Amazon is updating its automated code review and profiler platform, CodeGuru, to detect confidential secrets in source code with a feature called Secrets Detector.
CodeGuru scans source code for defects and bugs using machine learning and suggests improvements that help developers remove potential vulnerabilities and follow security best practices.
One such best practice is to avoid hard-coding anything into the source that could reveal secret information about the system, such as passwords, application programming interface (API) keys, encryption keys and other credentials. These items are often added to code out of convenience, without regard for the danger of their being committed to a code repository.
Once committed, these secrets are available to everyone with access to the repository, which is not ideal for any sort of secret. It increases the chances that they are revealed to outside parties or leaked to the public, and it becomes an even bigger problem if the code is later published to a public open-source repository where anyone can read it. A committed secret also remains in the repository's history even after it is deleted from the current version of the file, so a leaked credential has to be rotated, not merely removed.
For example, ride-hailing company Uber disclosed in 2017 that a 2016 breach had exposed the personal information of 57 million riders and drivers. It happened because an employee had committed Amazon Web Services credentials to a GitHub repository; once the attackers had gained access to the repository and found those credentials, that one set of keys in the code gave them access to the entire trove of data.
With the Secrets Detector feature, CodeGuru uses machine learning to detect secrets during the code review process, before the code is merged or deployed, so that developers are warned when a hard-coded password or key is present. Once a secret is detected, the tool suggests steps for securing it, such as moving it to AWS Secrets Manager, a service for storing, rotating, managing and retrieving credentials and other secrets.
The detector can scan source code, configuration files and documentation for potential secrets, including passwords, API keys, SSH keys and access tokens. The new functionality is available at no additional cost and recognizes credential formats for multiple providers and services, including AWS, Atlassian, Datadog, Databricks, GitHub, Hubspot, Mailchimp, Salesforce, SendGrid, Shopify, Slack, Stripe and many more.
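To make concrete what a scan of source, configuration and documentation for hard-coded credentials looks like, here is a small scanner written for this article. It is an added example, not CodeGuru's implementation or any code from AWS: it combines provider-specific patterns (an AWS access key ID prefix, a private-key block, Slack, GitHub and Stripe token shapes) with a generic "secret-looking assignment" rule gated by a Shannon entropy check, so that placeholders such as `changeme` or values read from the environment are not reported. The regexes, the 3.5 bits-per-character threshold and the sample files are all assumptions chosen for the example; the AWS key values are the public example credentials from AWS documentation.

```python
"""Minimal hard-coded secret scanner (added example; not CodeGuru's code).

Rules, thresholds and sample input below are assumptions for illustration.
"""
from __future__ import annotations

import math
import re
from dataclasses import dataclass

# Provider-specific formats. The prefixes are public; the regexes are this
# example's approximations, not the detector's real rule set.
SPECIFIC_RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "github-token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "slack-token": re.compile(r"\bxox[abprs]-[A-Za-z0-9-]{10,}\b"),
    "stripe-secret-key": re.compile(r"\bsk_(?:live|test)_[A-Za-z0-9]{24,}\b"),
}

# Generic "<secret-ish name> = <value>" assignment; combined with an entropy
# check so that low-entropy placeholders are not reported.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)(?:password|passwd|pwd|secret|token|api[_-]?key)\w*\s*[:=]\s*['\"]?([^'\"\s]{8,})"
)
PLACEHOLDERS = {"changeme", "password", "<redacted>", "xxxxxxxx"}
ENTROPY_THRESHOLD = 3.5  # bits per character (assumed threshold)


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    redacted: str  # only a short prefix is kept so the report does not leak


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's empirical character distribution."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_like_placeholder(value: str) -> bool:
    """True for template markers and runtime lookups, which are not secrets."""
    v = value.strip("'\"")
    return v.lower() in PLACEHOLDERS or v.startswith(("${", "{{", "<", "os.environ"))


def redact(value: str) -> str:
    return value[:4] + "*" * max(0, min(8, len(value) - 4))


def scan_text(path: str, text: str) -> list[Finding]:
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        matched = False
        for rule, pattern in SPECIFIC_RULES.items():
            m = pattern.search(line)
            if m:
                findings.append(Finding(path, line_no, rule, redact(m.group(0))))
                matched = True
        if matched:
            continue  # a specific rule already explains this line
        m = GENERIC_ASSIGNMENT.search(line)
        if m:
            value = m.group(1)
            if not looks_like_placeholder(value) and shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append(Finding(path, line_no, "high-entropy-credential", redact(value)))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    out: list[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample input: a source file, a config file and a doc page.
# The AWS values are the public example credentials from AWS documentation.
SAMPLE_FILES = {
    "app/settings.py": "\n".join([
        "DEBUG = False",
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'",
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'",
        "DB_PASSWORD = os.environ['DB_PASSWORD']",  # hardened form: looked up at runtime
    ]),
    "deploy/config.yaml": "\n".join([
        "timeout: 30",
        "admin_password: changeme",
        "slack_token: xoxb-000000000000-000000000000-ABCDEFGHIJKLMNOPQRSTUVWX",
    ]),
    "docs/README.md": "\n".join([
        "## Deploy key",
        "-----BEGIN OPENSSH PRIVATE KEY-----",
        "b3BlbnNzaC1rZXktdjEAAAAA...",
        "-----END OPENSSH PRIVATE KEY-----",
    ]),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: {f.rule} ({f.redacted})")
```

Run against the constructed files, the scanner reports the AWS access key ID, the high-entropy AWS secret key, the Slack token and the private-key block, while the `changeme` placeholder and the `os.environ[...]` lookup pass. That last line is the shape a fix takes: the secret is fetched at runtime (from Secrets Manager, a vault or the environment) instead of living in the file, so there is nothing for the scanner, or an attacker reading the repository, to find.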
Detecting secrets in code has become increasingly important as more companies look for ways to prevent large-scale breaches such as Uber's. According to IBM Security's 2020 Cost of a Data Breach report, a data breach costs companies an average of $3.9 million.
That has led to a rise in platforms providing management for infrastructure secrets. Examples include cybersecurity provider 1Password, which introduced its Secrets Automation service in April to help manage keys, tokens and other credentials, and Doppler Inc., which raised $6.5 million in March for its cloud-based secrets management platform.