The Poconos mountain region is most famous for its skiing and snowboarding. Located west of the hustle and bustle of New York City and north of Philadelphia, the Poconos are a quick drive from the hectic city life to some very peaceful rolling hills, natural beauty, and tourist attractions. While those are great reasons to visit, for a couple of hundred tech enthusiasts, those were all secondary to gathering in early November. They got together to share best practices and discuss how to build and scale applications securely as they got together for TechBash 2023.
One thing that sets TechBash apart is the family-friendly focus. Taking place at Poconos Kalahari Resort, home to one of the largest indoor waterparks in the US, attendees are encouraged to bring their families. The event's final day even had a family-friendly session track, which featured a live reptile encounter this year.
It would be impossible to share all the learnings and interesting discussions from the four days of the conference, but here are a few of the highlights.
GitHub Actions Tips and Tricks
The first day of TechBash offered multiple workshops. Among these sessions was "CI/CD with GitHub Actions," from Chris Ayers, Senior Customer Engineer at Microsoft. While it would be hard to jam all the lessons he taught into even a single blog post, there were a few key takeaways that stood out.
GitHub Actions is the continuous integration and continuous delivery, CI/CD, platform built into GitHub. You can build, test, and deploy your code all from the same place you likely already store it. It can also be leveraged for pull requests, allowing you to do all manner of testing and automation. Chris covered all the basics of setting up your own actions and showed off using GitHub's own training platform, GitHub Skills, which can take you from novice to experienced user very quickly.
One of the issues with testing your GitHub Actions automation is that it can be time-consuming. For any test, you need to trigger an action and wait for it to run. To solve this waiting game, he introduced Nektos Act, a free open source tool to test GitHub Actions locally using Docker. Chris said testing small changes locally saves him a lot of time when configuring a new action. Of course, we love GitHub Actions here at GitGuardian as well. It is straightforward to add ggshield scanning to GitHub Actions, allowing you to do a scan at every pull request to find hardcoded credentials.
Hands-on with Azure Key Vault
In his session "Using Azure Key Vault to Protect Your Application Secrets," Community Evangelist Joseph Guadagno, walked us through why we would want to use a vault, some key concepts, and shared some pro tips.
Azure Key Vault is the secure key management system built into Azure. In short, this tool lets you keep your secrets secret, which is a very good idea. With Key Vault, you can:
- Centralize application secrets
- Securely store secrets and keys
- Monitor access and use
- Simplify the administration of app secrets
There are three main object types in Key Vault. Understanding them demystifies the product a bit:
1. Keys - These are used to lock and unlock the secrets you will store in the vault. They can be used with hardware or certificate-based encryption methods.
2. Secrets - These are the text-based tokens, passwords, API keys, and other credentials you want to keep secret and out of your code.
3. Certificates - These are the signatures used for signing the keys. These ensure the keys are legitimate and should be allowed to access a secret.
You can interact with Keys, Certificates, and Secrets in Key Vault in a number of ways. He walked us through the Azure dashboard to create a new vault and populate it through a GUI interface. More interestingly, he used the Azure `az` CLI to accomplish the same tasks much faster. He said the real advantage here was you could automate processes with your own scripts leveraging `az`.
If automation is your goal though, then PowerShell might be a good approach. There is an Azure PowerShell plugin, a set of cmdlets for managing Azure resources directly, that can speed up your automation process.
His final tip was the "Secrets" menu inside the KeyVault dashboard. This is not to be confused with that other famous secret menu. From this interface, Azure can automatically create and suggest the needed code snippets for each known secret in the coding language of your choice. Shifting left has never been easier.
Want to get started with Azure Key Vault right now? Check out our tutorial: How to Handle Secrets with Azure Key Vault.
Balancing strategy and tactics
In his comic-book-themed presentation, "The Automation Firehose: Be Strategic and Tactical from" Red Green Refactor's founder, Thomas Haver walked us through the perils of automating from the developer's viewpoint. He said we need both strategy and tactics to succeed, especially in a world with too many OSes, service packs, and potential coding languages to list here.
Instead of focusing on testing everything, we need to focus on risk-based testing and persona testing. We should start by identifying the most significant threats to our revenue and organizations. Then, we should shift our focus to risks potentially impacting our most important customers. Only then can we ask the questions, "Should we automate?" and "If so, what do you automate?"
He said it is common to charge into a new project thinking, "I'm going to automate all the tests." He calls this the "automation firehose," and it is a challenge that stops a lot of teams. This approach of testing everything results in long-running tests that hinder delivery. It also produces tests that fail when trying to validate everything in one single test. He said he had seen 300+ step scripts in his lifetime, which all worked until they didn't, which is when they stopped being used and never got fixed.
A lot of the talk was around building up team processes. If someone has a good testing plan and never shares it, then no one will run that plan; communication is an essential part of any good testing plan. Your processes should be so well defined they become good habits. He ended with a quote from the legendary Martin Fowler on that subject: "I'm not a great programmer; I'm just a programmer with great habits."
Addressing phishing with passkeys
Phishing is a major problem affecting almost every company. It seems only to be getting worse, especially now in the era of smishing and vishing. In her talk, "The best secrets are the ones we keep to ourselves," Linda Ikechukwu, Developer Advocate at smallstep, shared that 90% of data breaches start with a phishing attack that steals users' credentials. Confirming what we saw in the Uber attack last year, she warned that multi-factor authentication can also be vulnerable to phishing.
Most of the conversations around stopping phishing attacks have centered on user training. While there are some excellent training tools out there for this, like the WithGoogle Phishing Quiz, training does not seem to be solving the issue. Linda believes that it's time to rethink how we do authentication.
According to her research, the future of phishing-resistant authentication is technologies that do not share or transmit sensitive credentials over the Internet. One approach already commonly used by developers is asymmetric cryptography. This is the basis for Public Key Cryptography, which involves a private key that is never shared and a public key used to verify the private key. While this has been common practice for developers for years to create SSH connections, it has only recently translated to the end users as a practical way to replace password use.
There are already a number of standards and approaches to accomplish this, including one from the Internet authority organization, W3C, called Webauthn. There is also the implementation standard FIDO2, from the FIDO Alliance. Both of these open specifications map out how to build passkey-based systems. She shared a fully working public demo that shows the approach in action, located at passkeys.io.
Webauthn relies on a central authority to manage certificates that are uniquely generated for the session. In this workflow, a user tries to log in and is met with an authorization challenge. The challenge is then sent to an Authenticator, where an authentication method like OpenID Connect or a hardware token is used to verify you are really you. The Authenticator issues a new key pair, storing the private key and signing the challenge in a way that can be easily verified. Once the challenge is answered and verified, the user is logged in. All this is done without ever entering a password.
There are some hurdles left to clear before we see broader adoption, though. While most modern browsers already support this approach, it is not yet universal. It is also still an emerging technology, meaning a lot of education will be needed to get developers to implement it widely. The account recovery path has not been formalized in the standards just yet and is yet another concern that needs to be addressed.
The good news is that there are already a lot of companies who have adopted this approach, with some writing articles about the journey. Linda also encouraged us to check with our SSO providers to ask about their available tools and suggestions for implementing passkeys to eliminate passwords.
Leveling up our skills and maturity as a community
GitGuardian was well represented as your author gave three talks throughout the event, all with one common theme: improving your code security practices. In each session, I was able to touch on the GitGuardian Secrets Maturity Model, which many teams are using as a roadmap to level up their code security around credentials. I also got to talk about the amazing tools OWASP makes available, such as their Security Champions Guidebook.
TechBash brought together developers from all backgrounds, focusing on a wide array of subjects. The one thing that united everyone there was the desire to improve. Each session, no matter how high level or technically deep, encouraged attendees to keep learning as technology advances, now driven ever faster by AI and LLMs. While many attendees did bring their own families, by the end, it really felt like we at TechBash had become a family connected by our love of tech and learning. If you are hoping to get in on this unique experience next year, they have already announced TechBash dates for September 2024.