I moved to application security from software development and we’re (including myself) all guilty of storing passwords, secrets, credentials in source control. Storing sensitive data in source control exposes it to everyone in your team, including contractors and temp developers. In addition, sometimes we make our repositories public and forget (we’re all humans at the end of the day) about the credentials we store in code, hence exposing our credentials to everyone.

Attackers search GitHub for tokens & sensitive information, and it’s one of the most common ways of stealing credentials.

Some teams use .gitignore to exclude credentials; however, this creates new challenges such as distributing all keys among team members, etc.

We have been storing credentials in our source code not because we don’t know any better, but because there hasn’t really been a good service for us to use.

I know the first concern you have is: why on earth do I trust you with my most sensitive information? We use public/private key encryption, hence we don’t even know what you store in your vault. It’s encrypted with your public key, and only you (as the private key owner) can decrypt it. This is similar to how password managers, such as 1Password and LastPass, work.

There’re other vaults available, but in order to use them, you still need to be familiar with security concepts, and they’re too complicated. Some of them won’t even let you use them unless you engage with their stupid sales team. Seriously?

I’ve been working on building Vault as a Service for the past 2 years, and below are some of the features we already have:

Easy to use, simple UI
We wanted to build something that’s beautiful and super easy to use, hence our service comes with a simple, beautiful user interface. Security doesn't mean the UI is supposed to be ugly!

No sales team
You don’t (ever) need to talk to our sales team. We actually don’t have one. It’s free for all open-source projects.

Key Rotation
Easy to change keys without ever making any changes in your source code, or deploying anything.

Auto Key Expiration
Sometimes we want keys that will be available for a short amount of time. Or if there’s a key that’s not being used by any application for over X amount of time, we can automatically invalidate it. Attackers look for legacy systems initially, because these are the systems no one cares about. So if there’s a legacy application that’s no longer in use, we can automatically disable the keys for it.

Key Generation
Generating a secure key is not a trivial task. Our vault handles this for you, by simply asking “give me a secure key”.

Detailed Audit Logs

Remote Access ACL
You can make your vault accessible by only certain IP addresses, which increases security. Even if someone steals your master key, they won’t be able to access your vault.

Encryption as a Service
Encrypting data is also not trivial: what key size to use? AES or RSA? Just ask your vault to encrypt your data securely, using industry standards! That easy.

Namespaces / Multi Projects
Create/Manage vaults per project, namespace or application. Use different keys for your development, staging and production environments.

Would you be interested in using it in your project? If so, please comment below and I’ll get in touch. Thank you!
Submitted October 29, 2019 at 03:59PM by redditchapter709
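The post's trust argument rests on one property: the hosted service stores only ciphertext encrypted to the user's public key, so a compromise of the service's database yields nothing usable without the owner's private key. The example below, added here and not code from the post or from the service it describes, shows how that client-side model is typically built with Go's standard library: a fresh AES-256-GCM data key encrypts the secret, and that data key is wrapped with the owner's RSA-OAEP public key. The VaultRecord layout and the function names are assumptions for illustration; the service's real storage format is not on the page.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// VaultRecord is everything the hosted service would hold for one secret.
// Hypothetical layout: it contains ciphertext and a wrapped key, never plaintext.
type VaultRecord struct {
	WrappedKey []byte // AES data key encrypted with the owner's RSA public key (OAEP, SHA-256)
	Nonce      []byte // AES-GCM nonce, unique per record
	Ciphertext []byte // secret encrypted with the AES data key (includes the GCM tag)
}

// Seal runs on the client. It generates a random AES-256 data key, encrypts the
// secret with AES-GCM, and wraps the data key with the owner's public key, so
// the service receives neither the secret nor the key that protects it.
func Seal(pub *rsa.PublicKey, secret []byte) (*VaultRecord, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, secret, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, nil)
	if err != nil {
		return nil, err
	}
	return &VaultRecord{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open runs on the client too. Only the holder of the matching private key can
// unwrap the data key; a wrong key or a tampered record fails authentication.
func Open(priv *rsa.PrivateKey, rec *VaultRecord) ([]byte, error) {
	dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, rec.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("unwrap failed: wrong private key or tampered record")
	}
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, rec.Nonce, rec.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("decrypt failed: ciphertext or nonce was modified")
	}
	return pt, nil
}

// Leaks reports whether the plaintext appears anywhere in the stored record,
// i.e. what an attacker who dumped the service's database would see.
func Leaks(rec *VaultRecord, secret []byte) bool {
	return bytes.Contains(rec.Ciphertext, secret) || bytes.Contains(rec.WrappedKey, secret)
}

func main() {
	// The owner's key pair is generated and kept client-side; the service only ever sees pub.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	secret := []byte("constructed-example-api-key-not-real") // constructed sample value
	rec, err := Seal(&priv.PublicKey, secret)
	if err != nil {
		panic(err)
	}
	got, err := Open(priv, rec)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored record leaks plaintext: %v\nround trip ok: %v\n", Leaks(rec, secret), bytes.Equal(got, secret))
}
```

The design choice worth noting is the hybrid scheme: RSA-OAEP wraps only a 32-byte key, so secrets of any length can be stored, and AES-GCM authenticates the ciphertext, so a record altered in the service's storage is rejected rather than silently decrypted to garbage. Key rotation in this model means re-wrapping the data key under a new public key; the secret itself is never re-transmitted in the clear.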