It has been reported today by several news outlets that there was a major security breach at Uber. The short story is, the intruders got access to an AWS account through an AWS Access Key and Secret Key stored in a Git repository, where they were stored in clear text. They were then able to get into instances that had access to databases storing sensitive data, and downloaded several million records worth of Personally Identifiable Information.
It’s scary to think about intruders accessing your data, but it’s totally preventable with some simple controls in place, so make sure you automate it away! Make checking for any potential credentials in your repo part of your CI/CD pipeline with a few tools that we recommend:
Git Secrets
The folks at AWS have put together an Open Source command line tool that has a number of built-in patterns that it looks for, and also allows you to specify your own regular expressions (search patterns) for looking through Git repository commits.
Gitrob
This tool will iterate over all public organization and member repositories and match filenames against a range of patterns for files that typically contain sensitive or dangerous information.
Truffle Hog
Searches through git repositories for secrets, digging deep into commit history and branches. It runs high entropy checks on git diffs, and high signal regex checks have been added, as has the ability to suppress entropy checking.
Repo Supervisor
This serverless tool allows you to set up a webhook that waits for pull requests and scans all interesting files to check for leaked secrets. Every time a pull request is updated it rescans the latest changes and generates a report.
Slack notifications are sent to the team with information about potential risks and interactive prompts allow the ability to say whether the item in question is a secret or not.
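To make the CI/CD check concrete, here is an added example (not code from any of the tools above) of a minimal Python scanner that combines the two techniques those tools rely on: a high-signal regex for AWS access key IDs and a Shannon-entropy check on candidate 40-character secret keys, run over only the lines a git diff adds. The diff, the key values and the 4.5-bit threshold are constructed for this example.

```python
import math
import re
import sys

# Constructed sample diff. The key values are placeholders, not real credentials.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,3 +1,6 @@
+AWS_ACCESS_KEY_ID = "AKIAEXAMPLEKEY000001"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+PLACEHOLDER_TOKEN = "0000000000000000000000000000000000000000"
 REGION = "us-east-1"
 DEBUG = False
"""

# Assumed patterns: an access key ID is "AKIA" plus 16 upper-case alphanumerics;
# a secret key candidate is a 40-char run of base64-alphabet characters.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])AKIA[0-9A-Z]{16}(?![A-Z0-9])")
CANDIDATE_RE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")
ENTROPY_THRESHOLD = 4.5  # bits per character; constructed cut-off for this example


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for a repeated single character)."""
    if not s:
        return 0.0
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)


def scan_diff(diff_text):
    """Return (file, kind, token) for secrets found on lines the diff adds."""
    findings, path = [], None
    for line in diff_text.splitlines():
        if line.startswith("+++ b/"):
            path = line[6:]          # file the following hunks belong to
            continue
        if not line.startswith("+") or line.startswith("+++"):
            continue                 # context and removed lines add no new leak
        content = line[1:]
        for m in ACCESS_KEY_RE.finditer(content):
            findings.append((path, "aws_access_key_id", m.group()))
        for m in CANDIDATE_RE.finditer(content):
            # Regex alone would flag the all-zero placeholder; entropy filters it.
            if shannon_entropy(m.group()) >= ENTROPY_THRESHOLD:
                findings.append((path, "high_entropy_string", m.group()))
    return findings


if __name__ == "__main__":
    # As a CI gate: feed `git diff origin/main...HEAD` on stdin, fail on any finding.
    results = scan_diff(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF)
    for f in results:
        print("%s: %s: %s" % f)
    sys.exit(1 if results else 0)
```

Note that a diff-based gate only catches new leaks; a key already committed earlier stays in history and needs the full-history scan that Truffle Hog performs.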
Perfect security is the dream, and our Security Engineers make sure we stay on top of the latest technologies and are aware of common vulnerabilities that might impact our clients.
We know that there are always ways to improve your existing workflow to tighten security controls in a way that doesn’t have to cause pain for your engineers. If you would like our engineers to evaluate your organization with an eye towards making sure this doesn’t happen to you, contact us at [email protected].
Have a Happy (and breach free) Thanksgiving!!!
StackOverdrive.io