Secure Steps with Begimher

Blog

  • It’s 2025. Why Are We Still Pushing API Keys to GitHub?

    It’s July 2025. We’re in an era of “vibe coding”, bringing incredible AI ideas to life faster than ever before. We’re building agents that can plan, reason, and interact with the world. And yet, somehow, we’re still tripping over the first and most basic hurdle: pushing API keys directly into public GitHub repositories.

    With the AI world gaining so much popularity, I felt like most builders had already understood the basics. The number one rule on that list? Don’t hardcode credentials in your codebase.

    Right now, those specific API keys for AI providers can mostly be used for regular API calls. Attackers can leverage them to interact with the LLM providers on your account. They can potentially exhaust your resources by hitting API limits or hike up your costs on a pay-as-you-go plan.

    But in the near future, the risk gets much bigger. More and more of these services will have external services connected to them. We are going in the direction of MCP servers, in-server integrations with external tools, and multi-agent systems. That means the API key isn’t just a key to a model anymore; it’s the key to the door of a personal email inbox or a sensitive database.

    Since it’s so easy to bring ideas to life with vibe coding, I decided to build a dashboard which will show you how bad it is.

    I call it AI Leak Watch. (You can see it here: https://ai-keys-leaks.begimher.com)

    A dashboard displaying the number of potentially exposed API keys for various AI providers, including Google Gemini, OpenAI, Anthropic Claude, and Perplexity.

    It’s a simple dashboard that does one thing: it scans GitHub for common AI key patterns and shows you the raw, unfiltered numbers. The very first scan found an overwhelming 189,600 potentially exposed keys for major AI providers.

    Disclaimer: This dashboard was created for educational purposes. I bet some of the keys it finds are not useable, but I also bet some of them are.

    So, how do we fix this? It’s not complicated, but it requires discipline.

    Protect Your Secrets at the Source

    Never, ever hardcode them. If you’re running something scrappy for a temporary local dev session, that’s fine. But that code should never, ever see a git push. If you think you might forget, don’t do it in the first place. Use a real secrets management service like HashiCorp Vault or AWS Secrets Manager.

    Build a Safety Net

    Assume mistakes will happen and plan for them. Use tools to catch secrets before they get exposed. You can scan your local code before you commit with solutions like my own ASH (Automated Security Helper). You should also rely on built-in platform features like GitHub’s native Secret Scanning and monitor your public environment continuously with open-source giants like TruffleHog.

    Educate Others

    Make this a non-negotiable part of your team’s culture. Teach other developers how to handle secrets properly.

    The world we’re building with AI is incredibly powerful. We’re teaching AI to build the future, but we can’t even teach ourselves not to leak our keys.

    Let’s work to bring down those numbers. Let’s give the AI we’re building a better example to learn from.

  • Building Your Cybersecurity Career Path: A Guide for Beginners

    Building Your Cybersecurity Career Path: A Guide for Beginners

    My younger brother recently reached out asking me for advice on breaking into the cybersecurity field and landing his first job. It got me thinking about how many people are trying to navigate this path right now. While waiting for my flight, I decided to turn our conversation into something that might help others who are in the same boat.

    I’ve spent over a decade in cybersecurity since I began back in 2012. My path has been varied. It covers network engineering, security design, penetration testing, and incident response. This includes investigating major national-level attacks. I have also worked in cloud security, application security, and security tool development. Most recently, I’ve been involved in research into the security implications of Generative AI.

    Cybersecurity is a constantly evolving and critical field. If you’re thinking about building your cybersecurity career, you are in the right place. Here’s my take on how to get started and build a successful career.

    1. Find Your Niche: What Area of Cybersecurity Calls to You?

    Cybersecurity isn’t monolithic; it’s a universe of specializations. Here are just some of the major paths you might consider:

    • Penetration Testing / Ethical Hacking: Finding vulnerabilities before the bad guys do.
    • Incident Response & Forensics: Being the first responders and investigators when breaches happen.
    • Cloud Security: Securing infrastructure and services in environments like AWS, Azure, and GCP.
    • Application Security (AppSec): Building and testing secure software.
    • Security Engineering/Architecture: Designing and implementing secure systems and networks.
    • Governance, Risk & Compliance (GRC): Establishing policies, managing risk, and ensuring adherence to standards.
    • Security Operations (SecOps): Monitoring systems, detecting threats, and managing security tools.

    And then there are the emerging frontiers, like AI Security. This involves securing the AI models themselves, protecting the data they use, defending against new types of threats (like adversarial attacks), and using AI to enhance security defenses.

    The field continues to expand with specializations like reverse engineering, IoT security, automotive security, and critical infrastructure protection.

    Explore these areas. Read articles, follow experts on social media, watch conference talks (DefCon, Black Hat, etc.), try introductory online labs (CTFs, TryHackMe). What problems do you find most interesting? What type of work gets you excited? Identifying that initial passion is key, as it will drive your learning.

    2. Work Backwards: Create Your Roadmap

    Once you have a general direction, you need a concrete plan. Just saying “I want to be a penetration tester” is inspiring, but it’s not actionable. My approach? Set a specific, measurable goal and work backward from there. I learned this firsthand when I decided to dive deep into penetration testing.

    I started by researching: What skills were essential? Which training was most effective? Which certifications truly demonstrated practical ability? The OSCP (Offensive Security Certified Professional) consistently came up as a highly respected, hands-on challenge. That became my target – my clear milestone.

    With the goal defined, I worked backward:

    1. Break Down the Knowledge: What did the OSCP actually demand? I dug into the requirements: network scanning, vulnerability analysis, buffer overflows, web application attacks, modifying exploits, privilege escalation… The list was specific, and it instantly became my personal study guide.
    2. Gather Your Resources: The official “Penetration Testing with Kali Linux” (PWK) course was the standard path, so I enrolled. My evenings and weekends became dedicated study time, grinding through the PWK labs. Look for official training, but also explore third-party resources, practice labs, and even opportunities to shadow experienced coworkers or contribute to relevant projects if you can. Real-world exposure is invaluable.
    3. Commit (Book the Exam!): This was the turning point for me. It’s one thing to study; it’s another to have that deadline looming. I booked the date for the OSCP exam. Knowing I had to gain root access on multiple target machines within 24 hours. There was no more “maybe later.”

    Passing that exam was incredibly challenging but immensely rewarding, and it solidified this “work backwards” method for me.

    Applying This to Your Journey:

    This approach applies to any skill you want to achieve:

    • Define Your Milestone: Pick a tangible objective. Like I did with OSCP, maybe it’s a specific certification (CompTIA PenTest+, eJPT, CKA/CKS, CISSP, etc.) or mastering a particular tool or technique. Make it specific and measurable.
    • Map the Required Knowledge: Break down what skills and information you need to achieve that milestone. What are the core concepts? What tools are involved? This forms your learning checklist.
    • Find Quality Resources: Identify the best training materials, courses, books, online communities, and critically, hands-on labs or projects for practice.
    • Commit to a Timeline: Enroll in the course, dedicate consistent study blocks, and seriously consider setting a deadline or booking that exam. It transforms intention into action.

    Working backward turns a vague ambition into a series of achievable steps, guiding you directly towards your goal.

    3. Envision Your Ideal Role: What Motivates You?

    Think about the kind of work environment and role that would truly engage you. When I first discovered cloud security, the potential of automation and APIs blew me away. The idea that complex security alerting, which used to require custom scripts, could now be handled by triggering a Lambda function from CloudWatch – that felt revolutionary!

    AWS was the clear leader, so I made it my goal to work there. My first application went nowhere. I didn’t let it stop me. I refined my skills, gained more experience, applied again, and got in. Five years later, I’m still learning and contributing here. Having a target – whether it’s a specific company, a type of role (consultant, engineer, researcher), or an industry – helps focus your efforts and keeps you motivated during the challenging learning phases.

    4. Master the Cutting Edge: Specialize and Stand Out

    The tech landscape doesn’t stand still, and neither should your skills. Staying ahead often means identifying and mastering emerging technologies before they become mainstream, especially from a security perspective.

    I experienced this directly with Kubernetes. A few years ago, I noticed developers and DevOps teams rapidly adopting it for container orchestration. It was powerful, flexible, and increasingly everywhere. But with that power came new complexities and security challenges. I realized that simply knowing about Kubernetes wasn’t enough; organizations needed people who knew how to secure it.

    My first step wasn’t actually security, though. It was understanding the technology itself. You can’t secure what you don’t understand. So, I decided to dive deep into Kubernetes fundamentals. I enrolled in the official Linux Foundation certification paths, specifically targeting the Certified Kubernetes Administrator (CKA) and later the Certified Kubernetes Security Specialist (CKS). This wasn’t just about passing exams; it involved countless hours in labs, breaking things, fixing them, and truly grasping how Kubernetes works under the hood.

    Only after building that foundational knowledge could I effectively layer on the security principles. Once I felt confident in my understanding and practical skills, I started sharing that knowledge, running presentations and workshops on building and maintaining secure Kubernetes environments. This early investment in understanding and securing a rapidly growing technology proved incredibly valuable.

    The core principle here is repeatable:

    1. Identify Emerging Tech: Look for technologies gaining significant traction and impact (like Kubernetes was, and like AI is now).
    2. Master the Fundamentals: Learn how the technology actually works before trying to secure it.
    3. Specialize in Security: Apply security principles specifically to that technology. Understand its unique attack surfaces, vulnerabilities, and mitigation strategies.
    4. Share & Lead: Become one of the go-to experts by sharing your knowledge.

    What’s the “Next Kubernetes” Today?

    Artificial Intelligence (AI) is undeniably a major force reshaping cybersecurity. It introduces powerful new tools for defense but also creates entirely new attack vectors and challenges. Specializing now in areas like:

    • Securing cloud platforms hosting AI/ML workloads.
    • Understanding and mitigating risks specific to Machine Learning models (like data poisoning, model evasion, or privacy breaches).
    • Leveraging AI/ML effectively and securely within security solutions (e.g., for advanced threat detection or automating incident response).
    • Addressing the unique security concerns around Generative AI and Large Language Models (LLMs).

    …positions you at the forefront. Find that next wave, learn it deeply, figure out its security implications, and you’ll not only stand out but also make a significant impact.

    5. Apply Your Skills: Solve Real Problems

    Theoretical knowledge is essential, but practical application makes you valuable. A year into my time at AWS, I encountered an inefficient process for security code reviews involving multiple tools and steps. Driven by a desire for efficiency (okay, maybe a bit of laziness!), I developed an internal script to automate and streamline the workflow. A few weeks later, it became popular in my org, then a few months later globally within Amazon. Nowadays, it’s also available as an open-source solution everyone can use to streamline code security scans. Check it out yourself: https://github.com/awslabs/automated-security-helper

    This wasn’t my main job function, but it solved a tangible problem using my security and scripting skills, and ultimately had a much wider impact. Look for similar chances to contribute. Can you automate a repetitive security task? Write a script to parse logs more effectively? Create a clear internal guide on a complex security topic? Document a security configuration standard? Think about how your solutions can also share knowledge effectively, creating resources to share your knowledge and help others to solve security problems at scale. Solving problems demonstrates initiative and reinforces your learning.

    6. Never Stop Learning: Iterate and Evolve

    You’ve found your initial niche, built skills, landed a job, maybe even started specializing in a hot area like AI security. Fantastic! But the journey doesn’t end there. Cybersecurity demands continuous learning.

    • Broaden Your Base: To be a great security expert, you need solid foundational knowledge. Understand networking, operating systems, databases, web applications, and cloud fundamentals. You can’t effectively secure Kubernetes without understanding containers and orchestration. You can’t truly tackle AI security without grasping the underlying AI/ML concepts and the infrastructure they run on.
    • Deepen Your Expertise: Keep learning within your chosen specialization(s). Technology changes, new vulnerabilities are found, and new defenses are developed daily.
    • Identify Gaps & Contribute: Be honest about areas where you need improvement. Pursue relevant certifications, take courses, attend workshops. Consider contributing to open-source security projects. This is a fantastic way to learn from others, build practical skills, add tangible achievements to your resume, and gain visibility within the community.
    • Push Your Boundaries: Don’t stay in your comfort zone. Take on challenging projects, mentor others, share your knowledge (write blog posts!), speak at local meetups. Growth requires stretching yourself.

    Final Thoughts

    Hopefully, these steps, following that chat with my brother, were helpful. Building a career in cybersecurity is incredibly rewarding – it’s a journey of continuous learning, practical application, and adapting.

    Ultimately, find what excites you, create your plan, get hands-on, and never stop learning.

    What are your thoughts or experiences starting out? Share them in the comments below!

    If you want to keep taking secure steps together and get more insights like this, subscribe to ‘Secure steps with Begimher’:

    And of course, feel free to connect personally.

    Best of luck!

    Daniel