
Secure Application Lifecycle – Part 1 – Using CredScan

This post has been republished via RSS; it originally appeared at: Core Infrastructure and Security Blog articles.

 

Cyber security is one of the most important topics on our minds when we develop applications and systems, whether on-premises or in the cloud.

It is important to perform security validations on applications frequently and to build them into the development process. There are two important aspects to these validations. First, developers should be able to detect any credentials or secrets in the code so they can move them to a safe place before the code is committed. Second, the DevOps and infrastructure teams should be able to perform frequent security health checks on Azure subscriptions.

In this series, I will go over some very useful tools that help improve the security of applications and cloud resources. In Part 1, I will discuss CredScan. Part 2 will focus on the Secure DevOps Kit for Azure (AzSK), and Part 3 will focus on Azure Sentinel and security health.

 

 

Managing Credentials in the Code with CredScan

 

The first aspect, as mentioned, is the ability to detect any credentials or secrets. Developers should be able to catch them before committing the code to the repository, or during the pipeline itself.

We all know it is easy to leave credentials in the code, especially in large projects. A team can always try to check for credentials manually, but that is not a reliable way to look for sensitive information.

Credential Scanner (aka CredScan) is a tool developed and maintained by Microsoft to identify credential leaks, such as those in source code and configuration files. Some of the commonly found types of credentials are default passwords, SQL connection strings with embedded passwords, and certificates with private keys.

There are two versions of CredScan, a client-side extension and a server-side build task, as shown in the following diagram.

 

The client side

It is an extension that currently supports VS 2017, and you can download it from here.

After installing the extension, we are ready to code and build; if the code contains a credential, the tool catches it as follows.

 

The downside of the client side is that there is no extension for VS 2019 or VS Code yet. As an alternative for developers who want to install a first line of defense for credential scanning, please refer to my blog post on git secrets.
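To make the detection concrete, here is a small scanner added as an example; it is not CredScan and not code from the original post or from Microsoft. It turns the credential types listed above (default passwords, SQL connection strings, private keys) plus an Azure storage account key into regex rules, skips obvious placeholder values, redacts what it reports, and exits non-zero when it finds anything, so it can be wired in as a git pre-commit hook in the spirit of git secrets. The rule patterns, the placeholder list and the sample lines are constructed assumptions for illustration, not CredScan's rule set.

```python
"""Lightweight credential scanner, added as an example (not CredScan itself).

Rules cover the secret types named above: SQL connection strings with an
embedded password, private-key PEM blocks, hardcoded default passwords, and an
Azure storage AccountKey. The patterns and sample lines are constructed
assumptions for illustration, not CredScan's proprietary rule set.
"""
import re
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    line_no: int
    snippet: str  # redacted excerpt so the report never re-leaks the secret


RULES = [
    # Connection string: Server=/Data Source= ... Password=/Pwd=
    ("sql-connection-string",
     re.compile(r"(?i)(server|data source)=[^;]+;.*?(password|pwd)=[^;\"']+")),
    # Any PEM private-key header, encrypted or not
    ("private-key-block",
     re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----")),
    # password = "literal" / pwd: 'literal'; group 2 is the literal value
    ("hardcoded-password",
     re.compile(r"(?i)(password|passwd|pwd)\s*[:=]\s*[\"']([^\"']{4,})[\"']")),
    # Azure storage keys are 88 base64 chars ending in "=="
    ("azure-storage-key",
     re.compile(r"(?i)AccountKey=[A-Za-z0-9+/]{86}==")),
]

# Literal values that are clearly placeholders; CredScan's suppressionsFile
# serves a similar purpose for known false positives.
PLACEHOLDERS = re.compile(
    r"(?i)^(\$\{?\w+\}?|<[^>]+>|\*+|x{3,}|changeme|your[_-]?password)$")


def scan_lines(lines):
    """Return a Finding for every rule that matches a line (placeholders skipped)."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for rule, pattern in RULES:
            match = pattern.search(line)
            if not match:
                continue
            if rule == "hardcoded-password" and PLACEHOLDERS.match(match.group(2)):
                continue
            findings.append(Finding(rule, line_no, match.group(0)[:12] + "..."))
    return findings


def scan_file(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_lines(fh.read().splitlines())


# Constructed sample input: lines 1, 3, 4 and 5 should be flagged; 2 and 6 should not.
SAMPLE = [
    'conn = "Server=tcp:db.example.test,1433;Database=app;User ID=sa;Password=S3cret!Pass;"',
    "DEFAULT_PASSWORD = 'changeme'",
    "admin_password = 'Hunter2-Prod-2019'",
    "-----BEGIN RSA PRIVATE KEY-----",
    "storage = 'DefaultEndpointsProtocol=https;AccountName=acct;AccountKey="
    + "A" * 86 + "==;EndpointSuffix=core.windows.net'",
    "password = os.environ['DB_PASSWORD']",
]


if __name__ == "__main__":
    # Pre-commit usage: git diff --cached --name-only -z | xargs -0 python credscan_lite.py
    paths = sys.argv[1:]
    results = ([(p, f) for p in paths for f in scan_file(p)] if paths
               else [("<sample>", f) for f in scan_lines(SAMPLE)])
    for path, f in results:
        print(f"{path}:{f.line_no}: {f.rule}: {f.snippet}")
    sys.exit(1 if results else 0)  # non-zero aborts the commit
```

Run with no arguments it scans the constructed sample and reports four findings; run from a pre-commit hook over the staged files it blocks the commit whenever a rule fires. The report deliberately prints only the first few characters of each match, since a hook that echoes the full secret into the terminal or CI log would just move the leak somewhere else.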

 

CredScan Server Side implementation

In order to use the server-side version, the developer needs to include the “CredScan Build” task in the project pipeline. For more information about obtaining the Microsoft Security Code Analysis Extension, please review this document.

 

In Azure DevOps, we can add the task in the Classic build editor; CredScan can be added directly using the search box.

 

 

After adding the task, the developer or DevOps engineer can fill in the details of the task.

Available options include:

 

In the YAML pipeline editor, here is an example of the CredScan YAML task.

 

 

parameters:
  pool: 'Hosted VS2017'
  jobName: 'credscan'
  displayName: Secret Scan

jobs:
- job: ${{ parameters.jobName }}
  pool:
    name: ${{ parameters.pool }}
  displayName: ${{ parameters.displayName }}
  steps:
  - task: securedevelopmentteam.vss-secure-development-tools.build-task-credscan.CredScan@2
    displayName: 'Scan for Secrets'
    inputs:
      suppressionsFile: tools/credScan/suppress.json
      toolMajorVersion: V2
      debugMode: false

 

 

 

After adding the task, the pipeline will succeed only if the CredScan task passes, that is, only if no credentials are found other than those listed in the suppressions file.

 

Summary

In this Part 1, we discussed the importance of implementing a first line of defense against credential leaks by using the CredScan client-side extension or the CredScan pipeline task. In the next post I will explore using AzSK to secure DevOps.
