Thursday, June 27 • 11:30am - 12:15pm
From Zero to Hero: Rollout your hardcoded secrets detection and prevention with minimal effort and maximum impact!

The importance of safeguarding system credentials cannot be overstated in the realm of security. Unauthorized access to these credentials undermines the foundational principle of authentication and can lead to severe data breaches. It's essential to ensure that secrets are not embedded in source code, as security is only as strong as its weakest link.

This presentation covers the implementation of a robust secret detection system that leverages TruffleHog, an open-source tool, to perform scheduled and integrated preventive scans across GitHub and Azure DevOps repositories. The system is designed to scan on a scheduled basis and in response to specific triggers such as pull requests or pushes to specific branches, ensuring real-time detection and prevention of secret leaks.

The infrastructure, built using Terraform and cloud-based services, is capable of handling large-scale operations, scanning terabytes of data, and accommodating the unique challenges inherent in rolling out such a comprehensive initiative within an organizational framework.

At the end of this talk, attendees will have learnt how to construct an efficient and automated secrets detection and prevention program at scale, along with secrets management strategies to help with remediation. The discussion will cover practical considerations for implementation, including the deployment of Infrastructure as Code (IaC), secret management strategies, and the integration of monitoring services. All of the knowledge shared in this talk will be applicable immediately after.


Speakers
Yassine Ilmi

Product Security Architect, Thomson Reuters
Yassine Ilmi is a seasoned Product Security Architect at Thomson Reuters, where he spearheads all aspects of product security. With a comprehensive background in information security, risk management, and secure software development, Yassine has made significant contributions to establishing...

Arbër Salihi

Senior Product Security Engineer, Thomson Reuters
Arbër Salihi is a Senior Product Security Engineer at Thomson Reuters, where he works in the Product Security team focusing on container security, software supply chain security, and application security. As part of his role, Arbër and his team members collaborate closely with all...


Thursday June 27, 2024 11:30am - 12:15pm WEST