
So, quickly: thanks for coming to my talk. I only have 10 minutes for this, but if anybody wants a name tag, I love name tags, the little school kind, hit me up; I've got a whole roll of them and a marker and I'm happy to give you one. That's unrelated to the talk. Very happy to be here. This is a theater where I saw a bunch of movies; I used to live four blocks from here, and I'm super happy to be back in San Francisco, but I live in Chicago these days. I've been a developer advocate since 2016-ish; I worked for a company called Pantheon when I got started in this game. I'm very, very excited and passionate about tech, but I also like things like rock and roll, which wasn't on the broadcast, but before this I was talking about one of the bands from Oakland. Hit me up about improv, karaoke, anything related to rock and roll; happy to talk to you about that stuff. Hit me up on Twitter, and I didn't put it on this one, but I'm also on Mastodon: mcdwayne@mastodon.social.

Quick question: who here is a developer, would say they call themselves a developer? Awesome, this talk really is for you. Who here is a security operations professional? Awesome. Who here is in marketing and just happened to wander in here? There's a couple of people. Any other titles I missed, anything you think, "hey, you should know about my title"? Just shout it out, I can't see you. Auditor, awesome, thanks for being here. Architect, oh yeah, I would put you in the dev camp, but yes, definitely. What's that? Sales, perfect, thank you for being here at this talk.

So I think no matter what your title is, we can all agree this is a dumb idea. You can have the best security on the planet, you can build up your defensive walls all day, build moats, whatever, but if you put a key to the front door out there, people are gonna get in. And of course we're not gonna do that, that's dumb, right? But we do this all the time. I did this two weeks ago working on a CLI, not even joking. I just had to test that the API endpoint worked, and it did, and then, "oh, I've got to do this real quick," and then I got a Slack message from a boss, and then I got this other thing to work on, and by the time I go to commit this I forgot that I put this in here, and then it makes its way out to the world.

I work for a company called GitGuardian, didn't mention it earlier. We've got a booth over in the abstract village, uh, the resume village, so go over there and talk to us about stuff. But we put this report out every year; last year we found 10 million secrets just hanging out in GitHub public repos. That's just GitHub public; we didn't look anywhere else, or at least not in the report. This is a huge increase over the previous year, and it's growing faster than the growth of GitHub, so it's not just newbies, it's not just people coming on for the first time and not knowing what they're doing. This is affecting very large companies out there. We could go through all these breaches, and I'm happy to talk to you about any of these in depth, and we have blog posts about all of those; that's what it links to. I'll share the slides out on Twitter after this. So it's not just new people, it's people of all ranges.

So how do we fix this? Well, there's a number of approaches, but I think the core approach is to start using a tool we already use in a slightly different way than you might already be using it. Who here uses git? Anybody SVN? Get out of here, you're not allowed in here. I'm kidding, everybody's welcome. But git is "the stupid content tracker"; this is what gitster and Linus called it. If you type `man git`, that's what you get up on the screen. Because it's dumb, but it's also really efficient. It takes an entire snapshot of the working directory at any given time. Every time you do a `git add`, it's like, let's take all those files and compress them down with zlib, push them into the index as a compressed file, and then when you commit, it commits that through this chain of commits. So your entire history is your entire history; that's the magic of git, that you can go back in time at any point and check out that particular reality.

But that also means that it's always there. So if you add a secret and then take it back out in the next commit, it's still there, because you didn't take it out; you need to actually execute and destroy that commit, and that's just painful. And there are ways to avoid putting it in there, like `.gitignore`, which is awesome, except... I don't have enough time to play the guessing game, but yeah, see, I accidentally commented out my `.env` file, so now I'm committing my `.env` file, and now I'm gonna share my secrets with the world. And there are awesome, awesome solutions out there everyone should be using. Everyone should be using at least HashiCorp Vault or Doppler or something like that, or if you're using a platform for your tooling, something like Azure Key Vault, or AWS's version of it, or GCP's version of it, or fill-in-the-blank's version of it, or even on-server `.env` files. And if we'd all just do these two things consistently, that would be it, I wouldn't have to do this talk anymore, and I could go about my life and do something else with my brain. But we keep doing this, and it's not that we tested the secret; I'm not here to shame anyone, because again, I did this two weeks ago. The problem is that we then commit and push that secret out to the world. Once it's out there, well, then it's a really bad time, because we have to surgically remove it, coordinate with the rest of the team, communicate with everyone else that could have touched that repo. But if we can catch it before we even commit it, we don't really have a problem, because we caught it locally. That's what happened to me: I caught it locally because I had a robot that does this.

So how did I get that robot to work? Well, git gives us a way. There's this awesome automation platform that Linus built in because he wanted a way to execute scripts when certain things happened. I think of it as a Rube Goldberg building device, because it's any arbitrary script you want to build. Git hooks: there are 17 along the way. If you take nothing else away from this entire talk, go to githooks.com; it's beautiful, it's wonderful, thank you very much Matt Hudson for doing your work. But there are 17 you can hook into, so pre-commit, prepare-commit-msg and commit-msg all happen before the commit actually finishes. So if you can tell a script in the middle of that, "hey, look for a secret," and stop it there, then it doesn't get committed. But it's just a script. So if you're not familiar with git hooks, they're just scripts. I love bash, I'm a huge bash nerd, but if you want Python, or PHP for some reason, or Ruby, or whatever executable environment you have, you can tap into that. This is real: thanks, Ed Thomson from npm and GitHub Actions, who wrote git-dad, which substitutes `git dad` for `git add` and tells you a dad joke along the way. That's where I stole the code, which is just a curl.

But if we're gonna build what I just talked about with that robot, it would look something kind of like this: `git grep`. Who here likes `git grep`? Anybody know about this? Inside of git they built grep; it's just bash grep, but it limits what it's looking at to the index and things that git knows about. So it resolves that entire problem of "how do I use grep to look at a thing"; it just looks there, that's just what it does. Anyway, so we tell it, "hey, look at this arbitrary bit of regex," because everybody loves writing regex, right? Exactly, all of it. I just found out ChatGPT can write fairly good regex, and it changed my life. Anyway, so we can build this all day, but then we have a few things to worry about: what about all the use cases I need to deal with, what about examples, what about test files, what about this, what about that? And then I have to maintain it. Unless this is your full-time job, to build this thing, there's a lot of work; nobody's got time for that.

So there's some open source people that already built this; it's already there. The code I showed you earlier is taken from, well, it's modified, but taken from git-secrets, right? AWS Labs, 100% open source, go grab it, and if you live and breathe and all of your life is in AWS... by somebody on the team who put it out there for free as an example, and people have extended it; you can go find them for Google and Azure and other things. There's a company, TruffleHog; they're actually here as well. They are built open source first and they have an enterprise option these days. Their core tool, as far as I can tell, uses the pre-commit framework, which is a Python framework that builds pre-commit hooks. It's a cool tool on its own, nothing against it, just know that you have that extra layer of stuff. We at GitGuardian make ggshield, which is an open source tool; it does require platform usage to actually do the scanning and the brains behind it, but you can get a free account. There are other tools like gitleaks out there that do the same thing, so you're not on your own building this thing, or running this thing, or installing this thing. In the case of ggshield, which is the one that saved me, because that's what I run, because, well, I work with you guys, it was three lines: one to install it, one to authenticate, one to put the hook in place. I don't think about it anymore; it's just a global hook. Every time I do a commit, it always checks, every time, even if I don't want it to. Your mileage may vary; you can always skip a hook if you want. You shouldn't skip hooks; you put them in place for a reason.

What does that look like in action? It looks like this: hey, I've got a secret over here, I go and make a commit, "hey, this looks like that," now it failed. It doesn't give me a commit, now I can fix it. My security team's happy with me because I didn't commit it; I don't have to do surgical removal on the git repo later and all that surgery.

So in conclusion, it's only 10 minutes: don't hard-code your secrets. If you just stop doing that, then the rest of this talk you can ignore. Don't commit your secrets, but yeah, we're human beings, let's just be honest. Use automation to your advantage. Git builds in hooks; you can do anything with it, so why not do security with it? If I had more time we could talk about all the other things you could plug in with git hooks, like any test suite you ever wanted that you can run from a CLI. But that's my talk, and I'm out of time, unfortunately. So, questions?

"How do you make sure people install this?" Well, that's a good question. There's the other side of this, the detection side of secrets in your environment, and there's a suite of tools out there; we're one of them. And if you end up with secrets getting pushed by a developer, then you know they didn't use it; that's the short answer. If secrets show up and you have this strategy in place, then you know who has accepted it and who hasn't in their workflows. Other than that, it's just asking, onboarding. This is one of the reasons I personally love cloud development environments: because you can pre-install them there, and you can just give your developer, like, "here's a URL," everything you need, including the git hooks, already there.

Other quick questions? Oh, cool, yeah, great question: how does this differ from HashiCorp Vault or the other tools? Those are secret managers. So Vault is a tool to properly store and then programmatically call your credentials. So instead of `password = <whatever your password is>`, it's `password = vault.something`, whatever you called your secret, and it will source it in. So when your code leaks, because it's not if, it's when your code leaks, a hacker, the attacker, will see, "okay, they use Vault, I'm not even gonna bother with this, let's just Google into something else, there's got to be a better way to get in."

"Can you do this on the server side?" Absolutely. So, back on hooks: pre-receive. Pre-receive is a hook that runs on the server side in git, and this is like out of the Git book. So pre-receive is a hook that runs on the server side that will do whatever the script says. You can install ggshield, I think git-secrets out of AWS for sure; you can just set it up as a pre-receive hook and it will check the commit before it actually gets sent, and if there's anything in there, it'll shut it down.

I can't hear you, man, sorry. Well, this is the thing: it is a developer tool, because they're using git locally, so this is going to be dependent on the developer. But again, you can hook this in if you're starting to go down the cloud development environment route; you can pre-build it in there for your developers, at onboarding or per project. But yeah, there's not a way to, like, globally... unless you can globally enforce developer tools on all your developer machines. If you can do that, then you can do this, but if you don't have that superpower, I don't know how you do that.

The question was, why isn't this automatically integrated into an IDE? That's a great question, but I think that same question can be asked about a lot of technology that I like. It's like the linting question all over again: linting is the best idea until it's not, and then you work around it, and then your code gets messy. One more? Yeah, okay, I've got time for one more. You just told me... Well, thank you very much, everybody. I really appreciate you being here. Have a great rest of your BSides.
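The pre-commit "robot" the talk describes, written out as a runnable hook. This is an added example, not the speaker's hook and not git-secrets, ggshield, TruffleHog or gitleaks; it follows the same idea the talk sketches (a plain shell script on the pre-commit hook that greps the staged change for secret-shaped strings and exits non-zero so git aborts the commit). The regexes, the `.env` path rule, the two sample snippets and the `demo_scan` self-check are constructed for illustration; a real ruleset needs far more detectors and allow-lists for tests and fixtures.

```shell
#!/bin/sh
# Added example (not the speaker's code, not git-secrets or ggshield): a minimal
# pre-commit hook that blocks a commit when the staged change looks like it
# contains a secret, or when a .env file is being staged at all.
#
# Install per repo:  cp pre-commit .git/hooks/pre-commit && chmod +x .git/hooks/pre-commit
# Install globally:  mkdir -p ~/.githooks && cp pre-commit ~/.githooks/ \
#                    && git config --global core.hooksPath ~/.githooks
# Bypass (don't):    git commit --no-verify

# Patterns are POSIX EREs, one per line, matched case-insensitively. They are an
# illustrative assumption, not a complete ruleset.
SECRET_PATTERNS='AKIA[0-9A-Z]{16}
-----BEGIN (RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----
(password|passwd|secret|api[_-]?key|token)[[:space:]]*[=:][[:space:]]*.?[A-Za-z0-9/+_-]{8,}'

# Paths that must never be committed regardless of content (.env, .env.local);
# .env.example is deliberately allowed because it is meant to hold placeholders.
FORBIDDEN_PATHS='(^|/)\.env(\.local)?$'

# scan_text: read text on stdin, print each matching line with its line number,
# return 0 if clean and 1 if any pattern matched. Pure function, no git needed.
scan_text() {
  content=$(cat)
  found=0
  while IFS= read -r pat; do
    [ -n "$pat" ] || continue
    if printf '%s\n' "$content" | grep -E -i -n -e "$pat"; then
      found=1
    fi
  done <<EOF
$SECRET_PATTERNS
EOF
  return $found
}

# is_forbidden_path: return 0 when the path must not be committed.
is_forbidden_path() {
  printf '%s\n' "$1" | grep -E -q -e "$FORBIDDEN_PATHS"
}

# check_staged: what git runs. Scans only the added lines of the staged diff, so
# a secret already buried in history does not block every unrelated commit (that
# is a separate clean-up and rotation job), and checks staged paths.
check_staged() {
  rc=0
  while IFS= read -r path; do
    [ -n "$path" ] || continue
    if is_forbidden_path "$path"; then
      printf 'pre-commit: refusing to commit %s; keep it in .gitignore\n' "$path" >&2
      rc=1
    fi
  done <<EOF
$(git diff --cached --name-only --diff-filter=ACMR)
EOF
  # Keep '+' lines, drop the '+++ b/file' headers, strip the marker, then scan.
  if ! git diff --cached --diff-filter=ACMR -U0 \
      | grep '^+' | grep -v '^+++ ' | sed 's/^+//' | scan_text; then
    echo "pre-commit: possible secret in the staged changes above; commit blocked." >&2
    rc=1
  fi
  return $rc
}

# Constructed samples (not real diffs) of what a developer might stage after
# testing an API from a CLI. The key is AWS's documented placeholder, not live.
SAMPLE_LEAK='API_URL=https://api.example.com
API_KEY=AKIAIOSFODNN7EXAMPLE   # TODO remove before commit
db_password = "correct-horse-battery"'

SAMPLE_CLEAN='API_URL=https://api.example.com
API_KEY = os.environ["API_KEY"]
db_password = vault.read("secret/db")'

# demo_scan: run the scanner over both samples; returns 0 only when the clean
# change passes and the leak is caught. Try: . ./pre-commit && demo_scan && echo ok
demo_scan() {
  printf '%s\n' "$SAMPLE_CLEAN" | scan_text >/dev/null || return 1  # must pass
  printf '%s\n' "$SAMPLE_LEAK"  | scan_text >/dev/null && return 1  # must be caught
  return 0
}

# Entry point: only when git runs this file as a hook (argv[0] ends in
# pre-commit). Sourcing the file for the self-check runs nothing.
case "$0" in
  */pre-commit|pre-commit) check_staged || exit 1 ;;
esac
```

Installed through `core.hooksPath` it behaves like the global hook the talk describes: every commit in every repo runs it, and `git commit --no-verify` is the only way around it. Scanning `git diff --cached -U0` rather than running `git grep` over the whole index is a deliberate choice here: it flags only lines this commit adds, so an old leak already in history (which needs history rewriting and key rotation, not a hook) does not block unrelated work.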