Page 72 - Cyber Defense eMagazine February 2024

-   Auth0 keys
-   Azure Active Directory API keys
-   Database credentials for providers such as MongoDB, MySQL, and PostgreSQL
-   Dropbox keys
-   Coinbase credentials
-   GitHub OAuth App keys
-   SSH credentials


While it is tempting to focus on the larger number of total occurrences, the secrets found to be valid pose the most immediate and critical threat. The researchers used ggshield, the GitGuardian CLI, which looks for over 400 types of secrets using both specific detectors and generic patterns and includes a built-in validation process. Not every secret type can be checked for validity, but at the time the research was conducted, in October 2023, over 190 specific types of credentials could be validated.

It is important to note that a credential that cannot be validated should not be considered invalid. Some systems, such as HashiCorp Vault, Kubernetes clusters, Okta, or Splunk, do not yet offer a non-intrusive way to test whether a credential is valid. Rather, think of these findings as divided into 'valid' and 'yet to be validated', and treat the second group as live until proven otherwise.



Work safely

Here are some tips on how to avoid accidentally including secrets in your PyPI packages, or in any other project.


*Avoid plaintext credentials in code

If you never add a secret to your code, there is no way for it to end up in your PyPI package. Easier said than done, we admit, but this is a skill just as valuable as avoiding infinite loops or stack overflows. There are multiple tools that make it easy to load configuration values at runtime from a file kept outside of version control, such as `python-dotenv`. Make sure that file is listed in `.gitignore` and is not picked up by your package build; otherwise you have only moved the leak from your source to your `.env`.
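The pattern in practice, as an added example that is not code from the article and is not `python-dotenv` itself: a minimal loader that mirrors what `load_dotenv()` does for plain `KEY=VALUE` files, so it runs offline without the package. Values already present in the environment win over the file, and a required secret that is missing raises rather than falling back to a default. The `.env` contents, the variable names and the `demo()` helper are constructed for the example; none of the values are real credentials.

```python
"""Load secrets at runtime from a file kept outside version control.

Added example (not code from the article, and not python-dotenv itself):
a minimal loader that mirrors the behaviour of python-dotenv's load_dotenv()
for plain KEY=VALUE files, so the pattern runs offline without the package.
The .env content below is constructed; the values are not real credentials.
"""
import os
import re
import tempfile
from typing import Optional

# KEY=VALUE with an optional leading "export"; inline comments are not handled here.
_ASSIGNMENT = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


class MissingSecret(RuntimeError):
    """Raised when a required secret is absent; there is deliberately no default."""


def parse_env(text: str) -> dict[str, str]:
    """Parse .env text: skip blanks and '#' comments, strip one pair of matching quotes."""
    values: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _ASSIGNMENT.match(line)
        if match is None:
            continue  # malformed line: skipped rather than guessed at
        key, value = match.group(1), match.group(2)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        values[key] = value
    return values


def load_env(path: str, environ: Optional[dict] = None, override: bool = False) -> dict:
    """Merge a .env file into environ (os.environ by default).

    Values already present win unless override=True, which is what lets a deployed
    service take its secrets from the real environment while a laptop uses the file.
    """
    env = os.environ if environ is None else environ
    with open(path, encoding="utf-8") as fh:
        for key, value in parse_env(fh.read()).items():
            if override or key not in env:
                env[key] = value
    return env


def get_secret(name: str, environ: Optional[dict] = None) -> str:
    """Fetch a required secret, failing loudly instead of silently using a placeholder."""
    env = os.environ if environ is None else environ
    value = env.get(name, "")
    if not value:
        raise MissingSecret(f"{name} is not set; provide it via .env or the process environment")
    return value


def demo() -> dict:
    """Write a constructed .env to a temp dir and load it into a private dict, not os.environ."""
    sample = (
        "# constructed sample; none of these are real credentials\n"
        "export DB_URL='postgresql://app:not-a-real-password@db.internal/app'\n"
        'API_TOKEN="tok_example_0123456789"\n'
        "EMPTY_VALUE=\n"
        "this line is malformed\n"
    )
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, ".env")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(sample)
        env = {"API_TOKEN": "value-from-process-environment"}  # already exported: must win
        load_env(path, env)
    return env


if __name__ == "__main__":
    loaded = demo()
    print("DB_URL    =", get_secret("DB_URL", loaded))
    print("API_TOKEN =", get_secret("API_TOKEN", loaded))
    try:
        get_secret("EMPTY_VALUE", loaded)
    except MissingSecret as exc:
        print("refused:", exc)
```

The two design choices worth copying into real code are the ones `python-dotenv` also makes by default: the file never overrides a variable that is already exported, and there is no hard-coded fallback, so a misconfigured deployment fails at startup instead of running with a placeholder credential.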

While a well-managed `.env` file is a practical solution, you can go further by using a cloud secrets manager such as Azure Key Vault or AWS Secrets Manager. These services create, store, and retrieve secrets for use across your cloud infrastructure, come standard with every major cloud provider, and are well documented.



*Scan before you release

Removing a secret from an uncommitted file is easy and inexpensive. Removing that same secret from shared code is practically impossible and a time drain: once it has been pushed, you have to assume it has been copied, so the real fix is rotating the credential, not deleting the line. We always want to 'shift left' and test early and often, especially where secrets are involved. Performing a secrets scan before you release, or better still before you even make a commit, is the most cost-effective way to ensure a secret does not leak.
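What such a pre-release scan looks like, as an added example that is not code from the article and not ggshield: it runs the two detector kinds the article attributes to ggshield, specific detectors (vendor-defined token shapes) and a generic detector (secret-like assignments whose values look random), over the set of files that would go into the package, and additionally flags a `.env` file in the payload as a finding on its own. The sample files, file names and values are constructed; the AWS key ID is the placeholder AWS uses in its own documentation, and the remaining tokens only share the shape of real ones.

```python
"""Pre-release secret scan over the files that would ship in a package.

Added example, not code from the article or from ggshield. It combines the two
detector kinds the article attributes to ggshield: specific detectors (token
shapes a vendor defines) and a generic detector (secret-like assignments whose
values look random). The sample files and values below are constructed; the
AWS key ID is the placeholder AWS uses in its own documentation.
"""
import math
import re
from dataclasses import dataclass

# Specific detectors: vendor-defined shapes, so a match is a strong signal on its own.
SPECIFIC = {
    "AWS access key ID": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "GitHub token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "private key block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}

# Generic detector: <name ending in password/secret/token/api_key> = "quoted value of 8+ chars".
# Quoted values only, to keep the false-positive rate tolerable in a pre-commit hook.
GENERIC = re.compile(
    r"(?i)([A-Za-z0-9_.-]*(?:password|passwd|secret|token|api[_-]?key))\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
)
PLACEHOLDERS = re.compile(r"(?i)^(?:changeme|example|placeholder|<.*>|\$\{.*\}|x{3,}|your[_-].*)$")


def shannon_entropy(value: str) -> float:
    """Bits per character: random credentials score well above 3.5, English words below."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in (value.count(ch) for ch in set(value)))


@dataclass(frozen=True)
class Finding:
    path: str
    line: int        # 0 when the finding is about the file itself
    detector: str
    evidence: str    # truncated so the scanner's own output never re-leaks the secret


def scan_text(path: str, text: str, min_entropy: float = 3.5) -> list[Finding]:
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SPECIFIC.items():
            for match in pattern.finditer(line):
                findings.append(Finding(path, lineno, name, match.group(0)[:10] + "..."))
        for match in GENERIC.finditer(line):
            variable, value = match.group(1), match.group(2)
            if PLACEHOLDERS.match(value) or shannon_entropy(value) < min_entropy:
                continue  # obvious placeholders and dictionary words are not findings
            findings.append(Finding(path, lineno, "generic high-entropy assignment", variable))
    return findings


def scan_release(files: dict[str, str]) -> list[Finding]:
    """Scan every file that would be packaged; a non-empty result should fail the release."""
    findings = []
    for path, text in files.items():
        if path.rsplit("/", 1)[-1] == ".env":
            # A .env file in the payload is a leak by itself, whatever it contains.
            findings.append(Finding(path, 0, "dotenv file included in package", path))
        findings.extend(scan_text(path, text))
    return findings


# Constructed "package payload"; synthetic values that only share the shape of real ones.
SAMPLE_FILES = {
    "mypkg/settings.py": (
        "DEBUG = False\n"
        "AWS_KEY = 'AKIAIOSFODNN7EXAMPLE'\n"
        "DB_PASSWORD = 'changeme'\n"
        "API_TOKEN = 'q7Zp2mX9vLk4Rt8sWn3bYc6Hd1Fg5Jh0'\n"
    ),
    "mypkg/README.md": "Set API_TOKEN in your environment before running.\n",
    "mypkg/.env": "API_TOKEN=from-the-developers-laptop\n",
}


if __name__ == "__main__":
    results = scan_release(SAMPLE_FILES)
    for f in results:
        print(f"{f.path}:{f.line}: {f.detector} ({f.evidence})")
    raise SystemExit(1 if results else 0)
```

Run against the constructed payload it reports three findings (the AWS key ID, the high-entropy `API_TOKEN` assignment, and the `.env` file) and exits non-zero, while the `changeme` placeholder and the README sentence are ignored. The point of the exit code is that the same script can sit in a pre-commit hook or in the release job; ggshield ships a pre-commit hook of its own, which is what you would wire in for real, with this toy standing in only to show how the two detector kinds divide the work.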





Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.