Secure Application Lifecycle - Part 1 - Using CredScan

Published 12-14-2020 01:44 PM
Microsoft


Cyber security is one of the most important topics on our minds when we develop applications and systems, whether on-premises or in the cloud.

It is important to install security validations on applications and run them frequently. There are two important aspects to these validations. First, developers should be able to detect any credentials or secrets in the code so they can move them to a safe place. Second, DevOps and infrastructure teams should be able to perform frequent security health checks on Azure subscriptions.

In this series, I will go over very useful tools that help improve the security of applications and cloud resources. In Part 1, I will discuss CredScan. Part 2 will focus on the Secure DevOps Kit for Azure (AzSK), and Part 3 will focus on Azure Sentinel and security health.


Managing Credentials in the Code with CredScan


The first aspect, as mentioned above, is the ability to detect any credentials or secrets. Developers should be able to catch them before committing the code to the repo, or during the pipeline process itself.

We all know it is easy to leave credentials in the code, especially in large projects. A team can always try to check for credentials manually, but that is not a recommended way to look for sensitive information.

Credential Scanner (aka CredScan, https://secdevtools.azurewebsites.net/helpcredscan.html) is a tool developed and maintained by Microsoft to identify credential leaks, such as those in source code and configuration files. Some of the commonly found types of credentials are default passwords, SQL connection strings and certificates with private keys.

There are two versions of CredScan, server side and client side, as shown in the following diagram.


Picture1.png

The client side

It is a Visual Studio extension that currently supports VS 2017; you can download it from the Visual Studio Marketplace (https://marketplace.visualstudio.com/items?itemName=VSIDEDevOpsMSFT.ContinuousDeliveryToolsforVisualStudio).

After installing the extension, we are ready to code and build; if our code contains a credential, the tool will catch it as shown below.


Picture2.png

The downside of the client side is that there is no extension for VS 2019 or VS Code yet. As an alternative, developers who are interested in installing a first line of defense for credential scanning can refer to my blog post on git secrets (https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/preventing-leaked-azure-secrets-in-github/ba-p/1400010).


CredScan Server Side implementation

To use the server-side version, the developer needs to include the “CredScan Build” task in the project pipeline. For more information about obtaining the Microsoft Security Code Analysis extension, please review this document: https://docs.microsoft.com/en-us/azure/security/develop/security-code-analysis-overview.


In Azure DevOps, we can add the task in the Classic build editor; CredScan can be added directly using the search box.


Picture3.png


After adding the task, the developer or DevOps engineer can fill in the details of the task.

Available options include:

  • Display Name: Name of the Azure DevOps Task. The default value is Run Credential Scanner
  • Tool Major Version: Available values include CredScan V2 and CredScan V1. We recommend customers use the CredScan V2 version.
  • Output Format: Available values include TSV, CSV, SARIF, and PREfast.
  • Tool Version: We recommend you select Latest.
  • Scan Folder: The repository folder to be scanned.
  • Searchers File Type: The options for locating the searchers file that is used for scanning.
  • Suppressions File: A JSON file can suppress issues in the output log. For more information about suppression scenarios, see the FAQ section of this article.
  • Verbose Output: Self-explanatory.
  • Batch Size: The number of concurrent threads used to run Credential Scanner. The default value is 20. Possible values range from 1 through 2,147,483,647.
  • Match Timeout: The amount of time in seconds to spend attempting a searcher match before abandoning the check.
  • File Scan Read Buffer Size: The size in bytes of the buffer used while content is read. The default value is 524,288.
  • Maximum File Scan Read Bytes: The maximum number of bytes to read from a file during content analysis. The default value is 104,857,600.
  • Control Options > Run this task: Specifies when the task will run. Select Custom conditions to specify more complex conditions.
  • Version: The build task version within Azure DevOps. This option isn't frequently used.
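To make the detection described above and the Suppressions File option concrete, here is a small Python illustration added to this post. It is not CredScan's own code and not from the post's author: the three searcher patterns, the sample repository files and the suppression entries are all constructed for the example. The suppressions document follows the shape the Microsoft Security Code Analysis documentation describes (a top-level "tool" and a "suppressions" list whose entries carry either "file" or "hash" plus a "_justification"), but the hash value here is this example's own fingerprint rather than the hash CredScan itself emits.

```python
"""Toy credential scanner with a CredScan-style suppressions file.

Added illustration only (not CredScan's code): the searcher patterns, the
sample files and the suppression entries are all constructed for this example.
"""
import hashlib
import json
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed "searchers" for the credential types the post lists:
# SQL connection strings with passwords, private keys, default passwords.
SEARCHERS = {
    "SqlConnectionStringPassword": re.compile(r"""(?i)password\s*=\s*[^;"']{4,}"""),
    "PrivateKeyBlock": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "DefaultPassword": re.compile(r"""(?i)(?:pwd|password)\s*[:=]\s*["']?(?:admin|password|P@ssw0rd)["']?"""),
}


@dataclass(frozen=True)
class Finding:
    file: str
    line: int
    searcher: str
    hash: str  # fingerprint of this match, used for hash-based suppression


def fingerprint(path: str, searcher: str, matched_text: str) -> str:
    """Stable id for one match (this example's own scheme, not CredScan's hash)."""
    return hashlib.sha256(f"{path}|{searcher}|{matched_text}".encode()).hexdigest()[:16]


def scan(files: Dict[str, str]) -> List[Finding]:
    """Run every searcher over every line of every file; one Finding per hit."""
    findings = []
    for path, content in files.items():
        for lineno, text in enumerate(content.splitlines(), start=1):
            for name, pattern in SEARCHERS.items():
                match = pattern.search(text)
                if match:
                    findings.append(Finding(path, lineno, name, fingerprint(path, name, match.group(0))))
    return findings


def load_suppressions(raw_json: str) -> Tuple[Set[str], Set[str]]:
    """Split a suppressions file into file-level and hash-level entries."""
    entries = json.loads(raw_json).get("suppressions", [])
    return ({e["file"] for e in entries if "file" in e},
            {e["hash"] for e in entries if "hash" in e})


def run_scan(files: Dict[str, str], raw_json: str) -> List[Finding]:
    """Scan, then drop findings covered by a file or hash suppression."""
    suppressed_files, suppressed_hashes = load_suppressions(raw_json)
    return [f for f in scan(files)
            if f.file not in suppressed_files and f.hash not in suppressed_hashes]


def exit_code(findings: List[Finding]) -> int:
    """Non-zero when anything unsuppressed remains, so a pipeline step fails the build."""
    return 1 if findings else 0


# Constructed sample repository content (hypothetical paths and values).
SAMPLE_FILES = {
    "src/appsettings.json": (
        '{\n'
        '  "Logging": { "LogLevel": "Information" },\n'
        '  "ConnectionString": "Server=db;Database=app;User Id=sa;Password=Hunter2Hunter2;"\n'
        '}\n'
    ),
    "test/fixtures/dummy.pem": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIBOgIBAAJBAK...constructed-placeholder...\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "config/defaults.yaml": "service: api\nadmin_password: admin\n",
}

# Suppressions in the documented shape (tool / suppressions / file or hash / _justification).
# The hash entry is computed with this example's fingerprint so the sample stays self-consistent.
SUPPRESSIONS_JSON = json.dumps({
    "tool": "Credential Scanner",
    "suppressions": [
        {"file": "test/fixtures/dummy.pem",
         "_justification": "Throwaway key used only by unit tests; never deployed."},
        {"hash": fingerprint("config/defaults.yaml", "DefaultPassword", "password: admin"),
         "_justification": "Placeholder overwritten by deployment tooling (tracked in TICKET-PLACEHOLDER)."},
    ],
}, indent=2)

if __name__ == "__main__":
    remaining = run_scan(SAMPLE_FILES, SUPPRESSIONS_JSON)
    for f in remaining:
        print(f"{f.file}\t{f.line}\t{f.searcher}\t{f.hash}")  # TSV-style output
    raise SystemExit(exit_code(remaining))
```

Run as a script, it reports only the connection-string password in src/appsettings.json and exits non-zero: the test key is suppressed by file and the default password by hash, which is the same two-way suppression model the task's Suppressions File option gives you. The justification strings are the part a reviewer reads later, so keep them specific.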


Picture4.png

In the YAML pipeline editor, here is an example of the CredScan YAML task.


parameters:
  pool: 'Hosted VS2017'
  jobName: 'credscan'
  displayName: Secret Scan

jobs:
- job: ${{ parameters.jobName }}
  pool:
    name: ${{ parameters.pool }}

  displayName: ${{ parameters.displayName }}

  steps:
  - task: securedevelopmentteam.vss-secure-development-tools.build-task-credscan.CredScan@2
    displayName: 'Scan for Secrets'
    inputs:
      suppressionsFile: tools/credScan/suppress.json
      toolMajorVersion: V2
      debugMode: false


After adding the task, the pipeline will pass successfully only after the CredScan task passes.


Summary

In this Part 1, we discussed the importance of implementing a first line of defense against credential leaks by using the CredScan client-side extension or the CredScan task. In the next blog post I will explore using AzSK to secure DevOps.
