Amazon updates CodeGuru to detect and secure secrets in code – SiliconANGLE News

UPDATED 13:00 EST / NOVEMBER 29 2021
by Kyt Dotson
Amazon is updating its automated code review and profiler platform, CodeGuru, to detect confidential secrets in source code with a feature called Secrets Detector.
CodeGuru operates by scanning source code for defects and bugs using machine learning and suggests improvements to help developers overcome potential exploits and vulnerabilities to keep up with security best practices.
One particular best practice is to avoid hard-coding anything into the source that could reveal secret information about the system, such as passwords, application programming interface keys, encryption keys and other credentials. These items are often added to code out of convenience, without regard for the danger of them being committed to a code repository.
Code repository commits mean these secrets are available to everyone on the team, which is not ideal for any sort of secret. It increases the chances that those secrets could be revealed to outside parties, or cause them to be leaked to the public. This can also become a problem if the code was intended to be published to an open-source repository in the public domain where the code is visible to everyone.
For example, ride-hailing company Uber disclosed a major breach in 2017 that exposed the personal information of 57 million drivers. The breach occurred because an employee had committed Amazon Web Services credentials to a GitHub repository. Once an attacker had broken into the repository and obtained those credentials, the attacker gained access to the entire treasure trove of that data just from that one password in the code.
With the Secrets Detector feature, CodeGuru uses machine learning to detect secrets during the code review process, before the code gets merged or deployed. That way developers can be warned there might be a hardcoded password. Once one is detected, CodeGuru suggests steps for securing the secret, such as using AWS Secrets Manager, a service for automatically storing, rotating, managing and retrieving credentials and other secrets.
The detector can scan source code, configuration files and documentation for potential secrets including passwords, API keys, SSH keys and access tokens. CodeGuru’s new functionality is available at no additional cost and supports multiple integrations, including AWS, Atlassian, Datadog, Databricks, GitHub, Hubspot, Mailchimp, Salesforce, SendGrid, Shopify, Slack, Stripe and many more.
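To make the idea concrete, here is an added example (not CodeGuru's code, which the article describes as machine-learning based) of a minimal rule-based scanner for the secret types listed above. The regexes, the `scan` function and the sample lines are constructed for illustration; the access key shown is the placeholder from AWS documentation, and the last sample line shows the Secrets Manager lookup that replaces a hard-coded password.

```python
import re

# Simplified rules written for this example; a production scanner has many more.
RULES = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "private-key-block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # A credential-like name assigned a quoted literal of 8+ characters.
    "hardcoded-credential": re.compile(
        r"(?i)(?:password|passwd|pwd|api_?key|token)\w*\s*[:=]\s*"
        r"[\"']([^\"']{8,})[\"']"),
}

# Values that are references to a secret store or template, not secrets.
PLACEHOLDER = re.compile(r"^(?:\$\{.*\}|<.*>|\{\{.*\}\})$")


def scan(text):
    """Return (line_number, rule, redacted_value) for each suspected secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in RULES.items():
            match = pattern.search(line)
            if not match:
                continue
            # Use the captured literal if the rule has one, else the whole match.
            value = match.group(match.lastindex or 0)
            if PLACEHOLDER.match(value):
                continue  # e.g. "${STRIPE_API_KEY}" is resolved at deploy time
            # Never echo the full secret into scanner output or CI logs.
            findings.append((lineno, rule, value[:4] + "***"))
    return findings


# Constructed sample mixing source and config lines.
SAMPLE = "\n".join([
    'import boto3',
    'AWS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',       # AWS documentation placeholder
    'db_password = "S3cure-Pa55w0rd!"',          # hard-coded: flagged
    'api_key: "${STRIPE_API_KEY}"',              # template reference: ignored
    # Remediated form: fetched from AWS Secrets Manager at runtime, not flagged.
    'db_password = boto3.client("secretsmanager")'
    '.get_secret_value(SecretId="prod/db")["SecretString"]',
])

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Any secret such a scan finds in a repository should be rotated, since removing the line does not remove it from commit history.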
The detection of secrets in code has become increasingly important as more companies look for ways to prevent massive-scale breaches such as the one that happened to Uber. According to IBM Security’s Cost of Data Breach report from 2020, data breaches can cost companies an average of $3.9 million.
That has led to a rise in platforms providing management for infrastructure secrets. Examples include cybersecurity provider 1Password, which introduced its own Secrets Automation service in April to assist in the management of keys, tokens and other credentials. Doppler Inc. raised $6.5 million in March for its own secrets management platform, which uses a cloud-based interface.