Introducing Qwiet AI AutoFix! Reduce the time to secure code by 95% Read More

Software and application development has changed significantly with the introduction of cloud-based services. Historically, developers write code on local desktops or laptops, meaning attackers needed to compromise the physical device. Further, this limited malicious actors’ ability to compromise the entire source code because no single developer had it stored on their device in its entirety. With DevOps models, everyone on the team has access to source code so they can make changes to development, testing, and production environments. 

While collaborating across cloud platforms delivers products to market faster, it creates new security risks. As developers write more code, manual code reviews and security checks no longer adequately respond to these risks. For example, developers sharing code snippets when collaborating in public repositories may not realize that they exposed a secret, like an API key. Further, misconfigurations in CI/CD pipelines can expose secrets in plaintext, meaning that anyone who accesses logs also access the secrets. 

With secret scanning, developers can identify and remove secrets to enhance security. 

What is Secret Scanning?

Secret scanning tools automate the detection and identification of potential secrets within source code or other file formats by using: 

  • Predefined regular expressions (regex): character sequences that match a text pattern
  • Scanning rules: custom rules based on format, expression before the secret, expression describing the characters after the secret, and any additional user-defined characters or expressions 

Examples of secrets include:

  • API keys
  • Authentication tokens
  • Credentials
  • Private encryption keys
  • Digital certificates

Where to scan for secrets

To ensure comprehensive security, developers and DevOps teams should scan all potential risky locations across their codebase. 

Source code

While hardcoding secrets isn’t new, cloud-native applications and environments introduce significant risks. Developers may insert a block of code containing a secret to use when testing the app locally then forget to remove it. For example, a Python application’s source code may incorporate a database’s password so that it can easily connect with it. 

Configuration files

An application’s configuration files may store secrets stored locally that later get uploaded to the cloud. For example, a global git configuration file might store credentials when a developer uses the credential.helper

Additionally, file paths within configuration files identify where a file is located within the larger application’s file structure. Since they may trace back to internal or external resources, they can accidentally expose secrets.  

Environment variables

An application’s environment variables often store secrets which are easier to modify between deploys without impacting the source code. Since environment variables often remain in plaintext, this can lead to data leakage. For example, an environment variable may store an API key for a payment gateway. 

Container images

Docker containers can leak secrets when developers configure them with unencrypted environment variables, making them visible in plaintext. For example, a Docker container might obtain a root password to a MySQL database so that the software within the container can use the password. 

DevOps stack

The tools and services that the team uses can expose secrets. Since vendors often have different native secrets capabilities, the team may not be able to centrally and securely store, provide, and grant access to secrets. For example, the DevOps pipeline relies on machine-to-machine interactions which can expose secure shell (SSH) keys when technologies communicate with each other. 

When to scan for secrets

Since various parts of the development process can expose secrets, scanning for them needs to be implemented across build and runtime. 

Scanning in build

Secret scanning across the build process should help detect leaks in:

  • Files
  • Dependencies
  • Build scripts
  • Build configuration files
  • Package managers

Scanning at runtime

During the runtime phase, your application’s active request processing and code execution can expose secrets through:

  • Logging
  • Error messages
  • Connections to external services and databases
  • Authentication and authorization mechanisms

Qwiet AI: Build Secret Scanning into DevOps 

With Qwiet AI’s preZero platform, you get the depth of secret scanning necessary to protect your application. With our platform, you can identify secrets present in your source code and all included properties files. PreZero enables you to identify hard-coded values like username/password combinations and sensitive information like phone numbers and physical addresses. 

Using Qwiet AI, you can incorporate all vulnerability and secret scanning in one location for a comprehensive approach that shifts all application security left. 

Take our preZero platform for a free spin to see how Qwiet AI can help you identify shadow code. 

About ShiftLeft

ShiftLeft empowers developers and AppSec teams to dramatically reduce risk by quickly finding and fixing the vulnerabilities most likely to reach their applications and ignoring reported vulnerabilities that pose little risk. Industry-leading accuracy allows developers to focus on security fixes that matter and improve code velocity while enabling AppSec engineers to shift security left.

A unified code security platform, ShiftLeft CORE scans for attack context across custom code, APIs, OSS, containers, internal microservices, and first-party business logic by combining results of the company’s and Intelligent Software Composition Analysis (SCA). Using its unique graph database that combines code attributes and analyzes actual attack paths based on real application architecture, ShiftLeft then provides detailed guidance on risk remediation within existing development workflows and tooling. Teams that use ShiftLeft ship more secure code, faster. Backed by SYN Ventures, Bain Capital Ventures, Blackstone, Mayfield, Thomvest Ventures, and SineWave Ventures, ShiftLeft is based in Santa Clara, California. For information, visit: www.shiftleft.io.

Share

Read Next

AI Announcements Cybersecurity
April 29, 2024 4 min to read

The Qwiet AI Code Doctor Will See You Now – Introdu...

by Stuart McClure

Qwiet AI and the ancient Greek physicians like the father of medicine Hippocrates have much in common. Hippocrates highlighted the significance of a healthy diet and lifestyle in preventing diseases and acknowledged the root cause of physical and psychological ailments as diet and lifestyle choices (Διαιτήμασί in Greek), and now Qwiet AI is delivering his […]

READ MORE
AI Cybersecurity
April 29, 2024 10 min to read

Revolutionizing Vulnerability Detection and Patching

by Chetan Conikee

In the ever-evolving landscape of software development, ensuring the security of applications has become a paramount concern. As cyber threats continue to grow in sophistication, it is crucial for developers and security professionals to stay ahead of the curve. This article explores a groundbreaking approach that combines the power of Code Property Graphs (CPGs) and […]

READ MORE
Cybersecurity
April 22, 2024 6 min to read

What are the limitations of using ChatGPT to write code?

Love them or hate them, large language models (LLM) are here to stay. After opening the Pandora’s Box of ChatGPT in late 2022, everyone from developers to grandmas began using the tool to get the answers they wanted – and fast. As with every other new technology, ChatGPT created a new set of security risks, […]

READ MORE

Read Next

Cybersecurity
February 17, 2022 14 min to read

Node.js Vulnerability Cheatsheet

25 vulnerabilities to look out for in Node JS applications: Directory traversal, prototype pollution, XSSI, and more… Securing applications is not the easiest thing to do. An application has many components: server-side logic, client-side logic, data storage, data transportation, API, and more. With all these components to secure, building a secure application can seem really […]

READ MORE
Cybersecurity
March 15, 2022 7 min to read

Secure Software Summit: The State of OSS Supply Chain Sec...

  The Open Source Software (OSS) Supply Chain is under attack. As evidenced by the recent Log4Shell vulnerability, the OSS supply chain is increasingly a focus for attackers seeking to exploit weak links in security. A number of research reports have recorded a significant increase in so-called “next-gen software supply chain attacks” over the past […]

READ MORE
Cybersecurity
November 7, 2023 4 min to read

Safeguarding Your Web App: A Developer’s Guide to T...

Introduction Remote Code Execution (RCE) is a term every web developer should be intimately familiar with. It’s the dark cloud that could spell disaster for your meticulously crafted application. An RCE attack can lead to unauthorized access and manipulation of your application, giving attackers the leverage to exploit your system’s vulnerabilities. Let’s dive into the […]

READ MORE
Subscribe to newsletter
Privacy Policy Terms of Service © 2024 Qwiet. All rights reserved
Services
Company
Platform
Resources
Log In