From YouTube: What is the cost of a secret?
Hey there, welcome to the webinar. My name is Steve Giguere, I'm a developer advocate for Bridgecrew, and in this show we're going to cover, as you can see up on screen: What is the cost of a secret? Identifying secrets with Checkov before public exposure.

As I said, my name is Steve Giguere, I'm a developer advocate. That's my Twitter, and check out that "loose lips might sink ships". I found that that is some... I guess you'd call it, I don't know if we call it propaganda. I guess it is kind of called that, from World War II, from the United States, and it still applies today. It's interesting that information leakage can cause some form of damage regardless of the context, and that's what we're going to talk about today.

How can we mitigate the damage of releasing secrets, but also find secrets as early as possible in our software supply chain? How can we do that? So, let's go for it. All right. So next, let's look at some horror stories, starting with the fear, as always, right.
He knew that the wp-config, which is kind of where all the secrets live in WordPress (decide what you want about that from a security perspective), but he knew that was a bad thing to push. He put it into his own directory, added it to the .gitignore, all good things, but missed one critical piece, and that was that there was a backup mechanism that created a ".saved" version of that. That was not in the .gitignore. That got into AWS... that got into GitHub, sorry. And within... well, he went to sleep. Big mistake, doing things just before you go to bed. Six hours later he wakes up. He has a bill from AWS for six thousand. He was running 600 EC2 server instances. He normally has zero, so that was a bit of a giveaway there, and then cleaning things up was an absolute mess, both in terms of AWS and in terms of GitHub.
You have to be living in a cave to not have heard of SolarWinds. Intern leaks passwords. They always blame the intern, don't they? SolarWinds CEO testifying in front of Congress. This is not what you want. You do not want to ever find yourself testifying in front of Congress. That probably means that your breach was significant, but in this case an intern leaked an internal password, which you normally think would be safe, right. So if we move this way, you can see the SolarWinds password: solarwinds123. It matters. Internal passwords matter as well, but that's probably for another webinar. All right, let's move!
So what is a secret? Let's expand our definition of that. If we go back to these guys here, the Hackers cult-slash-almost-comedy film from the 90s, you can see it, like, the weird lighting on their faces. "Love", "God", "secret", "password" had to be in there. Surely these were the... we obviously were not paying... brute forcing, let's say brute forcing was pretty easy back in the 90s.
Not that... are you a skilled hacker? Really, it probably seemed pretty easy back then. Now, though, it probably doesn't look much better. This was from a report from Dashlane, I believe it was, or 1Password or LastPass or a password management company. Every year they release their top passwords. 2021 number one was 123456; "password" is in there, "qwerty" is in there. So, I'm just kidding, solarwinds123 was not in there, but you get the idea. These are all very simple passwords.
And you're probably thinking, I don't use "password", does anybody use "password"? Can you even use "password" anymore, because there's so many constraints around what you can do? I'm sure these are legacy, right? That's why they're still there. But we haven't, we really haven't... human nature has made it so that we never learn, right. That's what we do. That's what we're best at: not learning!
Now what we do instead of writing "password" is we capitalize the P, or maybe we add a special character, or perhaps we add a zero or we add a one, or we put an exclamation point on the end, and that's good, right? No one's gonna figure that out, that's crazy complicated. Oh, but then my organization makes me change the password every month. So I'm okay. I can say, all right, got it. So that's kind of what we do now.
So why would we expect anything better in the future? Now, to make matters more complicated when we're talking about secrets, automation needs passwords now, so now we have generated passwords, and those can be really messy. Like if we look at a SHA-256 of that word "password1", it's a big, messy, complicated thing, and when we look at that, we're like, oh, okay.
Well, what am I going to do with that? What if you had to use that as you're creating automation? What if you're writing some code in Ansible, you're creating something in Terraform, and you need that to provision something or to create something or configure something? What do you do with it? Well, your first instinct would be like, well, I'll just... hard code... As soon as you say "hard code", that's like a swear word in programming, isn't it? The H word: hard coding. So you don't want to do that.
You need some kind of strategy for your secrets. You need a supply chain for the secrets themselves that keeps them private, and that is a whole other problem. So let's talk a little bit more about that. Let's dive in. Secrets are passwords, so we're still in familiar territory, but what they represent in the real world is database credentials, encryption keys, API keys, SSH tokens. That is not an exhaustive list, right, I'm sure you realize that. And how do they get revealed publicly? Well, we saw those two examples.
You can just forget to add files to your .gitignore, by accident or just simply through ignorance. You can hard code them into a container image. There's lots of ways that container images can give away secrets, not just that one; we could do a whole webinar on that. You can cut development corners by temporarily hard coding your credentials into something. Temporarily! You're going to remove them. It's fine, right! I'm not saying I've done that personally recently, even though I know, when I'm doing a webinar on this, I have made that mistake. It's easy!
Finally, committing infrastructure-as-code templates like Terraform, CloudFormation, many are available, into your GitHub with the credentials inside, and this is very, very easy to do. And you're probably even thinking, how could that even be possible? And you might be asking the question: what is infrastructure as code? Okay, it's possible you're thinking, can you just do a quick definition of that? And I will do that. One slide.
One slide. Infrastructure as code: so you want to provision things at scale. You don't want to do it manually; that is a massive pain. So there's many formats of code for doing this, and there's many types or styles of doing this. So there is procedural, and that's probably very familiar; the example of that would be Ansible. And then there's declarative, and a good example of that would be Terraform or Kubernetes YAML.
What does that look like in an abstract way? Well, think of it in terms of, like, making a cake, right: preheat the oven to 160, mix flour, eggs, butter until fluffy. Imagine these are all commands in a script, and you want them to be repeatable and do the same thing every single time, so you put them into your recipe, or in Ansible's terms, a playbook.
You run it, it will happen, you get the result. A cake is made. Although that is kind of assuming a bit of knowledge, that I am a chef (and Chef, interesting, okay), which I might not be. What I like better, and is becoming very popular, is the Terraform example. As you can see, now I rely on a provider, who is to act as the creative, the chef, and I simply say I need a resource. It's a cake, it's called birthday_surprise. This is my spec.
Icing: fondant; sponge texture; diameter; layers. Boom, make it, and that's all we have to do, and I have a cake. I really like that, because you can even use that to look for drift, to see if the cake changes over time and doesn't match my coded definition. It is declared state instead of procedure. So that is a rough way of defining what infrastructure as code looks like. Now let's go back to how secrets get revealed publicly and talk a little bit about committing the infrastructure as code into GitHub. How does this happen? Does it happen?
Is this real? Was it not real? Nevertheless, people believed it, because it happens that often that it made sense that perhaps this was a possible thing. Let me make it clear, though: I really tried to do it and I could not do it. So I don't know if it's possible, or if they fixed it right away, but it doesn't seem like it's doing it now. But nevertheless.
What do you do if credentials are exposed? What if you accidentally did this? Let's put a little bit of corrective action in here, just so you get an idea. Of course you should disable the keys that you think were in there: revoke them immediately, rotate them, look for compromised services, like what happened to the individual who checked in their WordPress credentials and suddenly they had 600 servers running. Look through your logs for nefarious activities, you'll probably have to add new monitoring, and clean your git history.
That's not easy, and I'll show you a little bit about why that's not easy in a moment. It sometimes can be easier to delete the repository entirely, if it's new, and just create it in your current state, if the history isn't that important to you. And then of course monitor your supply chain, look for breakages, look for anomalies, and understand that you might be part of someone else's supply chain.
So your mistake might be affecting a lot of other people, as is what happened with SolarWinds. So finally, and the important thing, why we're here today: add automation to scan your code for secrets, so it doesn't happen again, and ideally it doesn't happen ever. Some best practices surrounding that: create that secret supply chain first, before you need it in automation.
Think about how you're going to do it. If you're in dev and you just don't have it, you don't have access to it, whatever: always put your secrets into another file. Always put them somewhere else, then reference that file, and add that file to your .gitignore. That's smart. Don't put it into the comments like I did and check it in; that's dumb, because even though afterwards, when you do the code right because it's not hardcoded anymore, you forgot you added it to a comment at one point, and now it's like...
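The wp-config story earlier and the advice just given (keep secrets in a separate file and add that file to .gitignore) turn on the same detail: an ignore line for one file name does not cover the backup copies that editors and tooling create beside it. The block below is an added editorial example, not code from the webinar, from Checkov or from git. It implements only a small subset of gitignore matching (a pattern without a slash matches the basename at any depth, a leading slash anchors it to the repository root) and runs it over a constructed file list; the secret_globs naming heuristic is an assumption for illustration.

```python
"""Why ignoring one file name does not cover its backup copies.

Added editorial example (not from the webinar, Checkov or git). Only a small
subset of gitignore matching is implemented: a pattern without a slash matches
a file's basename at any depth; a leading slash anchors it to the repo root.
Negation, directory-only patterns and '**' are deliberately left out.
"""
from fnmatch import fnmatchcase
from posixpath import basename


def is_ignored(path: str, patterns: list) -> bool:
    """True if any pattern in the (simplified) .gitignore list matches path."""
    for pattern in patterns:
        if pattern.startswith("/"):
            if fnmatchcase(path, pattern[1:]):        # anchored to the repo root
                return True
        elif fnmatchcase(basename(path), pattern):    # basename at any depth
            return True
    return False


# Constructed working tree: the real config, the copies that editors and backup
# tooling leave beside it, WordPress's shipped sample, and an unrelated file.
WORKING_TREE = [
    "wp-config.php",
    "wp-config.php.saved",
    "wp-config.php~",
    "backup/wp-config.php.bak",
    "wp-config-sample.php",
    "wp-content/themes/mine/style.css",
]

# What the story's developer had: only the exact name is ignored.
NAIVE_PATTERNS = ["wp-config.php"]
# Tightened: every variant of the name plus common backup suffixes. The shipped
# wp-config-sample.php stays tracked because it does not match wp-config.php*.
SAFER_PATTERNS = ["wp-config.php*", "*.bak", "*~"]


def leaked_paths(tree, patterns, secret_globs=("wp-config.php*",)):
    """Files that look like they hold secrets but are not ignored, i.e. what
    'git add -A' would stage. secret_globs is an assumed naming heuristic."""
    return [
        p for p in tree
        if any(fnmatchcase(basename(p), g) for g in secret_globs)
        and not is_ignored(p, patterns)
    ]


if __name__ == "__main__":
    print("naive :", leaked_paths(WORKING_TREE, NAIVE_PATTERNS))
    print("safer :", leaked_paths(WORKING_TREE, SAFER_PATTERNS))
```

With the naive list, the three backup copies are still stageable; with the wildcard pattern none are, while the sample file remains tracked. The same check is worth running over any name you put in .gitignore for a secrets file (.env, *.pem, credentials.json): ignore the family of names, not one spelling.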
Oh. If you're in prod, of course use a production-grade secrets manager like CyberArk or HashiCorp. Free ones are available, paid ones are available, and almost every cloud provider has one. So it's becoming easier and easier to do things right. It's more, I think, in dev where things go wrong, or when we're rushing or when we're cutting corners, that the problems can arise, which is why we need to scan any code, be it our application, our infrastructure as code. Anything needs to be scanned before it goes into GitHub, ideally as a pre-commit or on your desktop.
So how do we do that? Well, let me introduce you to Checkov. Checkov is an open source tool for analyzing infrastructure as code. It analyzes all sorts of different types: Terraform, CloudFormation, Helm, Kubernetes YAML, Serverless Framework. There are over 500 different rules that it is looking for, for common misconfigurations. You can see some examples in the image just next to it there. However, we have improved Checkov to add secrets, and that is really quite interesting.
Checkov's new feature for scanning secrets is a combination of some of the things we already had in there. There was some secret scanning already there, combining Prowler, which is looking for AWS misconfigurations like CIS benchmarks, and secrets, with Yelp's detect-secrets. Yep, detect-secrets was written by an individual named Kevin Hock, and actually, full disclosure, we asked him to be on this webinar and he kind of didn't want to do that, and I'm like, all right, no problem.
He speaks through his GitHub account, which you can see right there. By combining those two together, we are able to create three different types of identifiers and ways of finding secrets in infrastructure as code: regular expressions, keywords, and looking for entropy, which is interesting, and we'll talk a little bit more about that in a moment. So regular expressions are fantastic.
If I look at the different types of regular expressions, we can see Artifactory, AWS, JSON, Mailchimp, Slack, very specific ones, right, Stripe, Twilio. Regular expressions allow us to characterize a lot of different credentials, a lot of different secret types, so that not only do we find the secrets, but we can tell you specifics on how to remediate them, which is pretty cool. Now, also, keywords versus entropy.
We even combine all of that so that we're reducing false positives, so we're combining all the different checks together, but then characterizing the check into an individual type when we're done. So we've taken what Kevin Hock has done, we've taken what Prowler's done, we've added our own kind of secret sauce to that to make it really good. All right, you saw that. Let's take a look! Well, let's do it now, all right! Let me just share my screen really quick.
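The three detector types just described (regular expressions for provider-specific token shapes, keywords on credential-looking assignments, and entropy on long base64-looking literals) and the way their hits are merged so one hardcoded key does not produce three alerts can be shown on a small constructed file. The block below is an added editorial example, not Checkov's or detect-secrets' code; the patterns, the 4.5 bits-per-character threshold and the allowlist are assumptions chosen for illustration. The two AWS values are the public documentation example credentials, the same kind of "example key" that gets flagged in the demo that follows.

```python
"""Toy secrets scanner combining regex, keyword and entropy detectors.

Added editorial example, not Checkov's or detect-secrets' implementation.
Patterns, the entropy threshold and the allowlist are assumptions.
"""
import math
import re
from dataclasses import dataclass, field

# Constructed Terraform-like input. The AWS values are the public
# documentation example credentials, not live secrets.
SAMPLE_LINES = [
    'resource "aws_instance" "web" {',
    '  ami         = "ami-0c55b159cbfafe1f0"',
    '  access_key  = "AKIAIOSFODNN7EXAMPLE"',
    '  secret_key  = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"',
    '  db_password = "changeme"',
    '  user_data   = "-----BEGIN RSA PRIVATE KEY-----"',
    '  description = "A long but perfectly ordinary human readable string"',
    '}',
]

# Detector 1: regexes for provider-specific token shapes (precise finding types).
REGEX_DETECTORS = {
    "AWS Access Key": re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])"),
    "Private Key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
}
# Detector 2: a credential-looking name assigned a quoted literal.
KEYWORD_ASSIGNMENT = re.compile(
    r"(?i)\b[a-z_]*(?:password|passwd|secret|token|api_key|access_key)[a-z_]*"
    r"\s*[=:]\s*[\"']([^\"']+)[\"']"
)
# Detector 3: quoted base64-alphabet literals of 20+ chars, judged by entropy.
BASE64_LITERAL = re.compile(r"[\"']([A-Za-z0-9+/=]{20,})[\"']")
BASE64_ENTROPY_LIMIT = 4.5  # assumed threshold, bits per character

# Documentation example values: still reported, but tagged so a reviewer can
# triage them quickly instead of rotating a key that never existed.
KNOWN_EXAMPLE_VALUES = frozenset({
    "AKIAIOSFODNN7EXAMPLE",
    "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
})


def shannon_entropy(s: str) -> float:
    """Shannon entropy of the characters of s, in bits per character."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass
class Finding:
    line_no: int
    kind: str
    value: str
    detectors: list = field(default_factory=list)
    example: bool = False


def scan_line(line_no: int, line: str) -> list:
    """Run all three detectors on one line and merge their hits per value.

    The most specific evidence names the finding: a regex match wins, then
    keyword+entropy together, then keyword alone, then entropy alone.
    """
    hits = []  # (detector, kind, value), regex hits first so they name the finding
    for kind, rx in REGEX_DETECTORS.items():
        hits += [("regex", kind, m.group(0)) for m in rx.finditer(line)]
    kw = KEYWORD_ASSIGNMENT.search(line)
    if kw:
        hits.append(("keyword", "Hardcoded credential", kw.group(1)))
    for m in BASE64_LITERAL.finditer(line):
        if shannon_entropy(m.group(1)) > BASE64_ENTROPY_LIMIT:
            hits.append(("entropy", "Base64 High Entropy String", m.group(1)))

    by_value = {}
    for detector, kind, value in hits:
        if value not in by_value:
            by_value[value] = Finding(line_no, kind, value)
        by_value[value].detectors.append(detector)
    for f in by_value.values():
        if f.detectors == ["keyword", "entropy"]:
            f.kind = "Hardcoded credential (high entropy)"
    return list(by_value.values())


def scan(lines, allowlist=KNOWN_EXAMPLE_VALUES) -> list:
    """Scan a whole file; findings come back in line order."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for f in scan_line(line_no, line):
            f.example = f.value in allowlist
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        tag = " (documentation example value)" if f.example else ""
        print(f"line {f.line_no}: {f.kind} via {'+'.join(f.detectors)}{tag}")
```

On the sample, the access key is named precisely by the regex even though the keyword detector also fires on it; the secret key has no distinctive shape, so it is caught only because the keyword and the entropy detector agree; "changeme" is caught by keyword alone; and the long description string, which a naive entropy-only scanner would not flag anyway because of its spaces, produces nothing. Rotating or revoking is still the right response to any non-example finding, since the scanner only tells you a value is exposed, not whether anyone has used it.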
All right, screen... here we are, awesome. So I am in a Terraform directory here. I have Terraform for a whole bunch of different formats, AWS, Azure; it's all part of a Bridgecrew intentionally vulnerable environment, and I can run Checkov. So let's do that. I ran it earlier; I've still got the command line here. "checkov -d aws" is going to check my aws directory, and usually I'm using --quiet so that I don't get all the things that I successfully did.
I know I don't need a pat on the back just yet; I'm just going to look for the misconfigurations. So it's that simple. I'm going to run that and we're going to see a whole bunch of bright colors go by. There we go, it's looking for everything. I didn't say just look for secrets. I don't have a configuration file, I don't have a baseline, any of the other things that you can do with Checkov. I'm scanning fresh, and we can already see some of the misconfigurations I have in here.
So we just look right there, right at the bottom: "base64 high entropy string". You might be thinking, okay, looks like something bad. Clearly not; base64 example key there. We also could have caught this on "secret key", and probably combined some of what we're doing to make sure that it was... Certainly we caught this one: access key, AWS access key, we're being pretty specific about that one, aren't we. Private key, so we've caught this most likely using a regular expression. Then we go up and we can see a few other ones.
Slack token, basic auth credentials, Twilio API, Stripe access key. That's getting pretty specific, isn't it, that we found in here, and what's kind of even better about this is that we're offering guidance here. So you see "git secrets 17". If I go over here, we can see the kind of information that we've been given.
That's how easy it was for me to find misconfigurations in my code, but also secrets that might be leaked in there, of a variety of different types, and how easy it was for me to find instructions on how to remediate them, very specific to the type of key that we had, which is great. Okay. So what are my key takeaways?
Remember that internal secrets can still create risk. Scan all your code: not just your application but also your infrastructure as code, and not just your infrastructure as code but also your application. Scan locally if you can, using Checkov. It's easy to install on a Mac; it's like "brew install checkov", super simple. Add it to CI. Checkov has a GitHub Action that is as simple as running it on your desktop.
It's a one-liner GitHub Action and you can embed this into your CI, and you can also use it as a pre-commit hook, which I highly recommend. And, of course, finally: revoke and rotate keys often. In fact, when you're choosing services, make sure those services allow you to revoke and rotate keys. That can be an important method you use to decide what services you're going to use in the future, because it's really important.
Okay, that is the end of this webinar. Once again, my name is Steve Giguere. I hope you enjoyed this and you learned a little bit more about Checkov, if you learned a little bit more about secrets, and maybe you learned a little bit more about infrastructure as code. That's the end. Big thanks to the CNCF for hosting this, and if you have any more questions about Checkov, or you'd like to maybe join our community, go check us out at codifiedsecurity.slack.com (all one word).