Secrets are meant to be hidden, or at least known only to a limited number of people (or systems); otherwise they are not really secrets. In your personal life, a revealed secret can damage your relationships, invite social stigma, or at the very least embarrass you. In the professional life of a developer or application security engineer, an exposed secret can lead to a security breach or a data leak, and to embarrassment as well. And while there are plenty of tools for discovering secrets in source code and code repositories, there are few options for finding secrets that live elsewhere: plain text files, documents, email, chat logs, content management systems, and so on.
What is a secret?
In the context of applications, secrets are sensitive information such as passwords, API keys, cryptographic keys, and other sensitive data that your application needs to function but should not be exposed to unauthorized users. Secrets are typically stored securely and accessed programmatically by applications as needed.
Using secrets is an essential aspect of securing your application. Unauthorized access to this sensitive information can lead to security breaches and other malicious activity. To protect secrets, developers, system administrators, and security engineers use security techniques such as encryption, secure storage, and access control mechanisms to ensure that only authorized users have access to them. In addition, implement best practices such as rotating passwords and keys regularly and restricting access to secrets to only what your application needs to function.
Software supply chain secrets
Secrets are a key component of software supply chain security, from collaboration to deployment and everything in between.
Secrets such as access keys and passwords are often the only thing that stands between an attacker and sensitive data or systems. Therefore, it is essential to keep these secrets confidential and secure. Compromise of confidentiality can lead to catastrophic data breaches and can cause significant financial and reputational damage to an organization.
Secrets are a frequent target of software supply chain attacks: an attacker who obtains an access key or password can use it to reach corporate systems, data, or servers, and if a secret has been accidentally leaked to a public source, obtaining it costs the attacker nothing. Protecting secrets is therefore essential to prevent attackers from misusing them to compromise corporate systems and data. Good secret management helps prevent unauthorized access to critical systems and data and protects an organization from supply chain attacks.
How do you keep secrets secret?
To prevent secret leaks, you can adopt the following methods:
- Store secrets in environment variables: Instead of hard-coding secrets into your code, read them from environment variables at runtime. This keeps secrets out of the source itself and out of the repository, as long as the file you populate the environment from (a .env file, for example) is never committed either.
- Use a .gitignore file: Create a .gitignore file to exclude files containing secrets from being tracked by Git. This prevents confidential information from being accidentally committed to the code repository. If you follow the previous point, check that the file holding your environment variables is listed in your .gitignore.
- Use secret management tools: Secret management tools help you securely store and manage application or system secrets. This ensures that the secret is encrypted and accessible only to authorized users.
- Use encryption: Encrypt secrets before storing them in your code repository. This provides an additional layer of security and makes it harder for an attacker who clones the repository to read sensitive information; the decryption key must of course live outside the repository.
- Use two-factor authentication (2FA): Enable 2FA for your code repository to prevent unauthorized access. This adds an extra layer of security and makes it more difficult for attackers to gain unauthorized access to code repositories.
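As an added example (not code from this article or from the 2MS project), the Go program below turns two of the points above into checks you can automate: LoadSecretFromEnv reads a credential from the environment and fails closed when it is absent, and GitignoreCovers tells you whether a given path is excluded by a .gitignore, so you can verify that .env files, key material and similar files are not about to be committed. The function names, the .gitignore content and the file list are constructed for the example, and the matcher implements only the subset of gitignore syntax named in its comment.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrMissingSecret makes the application fail closed: a required credential
// that is absent is an error, never an empty string silently passed along.
var ErrMissingSecret = errors.New("required secret is not set in the environment")

// LoadSecretFromEnv reads a secret from an environment variable instead of a
// hard-coded literal. Only the variable name, never the value, appears in the
// returned error, so the error is safe to log.
func LoadSecretFromEnv(name string) (string, error) {
	v, ok := os.LookupEnv(name)
	if !ok || strings.TrimSpace(v) == "" {
		return "", fmt.Errorf("%w: %s", ErrMissingSecret, name)
	}
	return v, nil
}

// GitignoreCovers reports whether path is excluded by the given .gitignore
// content. It handles the subset of gitignore syntax that matters for secret
// files: comments, blank lines, '!' negation, patterns anchored to the repo
// root (leading '/' or any '/' inside), a trailing '/' for directory-only
// patterns, and the '*' / '?' wildcards of filepath.Match. As in git, a later
// pattern overrides an earlier one, and a pattern without a slash matches the
// basename (or any parent directory) at any depth.
func GitignoreCovers(gitignore, path string) bool {
	path = strings.TrimPrefix(filepath.ToSlash(path), "/")
	ignored := false
	for _, raw := range strings.Split(gitignore, "\n") {
		pat := strings.TrimSpace(raw)
		if pat == "" || strings.HasPrefix(pat, "#") {
			continue
		}
		negate := strings.HasPrefix(pat, "!")
		pat = strings.TrimPrefix(pat, "!")
		dirOnly := strings.HasSuffix(pat, "/")
		pat = strings.TrimSuffix(pat, "/")
		anchored := strings.HasPrefix(pat, "/") || strings.Contains(pat, "/")
		pat = strings.TrimPrefix(pat, "/")
		if patternMatches(pat, path, anchored, dirOnly) {
			ignored = !negate
		}
	}
	return ignored
}

// patternMatches tests pat against the path itself and each of its parent
// directories (a matching directory excludes everything beneath it).
func patternMatches(pat, path string, anchored, dirOnly bool) bool {
	segs := strings.Split(path, "/")
	depth := len(segs)
	if dirOnly {
		depth-- // a "dir/" pattern never matches the final component as a file
	}
	for i := 1; i <= depth; i++ {
		candidate := segs[i-1] // basename of this component
		if anchored {
			candidate = strings.Join(segs[:i], "/") // full path from the repo root
		}
		if ok, _ := filepath.Match(pat, candidate); ok {
			return true
		}
	}
	return false
}

// UnignoredSecretFiles returns the paths from files that the .gitignore does
// not cover, i.e. the ones that would be committed along with their contents.
func UnignoredSecretFiles(gitignore string, files []string) []string {
	var exposed []string
	for _, f := range files {
		if !GitignoreCovers(gitignore, f) {
			exposed = append(exposed, f)
		}
	}
	return exposed
}

func main() {
	// Constructed .gitignore and file list for the example.
	gitignore := `# local environment files
.env
.env.*
!.env.example
*.pem
secrets/
/config/prod.yaml`
	files := []string{".env", "app/.env.local", ".env.example", "certs/server.pem",
		"secrets/db.json", "config/prod.yaml", "deploy/config/prod.yaml", "id_rsa"}
	for _, f := range UnignoredSecretFiles(gitignore, files) {
		fmt.Printf("NOT ignored, would be committed: %s\n", f)
	}
	// Secrets come from the environment, never from a literal in the code.
	if _, err := LoadSecretFromEnv("DATABASE_PASSWORD"); err != nil {
		fmt.Println("startup refused:", err)
	}
}
```

Run it with go run: the program lists the files the sample .gitignore does not cover (.env.example because of the negation rule, deploy/config/prod.yaml because the prod.yaml pattern is anchored to the repo root, and id_rsa) and refuses to start without DATABASE_PASSWORD in the environment. Environment variables are still not a vault: anything that can read the process environment can read them, which is why a dedicated secret manager is the next item on the list.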
By following these best practices, you can prevent the inadvertent disclosure of sensitive information in your code repositories and source control managers. But what about other systems such as content management systems, plain text documents, email, chat logs, and other digital assets? They are not stored in the repository, so none of the above protects them.
Introducing “Too Many Secrets” by Checkmarx
Too Many Secrets (2MS) is an open source project aimed at protecting sensitive information such as passwords, credentials, and API keys from being exposed on public websites and communication services. 2MS currently supports Confluence and will be adding support for Discord soon. In addition, it can be easily extended to other communication and collaboration platforms.
Installing and running 2MS is quick and easy. It is written in Go, so all you need to do is clone the repository, build the project, and run the binary against your platform. Below is the list of commands I used to get it up and running on macOS (using Bash 5.1.16).
```shell
# install the Go toolchain with Homebrew, then fetch and build 2ms
brew install go
git clone https://github.com/Checkmarx/2ms.git
cd 2ms
go build
# values in <angle brackets> are placeholders: your Atlassian site, the space keys to scan, and an Atlassian user and API token
./2ms --confluence https://<your-org>.atlassian.net/wiki --confluence-spaces <space-keys> --confluence-username <user> --confluence-token <api-token>
```
2MS is built on a secret detection engine (currently Gitleaks) and contains plugins for interacting with popular platforms. This means that anyone in the open source community can contribute to, improve, and extend 2MS very easily.
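To make the detection engine concrete, here is an added example in Go, written for this article rather than taken from the 2MS or Gitleaks source, of how a Gitleaks-style scanner works: a small rule set of regular expressions, a Shannon-entropy filter that drops low-entropy placeholders matched by the generic rule, and a line-by-line scan over two constructed inputs, a Confluence-style page body and a chat log, which is exactly the kind of non-repository content 2MS targets. The rule set, the 3.5-bit entropy threshold, the function names and the sample text are this example's own assumptions; the AWS values are the example credentials from AWS's own documentation, not live keys.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
	"strings"
)

// Rule is one detection pattern, in the style of a Gitleaks rule. Group is
// the submatch that holds the secret value (0 = whole match). MinEntropy, when
// non-zero, is the minimum Shannon entropy (bits per byte) the value must have.
// Generic rules run only on lines where no specific rule already matched, so a
// line is not reported twice.
type Rule struct {
	ID         string
	Re         *regexp.Regexp
	Group      int
	MinEntropy float64
	Generic    bool
}

// Constructed rule set for this example; real engines ship hundreds of rules.
var rules = []Rule{
	{ID: "aws-access-key-id", Re: regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`)},
	{ID: "github-pat", Re: regexp.MustCompile(`\bghp_[A-Za-z0-9]{36}\b`)},
	{ID: "private-key", Re: regexp.MustCompile(`-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----`)},
	{ID: "generic-credential", Generic: true, Group: 1, MinEntropy: 3.5,
		Re: regexp.MustCompile(`(?i)(?:key|secret|token|password|passwd)[a-z0-9_]*\s*[:=]\s*['"]?([A-Za-z0-9_\-/+=]{16,})`)},
}

// Finding is what a scanner reports: where the hit was and which rule fired.
// Redacted keeps only a short prefix so the report never re-leaks the secret.
type Finding struct {
	Source   string
	Line     int
	RuleID   string
	Redacted string
}

// Scan runs every rule over each line of text and returns the findings.
func Scan(source, text string) []Finding {
	var out []Finding
	for i, line := range strings.Split(text, "\n") {
		specificHit := false
		for _, r := range rules {
			if r.Generic && specificHit {
				continue
			}
			for _, m := range r.Re.FindAllStringSubmatch(line, -1) {
				val := m[r.Group]
				// Entropy filter: drop obvious placeholders such as "changeme_changeme".
				if r.MinEntropy > 0 && ShannonEntropy(val) < r.MinEntropy {
					continue
				}
				out = append(out, Finding{Source: source, Line: i + 1, RuleID: r.ID, Redacted: Redact(val)})
				if !r.Generic {
					specificHit = true
				}
			}
		}
	}
	return out
}

// ShannonEntropy returns the entropy of s in bits per byte; random-looking
// credentials score well above 3.5, English words and placeholders below it.
func ShannonEntropy(s string) float64 {
	if s == "" {
		return 0
	}
	counts := map[byte]int{}
	for i := 0; i < len(s); i++ {
		counts[s[i]]++
	}
	n := float64(len(s))
	h := 0.0
	for _, c := range counts {
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// Redact keeps the first four bytes (enough to recognise the key type) and
// masks the rest.
func Redact(s string) string {
	if len(s) <= 8 {
		return strings.Repeat("*", len(s))
	}
	return s[:4] + strings.Repeat("*", len(s)-4)
}

// Constructed sample inputs. The AWS values are the example credentials from
// AWS's own documentation, not live keys; everything else is made up.
const ConfluencePage = `Deployment runbook (constructed sample page)
Set the following in the CI environment before running the pipeline:
  aws_access_key_id = AKIAIOSFODNN7EXAMPLE
  aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
  password = changeme_changeme_changeme
The staging DB host is db.staging.internal on port 5432.`

const ChatLog = `[10:02] alice: can someone push the fix? my PAT is ghp_0123456789abcdefghijABCDEFGHIJ012345
[10:03] bob: sure, the cert key is below
[10:03] bob: -----BEGIN RSA PRIVATE KEY-----
[10:04] alice: thanks, password is hunter2`

func main() {
	for _, f := range append(Scan("confluence", ConfluencePage), Scan("chat", ChatLog)...) {
		fmt.Printf("%-10s line %d  %-20s %s\n", f.Source, f.Line, f.RuleID, f.Redacted)
	}
}
```

The scan reports the AWS access key ID and the AWS secret on the Confluence page and the GitHub token and private-key header in the chat, while the changeme placeholder is suppressed by the entropy filter and "password is hunter2" is missed entirely: the generic rule needs a key/value separator and a value of at least 16 characters, which is the kind of blind spot a real rule set closes with many more patterns.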
Learn more
By working together, we build a safer digital world. To learn more or download the project yourself, visit https://github.com/Checkmarx/2ms on GitHub.
Note: This article was professionally written and contributed by Bryant Schuck, Product Manager Lead at Checkmarx.