fall into the wrong hands. In this talk we will discuss our “token nuker” - the tool we use to search for accidentally published Slack tokens and revoke them before they can be abused. We will cover the history, evolution, and current state of our automation, in what we hope will serve to benefit other security teams and application developers.

avatar for Fikrie Yunaz

Fikrie Yunaz

Product Security Engineer, Slack
Fikrie Yunaz is a Product Security Engineer at Slack. He is a security enthusiast and loves breaking web applications. He specializes in the areas of application security and security test automation. He was previously a Security Engineer at Oracle.
avatar for Nikki Brandt

Nikki Brandt

Staff Security Engineer, Slack
Nikki Brandt is a Staff Tech Lead/Manager on the Product Security team at Slack, where she currently leads the Product Security team and drives the security review process. Before joining Slack, Nikki was a senior security consultant at NCC Group (via Matasano), and a security engineer... Read More →

Wednesday April 17, 2019 3:00pm - 3:45pm HST
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA