1+ < p > Secret leaks often occur when a sensitive piece of authentication data is stored with the source code of an application. Considering the source
2+ code is intended to be deployed across multiple assets, including source code repositories or application hosting servers, the secrets might get
3+ exposed to an unintended audience.</ p >
14< h2 > Why is this an issue?</ h2 >
2- < p > A hard-coded secret has been found in your code. You should quickly list where this secret is used, revoke it, and then change it in every system
3- that uses it.</ p >
4- < p > Passwords, secrets, and any type of credentials should only be used to authenticate a single entity (a person or a system).</ p >
5- < p > If you allow third parties to authenticate as another system or person, they can impersonate legitimate identities and undermine trust within the
6- organization.< br > It does not matter if the impersonation is malicious: In either case, it is a clear breach of trust in the system, as the systems
7- involved falsely assume that the authenticated entity is who it claims to be.< br > The consequences can be catastrophic.</ p >
8- < p > Keeping credentials in plain text in a code base is tantamount to sharing that password with anyone who has access to the source code and runtime
9- servers.< br > Thus, it is a breach of trust, as these individuals have the ability to impersonate others.</ p >
10- < p > Secret management services are the most efficient tools to store credentials and protect the identities associated with them.< br > Cloud providers
11- and on-premise services can be used for this purpose.</ p >
12- < p > If storing credentials in a secret data management service is not possible, follow these guidelines:</ p >
13- < ul >
14- < li > Do not store credentials in a file that an excessive number of people can access.
15- < ul >
16- < li > For example, not in code, not in a spreadsheet, not on a sticky note, and not on a shared drive. </ li >
17- </ ul > </ li >
18- < li > Use the production operating system to protect password access control.
19- < ul >
20- < li > For example, in a file whose permissions are restricted and protected with chmod and chown. </ li >
21- </ ul > </ li >
22- </ ul >
23- < h3 > Noncompliant code example</ h3 >
24- < pre >
5+ < p > In most cases, trust boundaries are violated when a secret is exposed in a source code repository or an uncontrolled deployment environment.
6+ Unintended people who don’t need to know the secret might get access to it. They might then be able to use it to gain unwanted access to associated
7+ services or resources.</ p >
8+ < p > The trust issue can be more or less severe depending on the people’s role and entitlement.</ p >
9+ < h3 > What is the potential impact?</ h3 >
10+ < p > The consequences vary greatly depending on the situation and the secret-exposed audience. Still, two main scenarios should be considered.</ p >
11+ < h4 > Financial loss</ h4 >
12+ < p > Financial losses can occur when a secret is used to access a paid third-party-provided service and is disclosed as part of the source code of
13+ client applications. Having the secret, each user of the application will be able to use it without limit to use the third party service to their own
14+ need, including in a way that was not expected.</ p >
15+ < p > This additional use of the secret will lead to added costs with the service provider.</ p >
16+ < p > Moreover, when rate or volume limiting is set up on the provider side, this additional use can prevent the regular operation of the affected
17+ application. This might result in a partial denial of service for all the application’s users.</ p >
18+ < h4 > Application’s security downgrade</ h4 >
19+ < p > A downgrade can happen when the disclosed secret is used to protect security-sensitive assets or features of the application. Depending on the
20+ affected asset or feature, the practical impact can range from a sensitive information leak to a complete takeover of the application, its hosting
21+ server or another linked component.</ p >
22+ < p > For example, an application that would disclose a secret used to sign user authentication tokens would be at risk of user identity impersonation.
23+ An attacker accessing the leaked secret could sign session tokens for arbitrary users and take over their privileges and entitlements.</ p >
24+ < h2 > How to fix it</ h2 >
25+ < p > < strong > Revoke the secret</ strong > </ p >
26+ < p > Revoke any leaked secrets and remove them from the application source code.</ p >
27+ < p > Before revoking the secret, ensure that no other applications or processes are using it. Other usages of the secret will also be impacted when the
28+ secret is revoked.</ p >
29+ < p > < strong > Analyze recent secret use</ strong > </ p >
30+ < p > When available, analyze authentication logs to identify any unintended or malicious use of the secret since its disclosure date. Doing this will
31+ allow determining if an attacker took advantage of the leaked secret and to what extent.</ p >
32+ < p > This operation should be part of a global incident response process.</ p >
33+ < p > < strong > Use a secret vault</ strong > </ p >
34+ < p > A secret vault should be used to generate and store the new secret. This will ensure the secret’s security and prevent any further unexpected
35+ disclosure.</ p >
36+ < p > Depending on the development platform and the leaked secret type, multiple solutions are currently available.</ p >
37+ < h3 > Code examples</ h3 >
38+ < p > The following code example is noncompliant because it uses a hardcoded secret value.</ p >
39+ < h4 > Noncompliant code example</ h4 >
40+ < pre data-diff-id ="1 " data-diff-type ="noncompliant ">
2541from requests_oauthlib.oauth2_session import OAuth2Session
2642
2743scope = ['https://www.api.example.com/auth/example.data']
@@ -34,73 +50,44 @@ <h3>Noncompliant code example</h3>
3450token = oauth.fetch_token(
3551 'https://api.example.com/o/oauth2/token',
3652 client_secret='example_Password') # Noncompliant
37-
38- data = oauth.get('https://www.api.example.com/oauth2/v1/exampledata')
3953</ pre >
40- < h3 > Compliant solution</ h3 >
41- < p > Using < a href ="https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/secretsmanager "> AWS Secrets Manager</ a > :</ p >
42- < pre >
43- import boto3
54+ < h4 > Compliant solution</ h4 >
55+ < pre data-diff-id ="1 " data-diff-type ="compliant ">
56+ from os import environ
4457from requests_oauthlib.oauth2_session import OAuth2Session
4558
46- def get_client_secret():
47-
48- session = boto3.session.Session()
49- client = session.client(service_name='secretsmanager', region_name='eu-west-1')
50-
51- return client.get_secret_value(SecretId='example_oauth_secret_id')
52-
53- client_secret = get_client_secret()
5459scope = ['https://www.api.example.com/auth/example.data']
5560
5661oauth = OAuth2Session(
5762 'example_client_id',
5863 redirect_uri='https://callback.example.com/uri',
5964 scope=scope)
6065
61- token = oauth.fetch_token(
62- 'https://api.example.com/o/oauth2/token',
63- client_secret=client_secret)
64-
65- data = oauth.get('https://www.api.example.com/oauth2/v1/exampledata')
66- </ pre >
67- < p > Using < a href ="https://docs.microsoft.com/en-us/azure/key-vault/secrets/quick-create-java?tabs=azure-cli "> Azure Key Vault Secret</ a > :</ p >
68- < pre >
69- from azure.keyvault.secrets import SecretClient
70- from azure.identity import DefaultAzureCredential
71-
72- def get_client_secret():
73- vault_uri = "https://example.vault.azure.net"
74- credential = DefaultAzureCredential()
75- client = SecretClient(vault_url=vault_uri, credential=credential)
76-
77- return client.get_secret('example_oauth_secret_name')
78-
79- client_secret = get_client_secret()
80- scope = ['https://www.api.example.com/auth/example.data']
81-
82- oauth = OAuth2Session(
83- 'example_client_id',
84- redirect_uri='https://callback.example.com/uri',
85- scope=scope)
66+ password = environ.get('OAUTH_SECRET')
8667
8768token = oauth.fetch_token(
8869 'https://api.example.com/o/oauth2/token',
89- client_secret=client_secret)
90-
91- data = oauth.get('https://www.api.example.com/oauth2/v1/exampledata')
70+ client_secret=password)
9271</ pre >
72+ < h3 > How does this work?</ h3 >
73+ < p > While the noncompliant code example contains a hard-coded password, the compliant solution retrieves the secret’s value from its environment. This
74+ allows to have an environment-dependent secret value and avoids storing the password in the source code itself.</ p >
75+ < p > Depending on the application and its underlying infrastructure, how the secret gets added to the environment might change.</ p >
9376< h2 > Resources</ h2 >
77+ < h3 > Documentation</ h3 >
78+ < ul >
79+ < li > AWS Documentation - < a href ="https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html "> What is AWS Secrets Manager</ a > </ li >
80+ < li > Azure Documentation - < a href ="https://learn.microsoft.com/en-us/azure/key-vault/ "> Azure Key Vault</ a > </ li >
81+ < li > Google Cloud - < a href ="https://cloud.google.com/secret-manager/docs "> Secret Manager documentation</ a > </ li >
82+ < li > HashiCorp Developer - < a href ="https://developer.hashicorp.com/vault/docs "> Vault Documentation</ a > </ li >
83+ </ ul >
84+ < h3 > Standards</ h3 >
9485< ul >
95- < li > < a href ="https://aws.amazon.com/fr/secrets-manager/ "> AWS</ a > - Secret Manager </ li >
96- < li > < a href ="https://azure.microsoft.com/fr-fr/services/key-vault/ "> Azure</ a > - Key Vault </ li >
97- < li > < a href ="https://cloud.google.com/secret-manager "> GCP</ a > - Secret Manager </ li >
98- < li > < a href ="https://www.vaultproject.io/ "> Hashicorp Vault</ a > - Secret Management </ li >
99- < li > < a href ="https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/ "> OWASP Top 10 2021 Category A7</ a > - Identification and
100- Authentication Failures </ li >
101- < li > < a href ="https://www.owasp.org/index.php/Top_10-2017_A2-Broken_Authentication "> OWASP Top 10 2017 Category A2</ a > - Broken Authentication </ li >
102- < li > < a href ="https://cwe.mitre.org/data/definitions/798.html "> MITRE, CWE-798</ a > - Use of Hard-coded Credentials </ li >
103- < li > < a href ="https://cwe.mitre.org/data/definitions/259.html "> MITRE, CWE-259</ a > - Use of Hard-coded Password </ li >
104- < li > < a href ="https://wiki.sei.cmu.edu/confluence/x/OjdGBQ "> CERT, MSC03-J.</ a > - Never hard code sensitive information </ li >
86+ < li > OWASP - < a href ="https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/ "> Top 10 2021 - Category A7 - Identification and
87+ Authentication Failures</ a > </ li >
88+ < li > OWASP - < a href ="https://www.owasp.org/index.php/Top_10-2017_A2-Broken_Authentication "> Top 10 2017 - Category A2 - Broken Authentication</ a >
89+ </ li >
90+ < li > CWE - < a href ="https://cwe.mitre.org/data/definitions/798.html "> CWE-798 - Use of Hard-coded Credentials</ a > </ li >
91+ < li > CWE - < a href ="https://cwe.mitre.org/data/definitions/259.html "> CWE-259 - Use of Hard-coded Password</ a > </ li >
10592</ ul >
10693
0 commit comments