@kevherro
Last active June 11, 2018 14:11
Proactive post-mortem for aws security incident

Trufflehog searches through git repositories for high entropy strings and secrets, digging deep into commit history

How it works: Trufflehog goes through the entire commit history of each branch and checks every diff from every commit for secrets, both by regex and by entropy. For the entropy checks, Trufflehog evaluates the Shannon entropy over both the base64 character set and the hexadecimal character set for every blob of text longer than 20 characters drawn from those character sets in each diff. If a high-entropy string of more than 20 characters is detected at any point, it is printed to the screen
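The entropy check described above, as an added Python illustration (not trufflehog's own code): runs of more than 20 base64 or hex characters are pulled out of each diff line and reported when their Shannon entropy exceeds a per-charset threshold. The thresholds (4.5 bits for base64, 3.0 bits for hex) and the sample diff are assumptions made for this example.

```python
import math
import re

# Name -> (regex for a run of >20 charset characters, charset, entropy threshold in bits).
# The thresholds are assumed for this illustration, not taken from the tool.
CHARSETS = {
    "base64": (r"[A-Za-z0-9+/=]{21,}",
               "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=", 4.5),
    "hex": (r"[0-9a-fA-F]{21,}", "0123456789abcdefABCDEF", 3.0),
}


def shannon_entropy(data: str, charset: str) -> float:
    """Shannon entropy of `data` in bits per character, counted over `charset`."""
    if not data:
        return 0.0
    entropy = 0.0
    for ch in charset:
        p = data.count(ch) / len(data)
        if p > 0:
            entropy -= p * math.log2(p)
    return entropy


def find_high_entropy_strings(diff_text: str):
    """For every run of more than 20 base64 or hex characters in the diff, compute its
    entropy and report it when above the charset's threshold.
    Returns a list of (line_number, charset_name, string, entropy rounded to 3 places)."""
    findings = []
    for line_no, line in enumerate(diff_text.splitlines(), start=1):
        for name, (pattern, charset, threshold) in CHARSETS.items():
            for run in re.findall(pattern, line):
                entropy = shannon_entropy(run, charset)
                if entropy > threshold:
                    findings.append((line_no, name, run, round(entropy, 3)))
    return findings


# Constructed sample diff: a secret-looking value, a commit hash (a classic
# false positive of the hex check) and an ordinary value that stays quiet.
SAMPLE_DIFF = """\
+aws_secret_access_key = Zx9Qm2Lp7Ak3Ts8Nv1Wb5Rc4Yd6Ef0Gh
+pinned_commit = 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b
+greeting = hello_world_this_is_plain_text_value
"""

if __name__ == "__main__":
    for line_no, name, run, entropy in find_high_entropy_strings(SAMPLE_DIFF):
        print(f"line {line_no}: {name} run with entropy {entropy:.2f} bits: {run}")
```

The commit hash on the second line is flagged by the hex check even though it is not a secret, which is the kind of noise a custom regex or allow-list has to absorb in a pipeline.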

+ Effective at finding secrets accidentally committed

+ Relatively easy to shove into a devops pipeline

+ Custom regexes can be added (things like s3 bucket detection)

+ Open source: we can contribute high signal regexes upstream that we think will benefit the community

- Searches the entire commit history of each branch. Ideally we want a tool to search for secrets before we initiate a PR so that if secrets do exist, they never make it to git

Could configure as part of a pre-commit git hook

GitHub Enterprise is the on-prem version of GitHub, which we can deploy and manage in our own, secure environment

+ Enterprise-grade security (exclusive to GitHub Enterprise). GitHub Enterprise operates on our infrastructure with our existing information security controls. Security features include:

  • User roles and access levels
  • Orgs and teams
  • Authentication
  • Encrypted communications
  • Audit and access logging
  • VM security
  • Application security
  • Security patching and notifications
  • External services and support access

+ We can host it on our AWS infrastructure

+ Pre-receive hooks

+ 45-day free trial available

+ Benefits of GitHub Enterprise go beyond security

- Cost: $2,500 per 10 users/year. Definitely an investment for the long-term

- Getting some features we don't really need now. Could stay lean with another approach

- Irrelevant for public repos

Making the transition to GitHub Enterprise NOW will save us time in the long-run. We would spend considerably less time and resources switching today, as a small team, than we would later, as a much larger team

Developing an on-prem product requires that we practice and preach enterprise-grade security in-house. GitHub Enterprise provides the enterprise-grade security that we need

git-secrets prevents you from committing sensitive information to a git repo

How it works: git-secrets scans commits, commit messages, and --no-ff merges to prevent adding secrets into your git repos. If a commit, commit message, or any commit in a --no-ff merge history matches one of your configured prohibited regular expression patterns, then the commit is rejected

+ Straightforward configuration

+ Verbose. When a secret is found, each matched line will be written with the name of the file that matched, a colon, the line number that matched, a colon, and then the line of text that matched

+ pre-commit, commit-msg, and prepare-commit-msg git hooks come out-of-box

+ Out-of-box support for AWS. Registers common AWS patterns in the git config and ensures that the keys present in ~/.aws/credentials are not found in any commit

- Must be sure to test our patterns using ad-hoc calls to git secrets --scan $filename to ensure they are working as intended. Still need to do our due diligence to ensure we do not commit secrets to a repo

- Hooks are not easily shared, as they are not part of the repository that other contributors copy. Each contributor will need to set this up on their own machines, which makes enforcement a more difficult problem

Seems like a good out-of-box solution that requires the least amount of work to set up
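The rejection logic described above, as an added Python illustration (not git-secrets itself, which is a shell script): a prohibited-pattern list seeded with an AWS access-key-ID rule and the literal keys from a credentials file is run over staged content, matches are printed in the file:line:text format, and a non-zero status is returned for a pre-commit hook to reject the commit. The AWS regex is an approximation of the rule the tool registers, and the credentials file and staged files are constructed samples.

```python
import re
from configparser import ConfigParser

# Approximation of the AWS access-key-ID rule git-secrets registers (assumed, not copied from the tool).
AWS_ACCESS_KEY_ID = r"(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}"


def prohibited_from_credentials(credentials_ini: str) -> list[str]:
    """Like git-secrets --register-aws: prohibit the literal keys found in a credentials file (INI text)."""
    parser = ConfigParser()
    parser.read_string(credentials_ini)
    patterns = []
    for section in parser.sections():
        for key in ("aws_access_key_id", "aws_secret_access_key"):
            value = parser.get(section, key, fallback=None)
            if value:
                patterns.append(re.escape(value))  # escape so the value matches literally
    return patterns


def scan_staged(files: dict[str, str], patterns: list[str]) -> list[tuple[str, int, str]]:
    """Return (filename, line_number, line) for every staged line matching a prohibited pattern."""
    compiled = [re.compile(p) for p in patterns]
    matches = []
    for filename, content in files.items():
        for line_no, line in enumerate(content.splitlines(), start=1):
            if any(rx.search(line) for rx in compiled):
                matches.append((filename, line_no, line))
    return matches


def pre_commit(files: dict[str, str], patterns: list[str]) -> int:
    """Hook entry point: print each match as file:line:text and return 1 to reject the commit."""
    matches = scan_staged(files, patterns)
    for filename, line_no, line in matches:
        print(f"{filename}:{line_no}:{line}")
    return 1 if matches else 0


# Constructed credentials file and staged files; none of these values are real keys.
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = AKIAEXAMPLEEXAMPLE01
aws_secret_access_key = exampleSecretValue/NotARealKey+0000000000
"""
SAMPLE_STAGED = {
    "config/settings.py": "REGION = 'us-east-1'\nSECRET = 'exampleSecretValue/NotARealKey+0000000000'\n",
    "scripts/deploy.sh": "export AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01\n",
}

if __name__ == "__main__":
    raise SystemExit(pre_commit(SAMPLE_STAGED, [AWS_ACCESS_KEY_ID] + prohibited_from_credentials(SAMPLE_CREDENTIALS)))
```

Note that the secret access key only matches because it was read from the credentials file; the generic regex alone catches just the access key ID, which is why registering the local credentials matters.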


Action Steps

Short Term: I propose we take advantage of the out-of-box benefits of git-secrets. The benefits of straightforward configuration, custom regexes, and direct AWS support are just what we need. Although the downsides of ad-hoc testing and enforcement may present some holes moving forward, git-secrets will put us in a better position overall.

git-secrets could be added to the recommended githooks section of all of our project repositories.

Long Term: I propose we move our private code over to GitHub Enterprise. The benefits of GitHub Enterprise are endless. Not to mention, it's a good look for a company that is pioneering the enterprise software space. This means it is essential to practice what we preach.

Furthermore, moving to GitHub Enterprise now, as a small company, would use less time and resources than moving later, as a large company.


Resources
