Secrets, like API keys, credentials, and security certificates, are the crown jewels of an organization: they provide access to its most sensitive systems and data. But secrets pose a conundrum: they need to be tightly controlled and secured, yet they also need to be widely distributed to team members, applications and infrastructure. The result is secret sprawl: secrets saved locally, shared through messaging systems or internal wikis, or hard-coded into source code.
These secrets can be buried deep in systems such as the command-line history of your most widely accessed server, application logs or the git history, making them very difficult to detect.
In the rush of constant building and debugging, it is easy to overlook crucial details that can cause failure at any stage of the software development life cycle. In other words, to err is developer. And we totally get it. So we've built Attack-on-Web (AOW), a tool that looks for exposed API keys inside your repository.
What it does
Attack-On-Web is a CLI application that runs in your local environment or in a CI environment to help you identify 20 kinds of secrets/API keys (more being added soon), as well as other potential security weaknesses or policy breaches.
AOW uses our local APIs to scan your code and identify suspected secrets/API keys. We do not store any of the records you send or any secret keys we detect.
How we built it
We used Node.js to build this and published it as an npm package and a GitHub Action. We divided the project into mini sprints and structured the entire process through a shared Notion document, collaborated on issues using GitHub Project Boards, and communicated and held pair coding sessions via Discord.
Challenges we ran into
- Neither of us had any prior experience building testing tools.
- The time constraint affected us adversely in the first week of the ideation phase, because we were unsure of the feasibility of the product at that time.
- While creating a universal cross-platform CLI tool, we faced a unique challenge: every OS rendered the .gitignore file's newlines with different characters. After many nights of brainstorming, we fixed this issue via good old regex.
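As an added illustration (not AOW's own code) of the secret scanning described under "What it does" and of the cross-platform newline handling for .gitignore described in the last challenge above: a minimal Node.js scanner. The detector patterns, the simplified glob matcher and the sample repository are all assumptions constructed for this example, not taken from the project.

```javascript
// Illustrative detectors: AWS and GitHub token formats are publicly documented;
// the generic heuristic is constructed here and is not AOW's own provider list.
const DETECTORS = [
  { name: 'AWS Access Key ID', re: /\bAKIA[0-9A-Z]{16}\b/g },
  { name: 'GitHub personal access token', re: /\bghp_[A-Za-z0-9]{36}\b/g },
  { name: 'Generic secret assignment',
    re: /(?:api[_-]?key|secret|password)\s*[:=]\s*["']([^"']{8,})["']/gi },
];
// Split on LF, CRLF or bare CR so .gitignore and source files parse the same
// way on every OS (the newline problem described above).
function splitLines(text) { return text.split(/\r\n|\r|\n/); }
// Simplified .gitignore parser: drop blank lines, comments and trailing spaces.
function parseGitignore(text) {
  return splitLines(text).map((l) => l.replace(/\s+$/, '')).filter((l) => l && !l.startsWith('#'));
}
// Minimal glob matcher: "*" within one segment; a pattern matches the whole
// path or any single segment (enough for "node_modules/" and "*.log").
function isIgnored(path, patterns) {
  return patterns.some((p) => {
    const parts = p.replace(/\/$/, '').split('*').map((s) => s.replace(/[.+?^${}()|[\]\\]/g, '\\$&'));
    const re = new RegExp('^' + parts.join('[^/]*') + '$');
    return re.test(path) || path.split('/').some((seg) => re.test(seg));
  });
}
// Redact so the report itself never reproduces a full secret.
function redact(s) { return s.slice(0, 4) + '*'.repeat(Math.max(0, s.length - 8)) + s.slice(-4); }
// Scan {path: contents}; returns [{path, line, type, value}] with redacted values.
function scanFiles(files, gitignoreText = '') {
  const ignore = parseGitignore(gitignoreText);
  const findings = [];
  for (const [path, content] of Object.entries(files)) {
    if (isIgnored(path, ignore)) continue;
    splitLines(content).forEach((line, i) => {
      for (const { name, re } of DETECTORS) {
        for (const m of line.matchAll(re)) {
          findings.push({ path, line: i + 1, type: name, value: redact(m[1] || m[0]) });
        }
      }
    });
  }
  return findings;
}
// Constructed sample repo; the AWS value is AWS's own documentation placeholder.
const SAMPLE_GITIGNORE = '# deps\r\nnode_modules/\r\n\r\n*.log\n';
const SAMPLE_REPO = {
  'src/config.js': 'const aws = "AKIAIOSFODNN7EXAMPLE";\r\nconst apiKey = "constructed-sample-api-key-0001";\r\n',
  'node_modules/pkg/index.js': 'token = "ghp_' + 'A'.repeat(36) + '"\n',
};
console.log(scanFiles(SAMPLE_REPO, SAMPLE_GITIGNORE));
```

The ignored node_modules file is skipped entirely, so the dependency token never appears in the report.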
Accomplishments that we're proud of
- Lightweight, easy-to-invoke CLI and GitHub Action.
- Our logo
- Our structured documentation to facilitate users and first time contributors.
- Our daily (well, almost) pair coding sessions, brainstorming and collaboration. We structured and broke down the entire thing into mini projects (we called them mini sprints of our own).
- Sometimes we brag about the fact that we crossed the 100-commit mark on the GitHub repo. (University students by day and debuggers by night.)
What we learned
- Structured documentation and planning save the idea.
- Building and invoking an interactive CLI.
- Building a GitHub Action.
- Publishing an npm module.
What's next for AoW?
- Adding to the providers list.
- Taint Analysis of the code.
- GUI for user interaction.