Slack told Detectify that it is proactively looking for exposed tokens and disabling them so that they cannot be abused. Tracking where tokens and API keys get posted is helpful, but it is not Slack's job. GitHub is only one of many public places where code, and the secrets embedded in it, ends up, and it should not fall to Slack to watch every one of them.
It is the engineer's job to treat tokens as what they are: credentials, as sensitive as a password. And it is the organization's responsibility to make sure engineers follow the steps needed to keep tokens and other credentials protected at all times.
Organizations need to know what public repositories their developers are using, says Richard Sutton, vice president of engineering at Nexgate, a division of security company Proofpoint. Slack lets team owners restrict who can create integrations and tokens. On Amazon Web Services and other platforms, developers should not be working with administrator accounts; the keys they generate should be scoped to the specific roles and privileges the application actually needs, so that a leaked key exposes no more than that.
Developers are frequently given free rein to create tokens and to commit code to public repositories. Organizations need a process for checking what is being committed to these repositories, ideally before it is pushed, as well as for tracking which credentials developers are using in their applications. And developers need to remind their teammates that secrets should never be pushed to public repositories.
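One way to implement the commit check described above, as an added example that is not Slack's, Detectify's, or the article's code: a pre-commit scanner that reads the output of `git diff --cached`, flags only the added lines that contain a Slack-style token or an AWS access key ID, and reports a redacted preview so the report itself does not leak the secret. The token shapes it looks for (`xox[abpr]-` prefixes for Slack tokens, `AKIA` plus sixteen characters for AWS access key IDs) and the sample diff are assumptions constructed for this example.

```python
import re
import sys

# Assumed token shapes (not from the article): Slack tokens begin with
# xoxb-/xoxp-/xoxa-/xoxr-, AWS access key IDs are "AKIA" + 16 upper-case
# letters or digits. Extend this table for other providers.
PATTERNS = {
    "slack_token": re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# Constructed sample of `git diff --cached` output; every key here is a dummy.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,4 +1,5 @@
 import os
-SLACK_TOKEN = os.environ["SLACK_TOKEN"]
-OLD_KEY = "AKIAJJJJJJJJJJJJJJJJ"
+SLACK_TOKEN = "xoxb-000000000000-000000000000-AbCdEfGhIjKlMnOpQrStUvWx"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = os.environ["AWS_SECRET_ACCESS_KEY"]
 DEBUG = False
"""


def redact(token):
    """Show only the ends of a token so the scan report does not leak it."""
    return token[:8] + "..." + token[-4:]


def scan_line(text):
    """Return [(kind, redacted_token), ...] for every pattern match in one line."""
    return [(kind, redact(m.group(0)))
            for kind, rx in PATTERNS.items()
            for m in rx.finditer(text)]


def scan_diff(diff_text):
    """Scan only the added lines of a unified diff.

    Removed lines are ignored (they are leaving the repository), and the
    line number is tracked from the @@ hunk headers so that each finding
    points at the line in the new version of the file.
    Returns [(path, new_line_no, kind, redacted_token), ...].
    """
    findings = []
    path, line_no = "<unknown>", 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):           # new-file header, e.g. "+++ b/config.py"
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
        elif raw.startswith("--- "):         # old-file header, nothing to scan
            continue
        elif raw.startswith("@@"):           # hunk header: reset new-side line counter
            m = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw)
            line_no = int(m.group(1)) - 1 if m else 0
        elif raw.startswith(("-", "\\")):    # removed line or "\ No newline at end of file"
            continue
        elif raw.startswith("+"):            # added line: the only thing worth scanning
            line_no += 1
            findings.extend((path, line_no, kind, tok) for kind, tok in scan_line(raw[1:]))
        else:                                # unchanged context line
            line_no += 1
    return findings


def main():
    # Read a real staged diff from stdin; fall back to the sample when run by hand.
    diff_text = SAMPLE_DIFF if sys.stdin.isatty() else sys.stdin.read()
    findings = scan_diff(diff_text)
    for path, line_no, kind, tok in findings:
        print(f"{path}:{line_no}: possible {kind}: {tok}")
    return 1 if findings else 0  # non-zero exit makes a pre-commit hook abort


if __name__ == "__main__":
    sys.exit(main())
```

Wired into `.git/hooks/pre-commit` as `git diff --cached | python scan_secrets.py`, the non-zero exit blocks the commit. Two caveats a practitioner should keep in mind: pattern matching only catches the formats you have listed, so unknown token shapes slip through; and a local hook is advisory, since a developer can bypass it with `git commit --no-verify`, so the same scan belongs in CI or a server-side hook as well.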