KCDC- Keeping Secrets Out of Your Pipeline

ggotimer 27 views 33 slides Jun 28, 2024

About This Presentation

Commit your code, push a button, and everything is deployed – the Holy Grail of DevOps. Nobody has to type any commands or passwords to push your app live, everything lives in source control and it all just works.
Wait a second! My passwords are in source code? How did they get in there? How can I...


Slide Content

Keeping Secrets
Out of Your Pipeline
Gene Gotimer
Principal DevOps Engineer at Praeses, LLC
@OtherDevOpsGene
June 28, 2024 #KCDC2024

The State of Secrets Sprawl Report
@OtherDevOpsGene #KCDC2024 2
https://www.gitguardian.com/state-of-secrets-sprawl-report-2024

Secrets

What are secrets?
•Passwords
•Credentials
•API keys
•Signing keys
•SSH keys
•Access tokens

The scenario
•Working towards continuous delivery and DevOps
•Writing automated deployment code
•And writing automated tests
•So, you have credentials locally in your environment
•Pipeline needs those credentials as well

Oops!
•File with the credentials gets included with source control
•“But I thought that repo was private”
•Keys get hard-coded, “just while we are testing”
•Permissions wide open so we don’t need credentials in dev
•Written to an issue ticket
•Packaged with a release
•Included in a Docker image

Detecting committed secrets

Some tools to try
•TruffleHog - https://github.com/trufflesecurity/trufflehog
•OWASP WrongSecrets - https://github.com/OWASP/wrongsecrets

Using TruffleHog
$ trufflehog github --repo https://github.com/OWASP/wrongsecrets \
--issue-comments --pr-comments
$ trufflehog github --org OtherDevOpsGene \
--issue-comments --pr-comments --gist-comments
$ trufflehog docker --image webgoat/webgoat-8.0:latest
$ trufflehog --help
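The TruffleHog commands above do the scanning for you. The Python below is added here as an illustration of what such a scanner does internally; it is not code from the talk or from TruffleHog. It applies two kinds of checks to each line: fixed patterns for well-known credential formats (an AWS access key ID, a GitHub token, a private-key header, a password assignment) and a Shannon-entropy fallback for long random-looking strings that no pattern knows about, with an allowlist so documented placeholders are not reported. The rule set, the thresholds and the sample .env file are constructed for this example; findings are redacted so the scan report does not itself become a leak.

```python
import math
import re
import sys
from dataclasses import dataclass

# Constructed rule set for this example. Real scanners such as TruffleHog ship
# hundreds of detectors and can verify a match against the issuing service.
RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private-key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    # key=value or key: value where the key name suggests a credential
    "password-assignment": re.compile(
        r"(?i)(?:password|passwd|pwd|secret)\s*[=:]\s*['\"]?([^\s'\"]+)"
    ),
}

# Known documentation placeholders that should not be reported.
ALLOWLIST = {"AKIAIOSFODNN7EXAMPLE"}  # AWS's published example access key ID

# Fallback for credentials no rule knows about: long, random-looking tokens.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/_\-]{20,}")
ENTROPY_THRESHOLD = 3.5  # bits per character; English text sits well below this


@dataclass
class Finding:
    line_no: int
    rule: str
    redacted: str  # never echo the full secret into a scan report


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, estimated from the character frequencies."""
    if not s:
        return 0.0
    length = len(s)
    return -sum(
        (s.count(c) / length) * math.log2(s.count(c) / length) for c in set(s)
    )


def redact(value: str) -> str:
    """Keep a short prefix for triage and mask the rest."""
    return (value[:4] + "*" * (len(value) - 4)) if len(value) > 4 else "****"


def scan_text(text: str) -> list[Finding]:
    """Scan text line by line; returns findings in line order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        matched = False
        for name, pattern in RULES.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                matched = True  # an allowlisted placeholder still "explains" the line
                if value in ALLOWLIST:
                    continue
                findings.append(Finding(line_no, name, redact(value)))
        if matched:
            continue
        # No rule fired: report any high-entropy token on the line instead.
        for token in TOKEN_RE.findall(line):
            if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                findings.append(Finding(line_no, "high-entropy-string", redact(token)))
    return findings


# Constructed sample: a .env-style file of the kind that ends up in source control.
SAMPLE_ENV = """\
DB_HOST=db.internal
DB_PASSWORD=hunter2
AWS_ACCESS_KEY_ID=AKIAEXAMPLE012345678
# docs example, not a real key: AKIAIOSFODNN7EXAMPLE
SESSION_SIGNING_KEY=q7H2xP9sLm4Kd8Rz1Wv6Yb3Ta5Nc0Ue
API_TOKEN=not-a-real-token
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    # Scan a file named on the command line, or the built-in sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ENV
    results = scan_text(text)
    for f in results:
        print(f"line {f.line_no}: {f.rule}: {f.redacted}")
    sys.exit(1 if results else 0)  # a non-zero exit is what fails a pre-commit hook
```

On the sample the password assignment, the access key, the high-entropy signing key and the private-key header are reported, while the allowlisted documentation key and the short, low-entropy API token are not. Run as a hook with the staged files as arguments, the non-zero exit status is what blocks the commit.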

Found some. So now what?
1. Revoke the credentials
    •Do not bother finding out first if anyone has seen them
    •Assume they are compromised, even when you are 100% sure it couldn't happen
2. Plug the leak
3. Rotate the credentials - https://howtorotate.com/

What about just fixing the repo?
•Don’t

If you insist
$ git reset HEAD~ --soft # or HEAD~2 if it was two commits back
# Make your changes and commit the right stuff
$ git push origin --force

Catch secrets before commit

pre-commit hooks
https://pre-commit.com/

.pre-commit-config.yaml
repos:
  - repo: https://github.com/trufflesecurity/trufflehog
    rev: v3.78.2
    hooks:
      - id: trufflehog
        stages: ["commit", "push"]

Set up pre-commit hooks
$ pip install pre-commit # add -U to upgrade
$ pre-commit install

Storing secrets secretly

HashiCorp Vault
•Open source - https://vaultproject.io/
•Hosted service (HCP Vault Secrets) - https://hashicorp.com/products/vault

AWS Secrets Manager
https://aws.amazon.com/secrets-manager/
Similar to:
•Azure Key Vault
•GCP Secret Manager

Avoiding secrets entirely

3 factors of authentication
•Something you know
    •password
•Something you have
    •authenticator app on smartphone
    •smart card
    •physical key
•Something you are
    •fingerprint
    •retinal scan
    •other biometric method

AWS IAM Roles
•Scenario
    •EC2 instance needs to access an RDS database
•Traditional solution
    •Create username and password and store on EC2 instance
•Better solution
    •Create username and password and store in AWS Secrets Manager
•Even better solution
    •Assign IAM role to EC2 instance that has access to the RDS database

Honeytokens

Honeypots
•Unused systems that look like valuable targets
•Aren’t referenced or linked to anywhere
•Deliberately vulnerable
•If someone accesses them, they are likely an attacker
•They can be tracked and/or blocked elsewhere

Honeytokens
•Similar to honeypots
•Unused, but valid-looking credentials, URLs, files, API keys
•Stored somewhere that should be secure
    •private Git repo
    •S3 bucket
    •CI environment variable
    •company Slack
•If someone tries to use them, they are likely an attacker

Honeytoken providers
Canary Tokens - https://canarytokens.org/
Alternatives:
•GitGuardian ggcanary - https://github.com/GitGuardian/ggcanary
•SpaceSiren - https://github.com/spacesiren/spacesiren

Someone found one. So now what?
•You know that your secure location has been compromised
•Anything you thought was secure in there is not
•Check permissions
•Rotate credentials
•Replace the honeytoken
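The "someone found one" step only works if a honeytoken's use actually raises an alert that names the location it was planted in. The Python below is an added example of that monitoring logic and is not code from the talk or from any of the providers listed above. It reads CloudTrail-style JSON records (a simplified subset of the real field names: eventTime, eventName, sourceIPAddress, errorCode and userIdentity.accessKeyId), matches the access key against an inventory of planted tokens, and maps each hit back to the "secure" location that has evidently been exposed. A honeytoken has no legitimate use, so an AccessDenied failure is treated as the same signal as a successful call. The token values, the inventory and the log lines are constructed; the IP addresses are from the documentation ranges.

```python
import json
from dataclasses import dataclass

# Constructed inventory: each planted honeytoken and the "secure" place it was
# planted, so a hit tells you which location is no longer private.
HONEYTOKENS = {
    "AKIAHONEY00000000001": "private Git repo: infra-config",
    "AKIAHONEY00000000002": "CI environment variable: deploy-prod",
    "AKIAHONEY00000000003": "company Slack: #ops pinned message",
}


@dataclass
class Alert:
    token: str
    planted_in: str
    event_time: str
    event_name: str
    source_ip: str
    denied: bool  # AccessDenied still means someone tried the token


def parse_records(log_text: str) -> list[dict]:
    """Parse one JSON object per line; skip lines that are not valid JSON."""
    records = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a malformed line must not abort honeytoken monitoring
    return records


def honeytoken_alerts(records: list[dict]) -> list[Alert]:
    """Every use of a planted token is an alert, whether or not the call succeeded."""
    alerts = []
    for rec in records:
        key = rec.get("userIdentity", {}).get("accessKeyId")
        if key not in HONEYTOKENS:
            continue  # normal traffic from real credentials
        alerts.append(Alert(
            token=key,
            planted_in=HONEYTOKENS[key],
            event_time=rec.get("eventTime", "?"),
            event_name=rec.get("eventName", "?"),
            source_ip=rec.get("sourceIPAddress", "?"),
            denied=rec.get("errorCode") == "AccessDenied",
        ))
    return alerts


def compromised_locations(alerts: list[Alert]) -> dict[str, str]:
    """Map each exposed location to the first time its honeytoken was used."""
    first_seen: dict[str, str] = {}
    for a in sorted(alerts, key=lambda a: a.event_time):
        first_seen.setdefault(a.planted_in, a.event_time)
    return first_seen


# Constructed sample log: one real key, two honeytokens in use, one garbage line.
SAMPLE_LOG = """\
{"eventTime": "2024-06-28T14:02:11Z", "eventName": "DescribeInstances", "sourceIPAddress": "10.0.0.5", "userIdentity": {"accessKeyId": "AKIAEXAMPLE012345678"}}
{"eventTime": "2024-06-28T14:05:40Z", "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.23", "userIdentity": {"accessKeyId": "AKIAHONEY00000000001"}, "errorCode": "AccessDenied"}
not json at all
{"eventTime": "2024-06-28T14:06:02Z", "eventName": "GetCallerIdentity", "sourceIPAddress": "198.51.100.23", "userIdentity": {"accessKeyId": "AKIAHONEY00000000001"}}
{"eventTime": "2024-06-28T15:11:09Z", "eventName": "GetSecretValue", "sourceIPAddress": "203.0.113.8", "userIdentity": {"accessKeyId": "AKIAHONEY00000000002"}, "errorCode": "AccessDenied"}
"""

if __name__ == "__main__":
    found = honeytoken_alerts(parse_records(SAMPLE_LOG))
    for a in found:
        status = "denied" if a.denied else "succeeded"
        print(f"{a.event_time} {a.event_name} from {a.source_ip} "
              f"using token planted in {a.planted_in} ({status})")
    for location, when in compromised_locations(found).items():
        print(f"EXPOSED: {location} (first use {when})")
```

The per-location summary is the output that drives the response steps on this slide: each location listed is one whose permissions need checking, whose real credentials need rotating, and whose honeytoken needs replacing (the burned token should stay in the inventory, since further use of it is still worth knowing about).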

Wrap up

Key takeaways
•Scan your code for secrets.
•Don’t let secrets into your code.
•Assume exposed secrets are compromised and rotate them.
    •Immediately!
•Use a secrets-as-a-service solution.
•Use honeytokens to alert you to private areas being exposed.

Tools
•TruffleHog - https://github.com/trufflesecurity/trufflehog
•How To Rotate - https://howtorotate.com/
•pre-commit - https://pre-commit.com/
•HCP Vault Secrets - https://hashicorp.com/products/vault
•AWS Secrets Manager - https://aws.amazon.com/secrets-manager/
•Canary Tokens - https://canarytokens.org/
•GitGuardian ggcanary - https://github.com/GitGuardian/ggcanary
•SpaceSiren - https://github.com/spacesiren/spacesiren

Sample apps
•OWASP WrongSecrets - https://github.com/OWASP/wrongsecrets
•lotr - https://github.com/OtherDevOpsGene/lotr

The State of Secrets Sprawl Report
https://www.gitguardian.com/state-of-secrets-sprawl-report-2024

Questions?
Gene Gotimer
Principal DevOps Engineer at Praeses, LLC
@OtherDevOpsGene