Secrets are meant to be hidden or, at the very least, known only to a certain and limited group of individuals (or systems). Otherwise, it’s not really a secret. In private life, revealing secrets can damage relationships, create social stigma, or at the very least, embarrassment. In the professional life of a developer or application security engineer, the consequences of disclosing secrets can lead to security breaches, data leaks, and even embarrassment. And while there are tools available for detecting source code and code repositories, there are options for identifying secrets in plain text, documents, e-mails, chat logs, content management systems, and more.
What’s the Secret?
In the context of applications, secrets are sensitive information such as passwords, API keys, cryptographic keys and other confidential data that are required for applications to function but should not be exposed to unauthorized users. Secrets are usually stored securely and accessed programmatically by applications when needed.
Confidential use is an important aspect of securing applications. Unauthorized access to this sensitive information can lead to security breaches and other malicious activity. To protect secrets, developers, system administrators and security engineers use various security techniques such as encryption, secure storage and access control mechanisms to ensure that only authorized users can access them. In addition, they employ best practices such as rotating passwords and keys regularly and limiting the scope of access to secrets to only those necessary for the application to function.
Secrets in the Software Supply Chain
Secrets are a critical component of software supply chain security, spanning from collaboration to deployment, and everything in between.
Secrets, such as access keys or passwords, are often the only thing standing between an attacker and sensitive data or systems. Therefore, it is very important to maintain the confidentiality and security of this secret. When secrets are compromised, it can lead to a catastrophic data breach, which can cause significant financial and reputational damage to an organization.
Secrets are often the target of software supply chain attacks. Attackers often target secrets to gain access to corporate systems, data or servers. They can easily get hold of this secret if they mistakenly leak it to a public source. Keeping secrets in the security of the software supply chain is critical to ensure that attackers cannot exploit it to harm company systems and data. Proper confidential management can help prevent unauthorized access to critical systems and data, protecting organizations from supply chain attacks.
How Do You Keep Secrets Secrets?
To protect secrets from being leaked, you can implement the following practices:
- Use environment variables to store secrets: instead of hard-coding secrets in your code, store them in environment variables. This makes it easier to manage secrets and ensures that they are not accidentally tied to the code repository.
- Use .gitignore files: Create .gitignore files to exclude files containing secrets from being tracked by Git. This will prevent sensitive information from being accidentally pushed into the code repository. If following #1 above, ensure that if secrets are stored in an environment variables file, they are defined in .gitignore.
- Use confidential management tools: secret management tools can help securely store and manage application or system secrets. This ensures that secrets are encrypted and only accessible to authorized users.
- Use encryption: encrypt the secret before storing it in the code repository. This provides an extra layer of security and makes it more difficult for attackers to access sensitive information.
- Use two-factor authentication (2FA): Enable 2FA for the code repository to prevent unauthorized access. This adds an extra layer of security and makes it more difficult for an attacker to gain unauthorized access to the code repository.
By following these best practices, you can protect yourself from accidentally disclosing sensitive information in our code repository and source control maintainers. But what about other systems, such as content management systems, plain text documents, emails, chat logs and other digital assets No stored in repository?
Introducing Too Many Secrets by Checkmarx
Too Many Secrets (2MS) is an open source project dedicated to helping people protect their sensitive information such as passwords, credentials and API keys from appearing on public websites and communication services. 2MS supports Confluence today and we’ll be adding support for Discord soon. In addition, it is also easy to extend to other communication or collaboration platforms.
Installing and running 2MS is very fast and simple. Built on Go, all you need is to clone the repository, build the project and run the binary on your platform. Below is a list of commands I used to get up and running on OSX (using Bash 5.1.16):
# brew install go
# git clone https://github.com/Checkmarx/2ms.git
# go build
# ./2ms –confluence https://
.atlassian.net/wiki –confluence-spaces –confluence-username –confluence-token
2MS is built on a covert detection engine (currently gitleaks) and includes a variety of plugins to interact with popular platforms. This means anyone in the open-source community can contribute to, enhance, and extend 2MS easily.
Notes: This article was expertly written and contributed by Bryant Schuck, Product Manager Lead at Checkmarx.