|
| 1 | +<p>Secret leaks often occur when a sensitive piece of authentication data is stored with the source code of an application. Considering the source |
| 2 | +code is intended to be deployed across multiple assets, including source code repositories or application hosting servers, the secrets might get |
| 3 | +exposed to an unintended audience.</p> |
1 | 4 | <h2>Why is this an issue?</h2>
|
2 |
| -<p>Azure Storage Account Keys are similar to the root password, allowing full access to Azure Storage Accounts.</p> |
3 |
| -<p>If the application interacts with Azure Cloud Storage services, access keys should be secured and not be disclosed.</p> |
4 |
| -<h2>Recommended Secure Coding Practices</h2> |
5 |
| -<p>Only administrators should have access to storage account keys. To authorize an application to access an Azure Storage, it’s recommended to create |
6 |
| -a service principal and assign it the required privileges only. <a |
7 |
| -href="https://docs.microsoft.com/en-us/azure/storage/common/storage-auth-aad-msi?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#authenticate-with-the-azure-identity-library">Azure |
8 |
| -Identity SDK</a> provides several options such as <em>DefaultAzureCredential</em> that can be used to retrieve secrets from, for instance, environment |
9 |
| -variables.</p> |
10 |
| -<p>Storage account keys should not be stored with the application code or saved anywhere in plain text accessible to others. Consider using an <a |
11 |
| -href="https://azure.microsoft.com/en-us/services/key-vault/">Azure Key Vault</a> to store and manage keys.</p> |
12 |
| -<p>When credentials are disclosed in the application code, consider them as compromised and rotate them immediately.</p> |
| 5 | +<p>In most cases, trust boundaries are violated when a secret is exposed in a source code repository or an uncontrolled deployment environment. |
| 6 | +Unintended people who don’t need to know the secret might get access to it. They might then be able to use it to gain unwanted access to associated |
| 7 | +services or resources.</p> |
| 8 | +<p>The trust issue can be more or less severe depending on the people’s role and entitlement.</p> |
| 9 | +<h3>What is the potential impact?</h3> |
| 10 | +<p>Azure Storage Account Keys are used to authenticate and authorize access to Azure Storage resources, such as blobs, queues, tables, and files. |
| 11 | +These keys are used to authenticate requests made against the storage account.</p> |
| 12 | +<p>If an Azure Storage Account Key is leaked to an unintended audience, it can pose a significant security risk to your Azure Storage account.</p> |
| 13 | +<p>An attacker with access to your storage account key can potentially access and modify all the data stored in your storage account. They can also |
| 14 | +create new resources, delete existing ones, and perform other actions that can compromise the integrity and confidentiality of your data.</p> |
| 15 | +<p>In addition, an attacker with access to your storage account key can also incur charges on your account by creating and using resources, which can |
| 16 | +result in unexpected billing charges.</p> |
| 17 | +<h2>How to fix it</h2> |
| 18 | +<p><strong>Revoke the secret</strong></p> |
| 19 | +<p>Revoke any leaked secrets and remove them from the application source code.</p> |
| 20 | +<p>Before revoking the secret, ensure that no other applications or processes is using it. Other usages of the secret will also be impacted when the |
| 21 | +secret is revoked.</p> |
| 22 | +<p><strong>Analyze recent secret use</strong></p> |
| 23 | +<p>When available, analyze authentication logs to identify any unintended or malicious use of the secret since its disclosure date. Doing this will |
| 24 | +allow determining if an attacker took advantage of the leaked secret and to what extent.</p> |
| 25 | +<p>This operation should be part of a global incident response process.</p> |
| 26 | +<p><strong>Use a secret vault</strong></p> |
| 27 | +<p>A secret vault should be used to generate and store the new secret. This will ensure the secret’s security and prevent any further unexpected |
| 28 | +disclosure.</p> |
| 29 | +<p>Depending on the development platform and the leaked secret type, multiple solutions are currently available.</p> |
| 30 | +<h3>Code examples</h3> |
| 31 | +<h4>Noncompliant code example</h4> |
| 32 | +<pre data-diff-id="1" data-diff-type="noncompliant"> |
| 33 | +props.set("storage_key", "4dVw+l0W8My+FwuZ08dWXn+gHxcmBtS7esLAQSrm6/Om3jeyUKKGMkfAh38kWZlItThQYsg31v23A0w/uVP4pg==") |
| 34 | +</pre> |
| 35 | +<h4>Compliant solution</h4> |
| 36 | +<pre data-diff-id="1" data-diff-type="compliant"> |
| 37 | +props.set("storage_key", System.getenv("STORAGE_KEY")) |
| 38 | +</pre> |
13 | 39 | <h2>Resources</h2>
|
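Review bot: The rewritten "How to fix it" section drops the Azure-specific mitigation that the removed "Recommended Secure Coding Practices" section carried: authorizing the application through a service principal with only the required privileges, the Azure Identity SDK's DefaultAzureCredential, and the Azure Key Vault link. The new "Use a secret vault" paragraph only says that "multiple solutions are currently available"; since this rule is specifically about storage account keys, keep the Key Vault link and the service-principal recommendation under that heading so readers get the concrete Azure fix rather than a generic one. Two smaller points in the same block: "ensure that no other applications or processes is using it" should read "are using it", and the compliant solution `props.set("storage_key", System.getenv("STORAGE_KEY"))` reads the key from an environment variable while the prose just above recommends a vault; a sentence stating that the variable is expected to be populated from the vault (or from a managed identity, as the removed text described) would keep the example and the prose consistent.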
| 40 | +<h3>Standards</h3> |
14 | 41 | <ul>
|
15 |
| - <li> <a href="https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/">OWASP Top 10 2021 Category A7</a> - Identification and |
16 |
| - Authentication Failures </li> |
17 |
| - <li> <a href="https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal">docs.microsoft.com</a> - Manage |
18 |
| - storage account access keys </li> |
19 |
| - <li> <a href="https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure">OWASP Top 10 2017 Category A3</a> - Sensitive Data |
20 |
| - Exposure </li> |
21 |
| - <li> <a href="https://cwe.mitre.org/data/definitions/798">MITRE, CWE-798</a> - Use of Hard-coded Credentials </li> |
22 |
| - <li> <a href="https://cwe.mitre.org/data/definitions/259">MITRE, CWE-259</a> - Use of Hard-coded Password </li> |
23 |
| - <li> <a href="https://www.sans.org/top25-software-errors/#cat3">SANS Top 25</a> - Porous Defenses </li> |
| 42 | + <li> MITRE - <a href="https://cwe.mitre.org/data/definitions/798">CWE-798 - Use of Hard-coded Credentials</a> </li> |
| 43 | + <li> MITRE - <a href="https://cwe.mitre.org/data/definitions/259">CWE-259 - Use of Hard-coded Password</a> </li> |
| 44 | + <li> SANS - <a href="https://www.sans.org/top25-software-errors/#cat3">TOP 25 Most Dangerous Software Errors</a> </li> |
| 45 | +</ul> |
| 46 | +<h3>Documentation</h3> |
| 47 | +<ul> |
| 48 | + <li> Microsoft Documentation - <a href="https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal">Manage |
| 49 | + storage account access keys</a> </li> |
24 | 50 | </ul>
|
25 | 51 |
|
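Review bot: The reworked Resources list removes both OWASP Top 10 references (A07:2021 Identification and Authentication Failures and A3:2017 Sensitive Data Exposure) without re-adding them under the new "Standards" heading, while CWE-798, CWE-259 and the SANS Top 25 are kept. If the intent was only to move the Microsoft documentation link into its own "Documentation" section, the OWASP entries should be restored to "Standards" in the list's new format, e.g. `<li> OWASP - <a href="https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/">Top 10 2021 Category A7 - Identification and Authentication Failures</a> </li>`.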