CodeSecDays 2024 - Join GitGuardian for a full-day exploration of cutting-edge DevSecOps solutions!

Save my spot!

CodeSecDays 2024 - Join GitGuardian for a full-day exploration of cutting-edge DevSecOps solutions!

Save my spot!

WrongSecrets demo - How not to store secrets with the project founder Jeroen Willemsen

Managing secrets can be difficult especially at scale.

In this video GitGuardian developer advocate, Mackenzie, chats with the maintainer and founder of OWASP WrongSecrets Jeroen Willemsen. The project is a fun gamified way to teach developers some of the worst practices when it comes to managing secrets and of course why those practices are bad. Jeroen also gives us a demo of the project to help you get started on the first few challenges.

Links

WrongSecrets project: https://github.com/commjoen/wrongsecrets

Heroku App: https://wrongsecrets.herokuapp.com/

Video Transcript

hello and uh welcome everyone to this video so i'm really excited that i'm here today with uh yurong villasmin so we've just spent uh a minute trying to get the pronunciation of the name right so hopefully hopefully i'm gonna turn to up but uh you don't think that the principal security architect uh exeiba uh but he's also a very active member and also volunteer in the owasp community and that's why i'm really excited to have him here because we're going to talk about a little project called wrong secret so welcome euron and uh maybe you can tell us a little bit about the the project uh wrong secrets of course well thank you very much and happy to be on the show mackenzie so um project wrong secrets is actually a funny little uh application which tries to provide different ways on how to not store secrets and that offer challenges to the user of the app and hopefully those challenges will help the user to reflect upon hey are we doing this right there on our own apps or are we making the same mistakes as this challenge yeah yeah i think it's a really cool way to do it because it's it's fun uh you know and it's not too complex but there's definitely some moments as you go through the challenges they're like ah maybe i just might check my project and make sure we've we've handled these correctly but it's not a it's not a very in-your-face way of doing it so i i really enjoyed going through those those challenges myself why why why was it that you decided to create this uh this project specifically so the history is a bit odd um i used to give talks for all day devops and at some point i was like okay what's the topic i would like to talk about what's topic that you really get more attention because that's basically what mark miller asked like okay what is there something you want to talk about with us and then i figured okay secrets management actually reflects in a very nice way how mature the security organization is because all the stuff you're doing basically gets reflected upon your secrets management the way you protect stuff the iem all the stuff around it so that's how the app started together with a huge actually one of the challenges packed in the app is actually well uh something that uh came from my conscience because as a young engineer i once was asked where do i put the private key of this and i was like okay then i advise my calling maybe you should put it in a darker container because otherwise it's hard-coded and ever since then i felt like okay that was the worst advice ever and luckily we corrected that over time um but ever since then i felt like okay yeah you could call yourself a security dude or whatever but as long as i'm saying this kind of thing so that's basically me um dealing with my past a bit and now you can enjoy that as well at some point we decided and we meet ben the han and i decided to create this to update this towards an almost project instead of a silly little app for some talks because we figured okay there's actually value in this and now we have to bring it to the masses and that's where lots of people stepped up to make this the beautiful little web app it is today just within just three months of time based on volunteer work yeah that's really cool i like what you say that uh your sequence management reflects how mature you are in your security uh within your organization your application i think this is so true and i think what people also don't realize is that managing secrets correctly is really difficult particularly at scale in an organization making sure that everyone is storing them correctly and it it can take such an innocent mistake that can be overlooked and the way that git works with the history and you may have a great code review process set up but if someone's been working on their own branch they've committed a secret removed it merged it then the review is probably not going to see it all these things so it's it's actually it's actually a really difficult uh problem and what i like about the project from secret is that we can actually unpack some of those difficulties starting quite basic and then getting more uh advanced because it makes you kind of actually realize that oh it's not just as easy as easy as putting them in a dot env file and adding a dot get ignore and jobs done there's more complexity to it definitely so yeah and and you mentioned another way is it just been the two of you working on this project so far or has we have have we kind of got some more traction from the community and and what's the future looking for this so when i started out the project for auto all the devops as in just a little sample project from our presentation already got help from nana bayer and uh benahan back then and once we started to really revive this project they helped tremendously again so they're really large bidders for this project and uh yeah really appreciated uh their work and then when we started to ask for help uh more people stepped up so we got three testers right now we're a bunch of other people that actually helped out with um uh showing what might be improved in an easy way um and other people like dimitri and philip also joined to contribute and currently there's about two or three other developers stepping up and that will file their pr soon i've seen some preliminary work which looks really promising so there's way more cool challenges ahead of us that will be implemented soon um and that's beautiful so yeah the community is growing already although we're just in month four of being an active ovus project um and that makes me really hopeful for the future of this project yeah for sure and has this been one of the first projects you've worked uh you know with oauth spin or has been a loving relationship for a while so i've been with almost for a while uh on and off to be honest uh before this i did a lot of work for well a lot i did some work for the mobile security testing guide the mobile application security verification standard uh with bernoullier svenslier and uh carlos olduguera and that was very nice because then we set up a lot of different things and of course just talk to many other project leads then which was really helpful for this project because all the best practices that we learned throughout these other projects and collaborating with other teams well if you know what to do it's fairly easy to set it up again um just you know it's not it's not literally copy pasting but just making sure you get the bare minimum working and just move ahead so that made it this easy to uh to get the project working yeah for sure i was it remains at it's been the gold standard for security guidelines for a long time and i think i don't think it's go it's going to lose its crown anytime soon for that although there are great resources coming out uh everywhere at the moment but um what i thought is that we've talked about it for a little bit it would be possible that we can have a little bit of a demo and see exactly what wrong secrets uh looks like when you're working through some of the challenges maybe okay sure all right so um here's my desktop and this is the heroku demo at uh wrong secret southerop.com um and this is basically where you uh where you land and there's a bunch of things telling about secrets and stuff so you get a bit of a context then there's a few challenges so there's docker-based challenges then there's challenges for which you need kubernetes or mini cube uh with kubernetes on top um there's challenges where you need cloud providers and if you run this same app according to the instructions of git what you'll find at github which is over here then you'll notice uh various instructions on okay how to run this on uber need this how to run this on um on aws how to read this on gcp how to run this on azure um so that's uh stuff being worked on um uh well let's just start with a few challenges i'd say so the first challenge is for instance um a docker-based challenge where um which actually which is good to know by the way that all the challenges currently implemented are challenges we actually saw during pen tests during code reviews during our normal security duties and most of the challenges that are set out as issues to be fixed later or to be created or ideas for future challenges are all based on real world scenarios so stuff we actually saw happening so it's not like what a dumb app how would you be so silly to do this though this has happened and therefore it's now a challenge um that's great i love that and like i said i'm one of the you know type of people that years ago actually was a re became a reason for challenge number four for instance so in that sense it's not really that um that's strange um we all learn a lot basically um so the first one is when people write a proof of concept uh then you often start having a hardcoded password in the code um and that may sound silly but you know if you have to authenticate towards an api where do i put the password for our first prototype well maybe in code because then i can test it you know otherwise i have no clue so then um the question is of course can you uh spot the the secret when we're looking in the code what about the container so we already see links to java and docker so if we click on java for instance then we go to our git repository now of course we can click through source and we can be very silly by just looking for password i mean what can seriously go wrong right um in this repository and then see a bunch of passwords everywhere but if it's really that hard coded hard coded then we pretty much should be looking for something that says uh that has some value to it so one way is going over this and going over the various results but we'll cheat a bit because i know what we're looking for so if you go to the source code to the java source code then you'll see a folder called challenges and over there we have for instance the docker folder with challenges and they're in challenge one we see that there's a reference towards uh something called constant stop password so what we have to find right now is that constants class to you know solve the problem so if we now go to um let's see to source main and i guess we'll have to find a constant and that should be somewhere over here as well ah there it is constants um then we see um two different things here so this is password so hey maybe this is the one right and as you can tell i did all my web so what you could actually do is try the first challenges on your mobile phone you don't necessarily need a computer it's just thinking clearly about what's happening and then try to solve it so now we go back over here just to show that this is actually working uh is this working if i submit it it says ah that's not right so okay apparently it actually needs an answer now if you submit it then we get well as you can tell this was indeed the right answer we get points for it um and um the idea is if you solve all challenges on a cloud environment you can get the full bar uh and we can weight the the score points per challenge in the future and very next to it is if you're still having trouble understanding what you have to do there's a hint page which you can follow and otherwise you could also take the docker container extract the jar file use something like gdgui or ajaxgui to just go over the files and then you'll find the class file with the password inside and you can just copy paste that and now of course you might ask yourself okay i found it why is this a problem i mean i just solved the challenge i'm getting points this is awesome that's why we have the what's wrong button which explains why this was a bad idea because obviously by now most of the listeners will realize that viewers will realize that hey if i can get that password that way everybody can right um so that's the way how to uh to solve that so that's one challenge um another nice challenge let's see that's number for instance challenge number three is um uh well you could also have for instance package something in your docker file like a password remember me the the private key well maybe there's a password inside so um an inf uh as well in docker containers to set the password um yeah you could easily spot the fact that these type of things are used if you run duckl on top of your docker contain docker container creation definition so you know what's going on but for those who want to do it a little bit more capture deflect type of style the link towards darker should be an explicit hint to you like hey maybe you should take a look over there and then in docker hub at the tax so for instance the latest it doesn't really matter which one you take because we built the container similar way do you see the steps taken to create the container and one of the things we do at some point is and docker and password well that is mildly strange isn't it maybe this is it you know literally this is it that's why we called it this is it apparently um and now let's try again let's submit that and again correct so another challenge solved basically and that way you can solve multiple challenges over time and find your way through i love i love this here we we recently did some uh scanning on docker hub to find you know what percentage of docker images contain secrets we found about seven percent contained secrets and we also found some really uh strange examples where you know they you've added in the you know your package manager password into the docker file and then later on they've removed it not realizing that the password in the layered earlier steps earlier is still exposed in there so you know because you can see how people think about this well oh i don't want that password in my docker image you know so i'll remove it in their docker file not realizing that actually all the steps you've taken are still there so this is a great a great example of showing exactly that in real life i love it [Music] so uh examples that will be upcoming not in the near future because we first have to work on some other stuff if you know what we promise and then we'll get back to this is for instance the bash history inside containers um we already have something like file inclusion i think that's i thought it was challenge number 12 is that we well we copied in the file which actually contains the password so although it's not in the layer directly uh visible the copy operation should tell already that stuff's in there that might not should be there uh you'll have similar problems of course when you say create docker file create docker container from this directory and then everything gets mounted in from that directory and then often we also see other secrets ending up over there so there's a lot of funny things that can go wrong with docker containers unfortunately or fortunately because it's fun frozen and stuff like that it depends on who you are i think i think there's been some stressful moments uh credit and you know and docker like kubernetes is one of these tools that uh not every you know there they can be a bit of a black box for the organizations not everyone in the organizations understands how how they work so they're actually quite easy to find these mistakes in in the real life because you know it's not as widely used as at all like git for example where people kind of fundamentally understand how it works doctor can kind of seem mystical at times we actually see the same thing it did unfortunately where people unfortunately still forget the fact that uh if you remove something in the next commit it doesn't mean that your previous commit got rewinded it just means you again layered stuff and that layering of things like you said earlier is is complicated um definitely and that's example one is such a great that challenge one is such a great example of that because when we're moving stuff we want to test out stuff we hard code credentials with the intention of setting them up as environment variables later but just to get things going you know and then you remove them you commit over it and then buried in your commit when you're finally ready to do a pull request you know merge to the master branch deep deep 100 commits back you have the first things that you did which was hard coding some secrets it's very difficult for a person to find them but an attacker an adversary that knows what they're looking for is going to be able to pull them out really quickly so exactly yeah yeah this is such a real project for me i i i was chuckling to myself the whole time when i was going through the challenges because about half of them i've done thank you thank you so much i really appreciate that i really appreciate that so um uh um yeah um uh of course i think this is also a great moment to shout out that if if you like the project and if you like to contribute let us know just get in touch with us um because it's like we said it's all uh volunteer based there's no um there's no backing or anything other than always generously helping us out with some cloud credits from every now and then so we can you know test our aws setup or gcp or azure setup but other than that it's just volunteers so any volunteers added to the army would be great yeah absolutely and how can people kind of reach out to you or reach out to the project is through github the best way or is you'll find a bunch of links over there at our uh at the beginning of the github repository we have ways so you can get into touch with us and that's the easiest way to get stuff going basically perfect that's so great now i do want to add just one final little disclaimer in here is that uh in wrong secrets there are links to tools that will help you find these but just in case you're a get guardian user and you wanted to cheat a little bit i do like to know that get guardian won't detect any of these secrets because it flags them as false positives so i just want to point that out in case anyone tries to scan the entire repository with get guardian wonders why the secrets aren't coming up it's just because we've been flagged as false positives but there are other tools that are mentioned in the project that you can use so that's just my my final disclaimer there there is a good thing to note that some of those tools had some of the iterations that docker contains because some secrets are generated every time again when we built a docker container and your cloud secrets for the cloud provider exercises are also generated dynamically every time you set up your cloud environment you get different secrets which is fun if you want to repeat the exercise we really know what you're doing and instead of you know playing around with stuff without being sure what's happening um but what it's good to notice is that sometimes these policies sometimes these uh tools that no longer detect it because for instance something we generated in the cloud environment for instance for challenge number nine has no longer enough entropy to be detected by the tool which makes the whole discussion about when is something a false positive a difficult one because um many tools and not just git guardian but many tools might have trouble detecting a password which is a simple sentence that by itself doesn't look to have a lot of entropy but was cleverly built by a developer that felt like hey that's easy for me to remember like you know with the password xkcd remember where we say okay battery staples whatever if we do something similar for our own passwords for apis or for the apis we consume that all of a sudden have the tools that is what we saw do no longer detect these passwords that's also why some of these passwords inner challenges are small sentences like this is it or something else which you'll find out once you open wrong secrets which are just not detected yeah it's definitely an interesting challenge especially when you're putting in your english words in there because you know when you're taking an api key is challenging in different ways but you know you're not expecting english words in there and if they are they're usually kind of prefix characters but when it comes to passwords then while the game changes and it's very complex and you have to you this is constant way up of do you want uh high recoil and low precision or do you want a high recoil and while you want high recoil high precision but how do you get that with these passwords so it's an interesting uh it's an interesting challenge you know and i think this project brings to light and will generate i think what's so great about this project it's going to generate discussion in lots of different areas amongst us how to store secrets properly uh how to be able to detect them how what is a strong password all of these kind of challenges this kind of brings up and creates conversations which makes it a powerful tool in the developer community in my opinion thank you well i'm so glad that you're able to spend some time and walk through this and uh i just thank you for for throwing through us please check out the project uh wrong secrets and let us know um let us know on twitter on github how you're going with the challenges it's going to be awesome and it's be great to be part of that discussion as well our long secrets if you have comments about it uh to try and bring more awareness to them so thanks euron and i appreciate your time again alright thank you so much for having me here i enjoyed it a lot thank you so much mackenzie