Code – a new attack vector with growing popularity has drastically accelerated the need for organizations to rethink their security practices and “shift left” from DevOps to DevSecOps to secure source code. Storing passwords and other credential information inside of code is far too common and is often the source behind hacks related to some large and publicly recognizable organizations.
- GitHub: According to ZDNet, more than 100,000 repositories were found leaking API and cryptographic keys over 6 months in 2019. 15 API token formats analyzed included those used by Google, Amazon, Twitter, Facebook, Mailchimp, MailGun, Stripe, Twilio, and Square. Worse, 81% of owners did not correct the issue: Code remains in cloned or forked repositories, as well as in Git history.
- Uber: An AWS S3 key posted in a private GitHub repository in 2016 resulted in a breach of rider/driver PII and a $100,000 attacker ransom was paid out as a bug bounty
- Equifax: Secrets found in a personal Git repository for web services allowed access to customer personal data in April, 2020
- Starbucks: A JumpCloud API key was leaked in January, 2020 allowed access to execute commands, add/remove system users, and AWS account takeover
Including passwords and API keys inside of source code repositories is a common occurrence regardless of whether a developer is following directions, trying to gain efficiencies, doesn’t understand the risks, or simply forgets after development and testing cycles. Machina can help prevent these mishaps and help enforce security processes by automatically protecting secrets during a quick scan performed before each commit via the source control versioning system’s hooks in conjunction with the Machina CLI.
Shifting Left – The DevSecOps Mantra
When we introduced Machina CLI, we outlined a potential use case that couples the Machina SDKs and CLI to close the gap between the security practices of product development and ops teams. As described by Bill LeBlanc, CTO of Ionic, “DevSecOps is ostensibly about making security part of your whole process, right from the beginning.” Simply put, shifting left is moving security to the earliest possible point in the development process. A typical organization’s software development and deployment cycle can usually be described with the ten stages illustrated below. This article, and its follow-up tutorial series, will help your organization get started protecting your code’s valuable assets as they are created, during the code phase.
Specifically, if an API key is required by an application and is checked into a hosted source control repository, such as Github, it can be protected by pre-commit hooks that invoke the Machina CLI. Then, if that application’s source code is later checked out, compiled by a build server or hosted continuous integration service like CircleCI, and deployed to a cloud computing platform like AWS or Google’s App Engine, the application can use Machina SDK to access the plaintext API key when it is needed at runtime.
The benefits of using Machina to secure source code secrets as they are created are not limited to the shifting left initiative. With Machina, you can limit and monitor the hosted or third-party services that have access to your API keys:
- The API key is not accessible by the system or service hosting the source repository, GitHub in this example.
- The API is also not accessible by the system or service hosting the build server, CircleCI in this example, because the encrypted API key from the source repository is compiled into the application bundle or binary.
- The API keys are never stored on disk in plaintext. The system running the application, AWS or App Engine in this example, will only store the key in plaintext in volatile memory when needed at runtime.
- For distributed client-side applications, not having the plaintext key in the application bundle adds a level of obfuscation to help combat reverse engineering tactics.
- The use of pre-commit hooks adds security without friction for the developer, who simply follows their normal routine to check code into a repository.
The tutorial shows how to use Machina to protect the key in a typical continuous integration workflow using a code repository to mimic the developer’s workstation and another to mimic the repository on a build server. If you are already considering using Machina to protect and track your application’s data and workflows, introducing the Machina CLI to secure source code during your development process is a next step to becoming a true security-first organization.