Offensive security company Praetorian on Monday announced that it "open-sourced" the regular expression (RegEx) scanning capabilities of its Nosey Parker secret scanning tool.
Nosey Parker aims to address the pervasive issue of secrets disclosure in source code and configuration files where sensitive information such as passwords, API keys, access tokens, asymmetric private keys, and credentials exist on public repositories. By discovering these keys, attackers can gain access keys to additional systems in a corporate network.
“Since the release of Nosey Parker, we have continued to find hard coded secrets within client environments that are easily leveraged to access high-value assets, but until now, the remedial advice felt lackluster with procedural and policy-based recommendations, said Anthony Paimany, technical director for Praetorian,
In the months ahead, Praetorian users will also have the opportunity to explore or enumerate resources that appear on GitHub and other public repositories.
While there are no shortage of secret scanning tools, Nosey Parker has begun to set itself apart from the others, said Jerrod Piker, competitive intelligence analyst at Deep Instinct.
First, and most notably, Piker said Nosey Parker uses machine learning to enable successful identification of secrets that can’t be identified using pattern-matching static rulesets, and providing noise reduction to cut down on false positives. Also, Praetorian is currently testing the use of deep learning, the next iteration of machine learning, that promises even better signal-to-noise ratios and much faster scanning.
“The developers chose to use a deep learning model built on the premise of natural language processing, as this has been shown to have a high correlation with source code,” Piker said. “What makes this toolset very useful is that it automates the process of scanning and searching for secrets by combining pattern-matching with machine learning techniques to allow security practitioners avoid manually creating pattern-matching rules based on RegEx. And not only does it speed up and automate the process, but it is also much more accurate than a simple rules-based pattern-matching system.”
Security professionals know that threat actors are constantly combing public software repositories like GitHub for secrets such as usernames, passwords, API keys, and other credentials — and it’s a race against time, said Bud Broomhead, chief executive officer at Viakoo. Broomhead said tools such as Nosey Parker that can offer better speed and automation are an extremely valuable part of an overall cyber defenses.
“Security pros should test based on their own systems and code and compare to other solutions to ensure they achieve the level of speed, coverage, and accuracy they are looking for,” Broomhead said. “With more work from home and new software engineers entering the workforce every day there has naturally been more use of personal GitHub repositories for work projects where corporate secrets could get exposed. Training software engineers on the importance of using a secrets scanning solution on personal repositories can help reduce the possibly of corporate credentials being exploited.”