After hunting for security bugs I’ve realized that the clients I work with are not familiar enough (or at all) with basic “hacking” techniques. API keys, passwords, SSH private keys, and certificates are all great protection mechanisms, as long as they are kept secret. Once they’re out in the wild, it doesn’t matter how complex the password is or how strong the hash algorithm protecting it elsewhere may be. In this post, I’m going to share the concepts, methods, and tools researchers use both to find secrets and to exploit them. I’ll also list mitigation action items that are simple to implement.
It’s important to mention that the attack & defend “game” is not an even one: an attacker only needs one successful attempt to get in, whereas the defender has to succeed 100% of the time. The hard part is knowing where to look. Once you can list the virtual “gates” through which hackers can find their way in, you can protect them with rather simple mechanisms. I believe their simplicity sometimes overshadows their importance, which is why many teams overlook them.
So here’s a quick and simple TL;DR, but not one to overlook:
These are the 20% of actions that give 80% of the effect in preventing leaks and access-control holes.
API keys are all over the internet, exposed to the world. This is a fact, and often for no good reason. Developers leave them behind everywhere:
Blocks such as this one are all over the internet:
grep. In this instance, truffleHog, or the trufflehog pattern in the gf tool, can find the high-entropy strings that most API keys consist of. The same goes for searching for API_KEY as a plain string, which yields results (too) many times.
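To make the two search strategies above concrete, here is an added example (written for this post, not code from truffleHog or gf) that implements both on a small constructed sample: a Shannon-entropy scan over base64- and hex-looking runs, in the style of truffleHog’s entropy mode, plus a name-based match for identifiers such as API_KEY. The thresholds, minimum length and variable-name list are assumptions chosen for the example; the sample secrets are fabricated (the AWS-shaped one is the well-known public documentation example), and the git commit hash shows the classic false positive an entropy scan produces.

```python
import math
import re
import sys
from collections import Counter

# Alphabets scanned for high-entropy runs: base64 and hex, as truffleHog does.
BASE64_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
HEX_CHARS = "0123456789abcdefABCDEF"

# Assumed thresholds (bits per character) and minimum run length; tune per corpus.
B64_THRESHOLD = 4.5
HEX_THRESHOLD = 3.0
MIN_LEN = 20

# The "grep for API_KEY" strategy: secret-looking names followed by an assignment.
# Name list is an assumption for this example.
KEY_NAME_RE = re.compile(
    r"(?i)\b(api[_-]?key|secret|token|password|aws_secret_access_key)\b"
    r"\s*[:=]\s*['\"]?([^'\"\s]+)"
)


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for empty input)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def runs(word: str, charset: str, min_len: int = MIN_LEN):
    """Yield maximal substrings of word drawn only from charset, at least min_len long."""
    buf = []
    for ch in word:
        if ch in charset:
            buf.append(ch)
        else:
            if len(buf) >= min_len:
                yield "".join(buf)
            buf = []
    if len(buf) >= min_len:
        yield "".join(buf)


def scan_text(text: str):
    """Return (line_no, kind, value) findings from both strategies.

    kind is 'name:<identifier>' for name matches and 'entropy:base64' /
    'entropy:hex' for high-entropy runs.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in KEY_NAME_RE.finditer(line):
            findings.append((line_no, "name:" + m.group(1).lower(), m.group(2)))
        for word in line.split():
            for run in runs(word, BASE64_CHARS):
                if shannon_entropy(run) > B64_THRESHOLD:
                    findings.append((line_no, "entropy:base64", run))
            for run in runs(word, HEX_CHARS):
                if shannon_entropy(run) > HEX_THRESHOLD:
                    findings.append((line_no, "entropy:hex", run))
    return findings


# Constructed sample input; none of these values is a live credential.
SAMPLE = """\
# constructed sample, not a real credential
DEBUG = True
API_KEY = "qZ3mK9vX2pL7nB4wR8tY1cF6hJ0dG5sA"
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
commit 3b4e9c1f2a7d8e6b5c0a1f9d4e8b7c2a6d5f0e1b
some_name = "hello_world_value"
"""


if __name__ == "__main__":
    # Scan files given on the command line, or the built-in sample if none.
    sources = [(p, open(p, encoding="utf-8", errors="replace").read())
               for p in sys.argv[1:]] or [("<sample>", SAMPLE)]
    for name, text in sources:
        for line_no, kind, value in scan_text(text):
            print(f"{name}:{line_no}: {kind}: {value}")
```

Both fabricated keys are caught twice, once by name and once by entropy, which is why the two strategies complement each other: the name match catches low-entropy values such as passwords, the entropy scan catches keys assigned to innocuous variable names. The commit hash on line 5 is reported as a hex finding even though it is not a secret; any entropy-based tool needs an allow-list or a manual triage step for hashes, UUIDs and similar noise.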