In our last few articles, we focused on vulnerability scanning of hosts and containers in AWS ECS, Azure AKS, Google GKE, and Oracle OKE. In this post, we will discuss secrets management, another important aspect of cloud native security. We are releasing an open source tool called SecretScanner to detect secrets automatically in container images, VMs, and hosts.
Measuring your attack surface is the first step towards understanding the weaknesses in your infrastructure and protecting against them. Vulnerabilities are one important component of the attack surface, which attackers can exploit to intrude into your infrastructure and applications. There is a lot of focus on vulnerability scanning, and many tools are available to detect vulnerabilities. However, there are other important components of your attack surface, such as secrets. Currently, no open source tools are available to detect secrets in container images. That is why we have built an open source tool, SecretScanner, to detect secrets that are stored in images inadvertently or through a design flaw.
What exactly do we mean by secrets? In the context of cybersecurity, secrets are any kind of sensitive or private data that grants authorized users access to infrastructure (such as accounts, devices, networks, and cloud based services), applications, storage, databases, and other kinds of critical data. For example, passwords, AWS access key IDs, AWS secret access keys, and Google OAuth keys are secrets. Secrets should be strictly kept private. However, attackers can sometimes access secrets easily because of flawed security policies or inadvertent mistakes by developers. Developers sometimes use default secrets or leave hard-coded secrets such as passwords, API keys, encryption keys, SSH keys, and tokens in container images, especially during rapid development and deployment cycles in CI/CD pipelines. Sometimes users store passwords in plain text. Leakage of secrets to unauthorized entities can put your organization and infrastructure at serious security risk.
Managing secrets is a big challenge in DevOps and cloud environments because of the myriad tools and technologies in use. During these unprecedented pandemic times, when remote work is the new normal, remote access further exacerbates this issue and increases the security risks that result from mismanaged secrets.
Secrets are as important as vulnerabilities from a cybersecurity point of view, as attackers can very easily get backdoor access into customer infrastructure and spread laterally to launch multi-stage attacks due to the leakage of secrets. Additionally, managing secrets such as passwords is one of the key requirements of some of the common compliance standards like NIST and HIPAA. Hence, it is imperative that organizations manage their secrets in a systematic way, similar to vulnerability management.
Secrets management is the process of managing the digital authentication credentials, both during transit and at rest, to protect them from unauthorized access. Organizations need to protect secrets from unauthorized access and manipulation during every stage of their lifecycle starting from creation and storage to rotation and revocation. We outline nine simple ways in which you can protect your secrets and prevent unauthorized access to your critical infrastructure and data.
SecretScanner currently analyzes file names (including their paths) and file contents against regex patterns to find potential secrets in container images. We provide a set of basic regex rules, which users can configure and extend, to detect secrets. We use Hyperscan to match our regex patterns. Hyperscan lets us take advantage of hardware features for fast scanning, and it also matches all of the regex patterns in a single pass, which makes the secret scanning process very fast. We report details about the possible secrets found in various formats, such as JSON. For each secret found, we report a severity score in addition to the type of secret, the matched text, the regex pattern that matched, and so on. You can find a sample JSON output of our tool below.
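To make the path-plus-contents rule matching concrete, here is an added example that is not SecretScanner's own code: a small Python scanner with a hypothetical rule set, using the standard `re` module in place of Hyperscan, run over a constructed in-memory "image layer" (the AWS key is the documented example value from the AWS docs, not a live credential). Matched text is partially redacted in the report so the scan output does not become a second copy of the secret.

```python
import json
import re

# Hypothetical rule set; each rule targets either the file path or the file contents.
RULES = [
    {"type": "AWS access key ID", "part": "contents", "severity": "high",
     "regex": r"\bAKIA[0-9A-Z]{16}\b"},
    {"type": "Private key block", "part": "contents", "severity": "high",
     "regex": r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"},
    {"type": "Password assignment", "part": "contents", "severity": "medium",
     "regex": r"(?i)password\s*[=:]\s*['\"]?[^\s'\"]{6,}"},
    {"type": "Private key file name", "part": "path", "severity": "medium",
     "regex": r"(?i)(?:\.pem|id_rsa|id_ed25519)$"},
]
COMPILED = [(rule, re.compile(rule["regex"])) for rule in RULES]

# Constructed sample "image layer": path -> contents (not real files or keys).
SAMPLE_FILES = {
    "/app/config.env": 'AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nDB_PASSWORD="s3cretpass"\n',
    "/root/.ssh/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nnot-a-real-key\n-----END RSA PRIVATE KEY-----\n",
    "/app/main.py": "import os\nkey = os.environ['AWS_ACCESS_KEY_ID']\n",
}

def _finding(rule, path, lineno, matched):
    # Keep only a short prefix of the match; the rest is masked in the report.
    redacted = matched[:4] + "*" * (len(matched) - 4)
    return {"path": path, "line": lineno, "type": rule["type"],
            "severity": rule["severity"], "regex": rule["regex"],
            "matched": redacted}

def scan_file(path, contents):
    # Path rules run once against the path; content rules run per line so
    # the finding can carry a line number.
    findings = []
    for rule, pattern in COMPILED:
        if rule["part"] == "path":
            m = pattern.search(path)
            if m:
                findings.append(_finding(rule, path, 0, m.group(0)))
            continue
        for lineno, line in enumerate(contents.splitlines(), start=1):
            for m in pattern.finditer(line):
                findings.append(_finding(rule, path, lineno, m.group(0)))
    return findings

def scan_files(files):
    return [f for path, text in files.items() for f in scan_file(path, text)]

def report_json(files):
    # JSON report in the same spirit as the output described above.
    return json.dumps({"findings": scan_files(files)}, indent=2)
```

Calling `report_json(SAMPLE_FILES)` yields four findings: two high (the AWS key ID and the private key block) and two medium (the password assignment and the `id_rsa` file name), while the clean `main.py` produces none.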
Please contact us if you have any feedback on our new secret scanning tool.