Research from GitGuardian shows that, after gaining initial access, attackers often search for valid hard-coded credentials they can use for further lateral movement. Last year, hard-coded secrets ranked 2nd in the OWASP Top 10 Web Application Security Risks. This year, the weakness climbed one spot and now ranks 15th on the MITRE CWE Top 25 Most Dangerous Software Weaknesses. In an intriguing twist, GitGuardian is turning that weakness into an effective technique for detecting breaches as they unfold.
As organizations continue to adopt the cloud and modern software development practices, they are unknowingly expanding their attack surface. Rather than targeting poorly secured internet-facing assets and corporate networks, attackers are increasingly turning to components of the software supply chain, such as Continuous Integration and Continuous Deployment (CI/CD) pipelines, as entry points.
Given the complexity of the software supply chain and the sprawl of DevOps tools, detecting a compromise is difficult and often happens too late. To address this problem, security teams can use ggcanary to create and deploy canary tokens in the form of AWS secrets that trigger alerts as soon as an attacker tampers with them.
What sets ggcanary, GitGuardian's latest project, apart from other intrusion detection systems:
- The project is open-source and relies on Terraform, the popular infrastructure-as-code software tool by HashiCorp, to create and manage AWS canary tokens.
- Its intrusion detection is highly sensitive – ggcanary uses AWS CloudTrail audit logs to track every type of action performed on the canary tokens by attackers.
- A single ggcanary instance can scale up to 5,000 active AWS canary tokens deployed on the internal perimeter of an organization: in source code repositories, CI/CD tools, ticketing systems, and messaging systems such as Jira, Slack, or Microsoft Teams.
- It ships with its own alerting system, integrated with AWS Simple Email Service (SES), Slack and SendGrid. Users can also extend it to forward alerts to SOCs, SIEMs, or ITSMs.
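The detection described above, reduced to its core check, as an added example that is not part of ggcanary or GitGuardian's code: an inventory of planted canary access key IDs is matched against CloudTrail records, and any record signed with a canary key, including one AWS denied, becomes an alert. The key IDs, planting sites and CloudTrail records are all constructed placeholders.

```python
import json

# Constructed inventory of canary tokens (placeholder IDs, not real keys): key ID -> planting site.
CANARY_KEYS = {
    "AKIACANARYEXAMPLE001": "source repo payments-api, file .env",
    "AKIACANARYEXAMPLE002": "CI/CD variable in pipeline build-main",
}

# Constructed CloudTrail export trimmed to the needed fields; record 2 uses a non-canary key.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2022-09-01T10:15:02Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.7",
     "userAgent": "aws-cli/2.7.0", "userIdentity": {"type": "IAMUser",
     "accessKeyId": "AKIACANARYEXAMPLE001", "userName": "canary-payments"}},
    {"eventTime": "2022-09-01T10:16:40Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "10.0.4.12",
     "userAgent": "aws-sdk-go/1.44", "userIdentity": {"type": "IAMUser",
     "accessKeyId": "AKIALEGITEXAMPLE0001", "userName": "deploy-bot"}},
    {"eventTime": "2022-09-01T10:17:09Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.7",
     "userAgent": "aws-cli/2.7.0", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIACANARYEXAMPLE002",
                      "userName": "canary-ci"}},
]})


def find_canary_hits(cloudtrail_json, canary_keys):
    """Return one alert dict per CloudTrail record signed with a canary key.
    A canary has no legitimate user, so any call counts, even one AWS
    rejected (errorCode present): the attempt itself is the signal."""
    hits = []
    for rec in json.loads(cloudtrail_json).get("Records", []):
        key = rec.get("userIdentity", {}).get("accessKeyId")
        if key not in canary_keys:
            continue
        hits.append({
            "planted_in": canary_keys[key],  # tells responders which asset was reached
            "action": f"{rec.get('eventSource')}:{rec.get('eventName')}",
            "source_ip": rec.get("sourceIPAddress"),
            "user_agent": rec.get("userAgent"),
            "time": rec.get("eventTime"),
            "denied": "errorCode" in rec,
        })
    return hits


def format_alert(hit):
    """Render a hit as the one-line message a mailer or chat webhook would send."""
    status = "denied" if hit["denied"] else "succeeded"
    return (f"CANARY TRIGGERED [{hit['planted_in']}] {hit['action']} {status} "
            f"from {hit['source_ip']} ({hit['user_agent']}) at {hit['time']}")
```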
In the future, as adoption grows, GitGuardian will consider integrating ggcanary with GitGuardian Internal Monitoring, its end-to-end automated secrets detection and remediation platform. This will let users safelist their canary tokens so that the platform's secrets detection skips them and raises no alerts when it encounters them.
To learn more about the GitGuardian Canary Tokens project, ggcanary, please visit the official GitHub repository.
GitGuardian, founded in 2017 by Jérémy Thomas and Eric Fourrier, has rapidly emerged as the leader in automated secrets detection and is now focused on providing a comprehensive code security platform. The company has raised a $56M total investment to date from Eurazeo, Sapphire, Balderton, and notable tech entrepreneurs like Scott Chacon, co-founder of GitHub, and Solomon Hykes, co-founder of Docker.
GitGuardian helps organizations detect and fix vulnerabilities in source code at every step of the software development lifecycle. With GitGuardian’s policy engine, security teams can monitor and enforce rules across all their VCS, DevOps tools, and infrastructure-as-code configurations.
GitGuardian Internal Monitoring is an automated secrets detection and remediation platform. By reducing the risks of secrets exposure across the SDLC, GitGuardian helps software-driven organizations strengthen their overall security posture and comply with application security frameworks and standards. Its detection engine is trained against more than a billion public GitHub commits every year, and it covers 350+ types of secrets such as API keys, database connection strings, private keys, certificates, and more. The platform brings security and development teams together with automated remediation playbooks and collaboration features to resolve incidents fast and in full. By pulling developers closer to the remediation process, organizations can achieve shorter fix times.