Secret Scanning: Protecting Passwords, API Keys, OAuth Tokens, Private Keys

TL;DR:

• Data breaches are common due to stolen secrets like API keys.
• Secret scanning is crucial to prevent unauthorized access to sensitive data.
• Secrets can be found in various places beyond code repositories.
• Implementing secret scanning alongside best practices can reduce the risk of data breaches.
• Strac offers a comprehensive solution for secret scanning as part of their data loss prevention capabilities.

In today's digital landscape, data breaches are increasingly common, with a significant portion caused by stolen secrets and credentials, such as API keys. These keys are essential for accessing data and resources from other applications or services, facilitating communication between applications. For example, a weather app on your phone uses an API key to access the Weather Channel's data.

While API keys are crucial for modern software development, they pose a significant security risk. If an attacker steals an API key, they can access the protected data and resources. To mitigate this risk, organizations must adopt secret scanning as a vital part of their security strategy.

What is Secret Scanning?

Secret scanning is the practice of automatically scanning text and files for secrets, such as passwords or API keys. It is commonly applied to code, ensuring that secrets are not unintentionally included in repositories. Even if a repository is private, there is always a risk of unauthorized access, making secret scanning essential.

The Reality of Secret Sprawl

While scanning code is crucial, secrets can end up in various places beyond code repositories. Consider the following scenarios:

• Passwords shared in collaboration tools like Slack
• Engineers logging issues and bugs in platforms like Jira
• CSV files of password manager exports stored in Google Drive

‎These examples highlight the importance of a comprehensive secret scanning approach that extends beyond code.

Understanding the Risk

Secrets encompass a wide range of items, including:

• Passwords
• API keys
• Encryption keys (SSH, PGP, etc.)
• Certificates (SSL, TSL, etc.)
• Authentication tokens

Managing these secrets can be challenging. Reports, such as Verizon's 2022 Data Breach Investigations Report, indicate that nearly half of all attacks result from insecure credentials. Additionally, about 40% of businesses experienced an API key-related security incident last year.

Where to Scan for Secrets

Secrets can reside in various locations within an organization. Here are some key areas to focus on:

Code Repositories

Scanning code is the most obvious starting point. Conduct historical scans of committed code and ensure secrets are not hardcoded or included in configuration files.

SaaS Apps

Scan applications used across your organization's software development lifecycle (SDLC) or SaaS apps, such as:

• Ticketing systems (e.g., Jira, Linear)
• Knowledge management/wikis (e.g., Confluence)
• Bug tracking (e.g., Sentry, Bugsnag)
• Collaboration/chat (e.g., Slack, MS Teams)
• Support (e.g., Zendesk, Intercom, Zoho Desk)
• Email (e.g. Gmail, O365)
• CRM (e.g. Salesforce, Hubspot)

Observability Pipelines

Sensitive data can appear within observability platforms due to stack traces or other logging activities. Focus on:

• Observability & logging (e.g., Datadog, Fluent Bit, Splunk, Cribl)
• Data stores (e.g., Amazon RDS, S3, MongoDB, Kafka)

Identifying Secrets

Distinguishing secrets from regular data is challenging. There are three major detection methods:

• Regular Expressions (Regex): Searches for expected characters in a string but may struggle with variations.
• Entropy: Measures the complexity of a string, helping determine if it is a secret based on variability.
• Machine Learning: Uses algorithms trained on API key patterns and context to identify secrets without relying on specific indicators.

How to Implement Secret Scanning

Secret scanning can be conducted in multiple ways:

• At-Rest Scanning: Historical scans of full repositories and data at rest in SaaS applications.
• Real-Time Scanning: Scans new code push events in CI/CD processes and new data entered or changed in SaaS applications.

How Strac Can Help

Strac offers a comprehensive solution for secret scanning as part of our industry-leading data loss prevention (DLP) capabilities. Our platform is designed to discover, classify, and protect sensitive data, including secrets and credentials. Strac's best-in-class detection capabilities can identify active secrets, helping you prioritize remediation.

Strac integrates with popular SaaS applications like Slack, GitHub, Jira, Confluence, Google Drive, and more. Our developer platform allows easy integration with just a few lines of code, ensuring quick and efficient deployment.

Beyond Secret Scanning

In addition to secret scanning, organizations can adopt several best practices to protect secrets and credentials:

• Enforce Multi-Factor Authentication (MFA): Adds an extra layer of security, requiring a second factor for access.
• Use a Password Manager: Helps generate and securely store strong passwords.
• Implement a Key Management System: Encrypts and securely stores keys using services like AWS Secrets Manager or Hashicorp Vault.
• Encrypt Credentials & Secrets: Ensures that data is unreadable without the proper decryption key.
• Restrict Access Control Lists (ACLs): Limits access to sensitive data based on permissions.
• Employee Training & Coaching: Educates employees on security best practices to prevent accidental leaks.
• Develop a Password Policy: Sets rules for password creation and usage to enhance security.
• Regular Key Rotation: Periodically changes keys to minimize the impact of exposed secrets.

For a comprehensive list of policies and processes to enhance your organization's security, check out Strac's Security Playbook for Remote-first Organizations.

Secret scanning is a critical component of a robust security strategy. By implementing it alongside other best practices, organizations can significantly reduce the risk of data breaches and protect their valuable digital assets.