Development Secrets....Shhhh It's a Secret
In this episode of ReversingGlass, Matt stresses the importance of not only finding secrets in software, but also identifying them so that development teams can efficiently mitigate potentially threatening secrets leaks.
- ReversingGlass: What the heck are secrets?
- Learn more: Secrets Exposed: The why, the how – and what to do about – secrets security in software
- Analysis: The CircleCI secrets hack was a red flag
MATT ROSE: Hi everyone, welcome back to another episode of ReversingGlass. I'm Matt Rose, Field CISO at ReversingLabs, and today's episode, if you haven't guessed by the top, is Shhh... it's a Secret. And what do I mean by that? It seems like everybody is talking about secrets these days. Hey, you gotta look for secrets in your application.
Hard coded passwords, all these type of things, because an application that's not self contained. It needs data, it needs functionality, and that's all interconnected with a secret. And I was thinking about secrets, and this thing popped in my head, how I like to do these type of things.
Everybody has a secret, and I want to ask people, how did we not figure out as a society, as a comic book fan, that Clark Kent was actually Superman? Look, am I a superhero? Now I took off my glasses. Oh, look, I'm no longer a superhero. Same thing with secrets. Are these secrets superheroes in your code?
And do they access interesting information, functionality, PII data, financial data, trade secrets? So let's just leave Mr. Clark Kent up there, also his alter ego of Superman, and thinking about secrets and how you should address secrets using different technologies. Because again, everybody's talking about them.
Number one is, what the heck does this secret do? The first thing you have to look at is, what is it doing? What is it accessing? Is it a secret for a database connection? Is it a secret to pull code from a code repo like GitHub? Is it something for your cloud service provider? What type of secret it is?
And secondly, if you're just reporting all these secrets, the last thing any development team or application security team really wants is a new list of risk. Like I scan my application, I do a little manual 'Sherlock Homing' of the application to find all these secrets. Are they important?
Are they dummy secrets? Are they canary secrets? Are they just in there for some sort of testing phase, but they don't actually access that information? So thinking about secrets. Okay, not just creating a list with a scanning technology or a manual process, but seeing if that secret actually works and is it important to me? Is Clark Kent important to me or is Superman more important to me... thinking about it that way.
ReversingLabs has this new approach, so we identify what the secret is, what type of secret, and then, guess what, we test it out. So if you get that secret, you can actually see if it does access specific information. What does it access? Because developers just don't want another list of things they have to look at.
Here's 10,000 secrets or even 100 secrets that you now have to vet out. Let a technology platform do that for you and vet whether, hey, I even care about this secret, is it accessing something interesting or is it actually useful? Maybe that secret has been changed somewhere else and it's hard coded in your code or some part of your application in terms of the infrastructure, but maybe it's been changed somewhere else.
And now that's a dead secret. So not only do we have to identify what secrets are and how they actually work, but are they actually working to connect to some sort of sensitive information. Do a little homework, do a little research on secrets of all the application security technologies that are out there.
How are they taking not just identification of secrets, but making it much more high fidelity in terms of information for the development staff? And again, it still bugs me that no one in the world or all the movies could just figure out that Superman and Clark Kent were the same just because he took off his glasses.
Hope you enjoyed the food for thought. I'm Matt Rose, Field CISO at ReversingLabs. And this is another episode of ReversingGlass. Take care, everyone.