Introducing Cremit's new detection engine, Ferret!

Apr 9, 2024

The challenges of managing credentials

Credentials include API keys, database connection details, server access rights, passwords, and sensitive personal data such as email addresses, credit card numbers, and social security numbers. They are essential for reaching the services and resources used during development and in cloud-based work environments, and not only developers but employees in operations, security, data analytics, and other areas depend on them to do their daily work.

Secret leak incidents in 2023

The number of security incidents caused by poor credential management is growing. In 2023, Okta, a leading identity and access management provider, suffered a breach in which attackers gained access to its customer support case management system and obtained HAR files that customers had uploaded for troubleshooting; those files still contained valid session tokens, which were then used against Okta's customers. Microsoft, Uber, and Cloudflare also suffered credential-related breaches in 2022 and 2023, and the stakes keep rising.

Business processes are changing dramatically, especially with the evolution of the cloud. As the workplace moves to the cloud, employees are able to work from anywhere, anytime, and are more collaborative and decentralized. While the cloud has made work processes faster and more flexible, it has also created new security challenges: employees have to deal with multiple credentials to access different services and resources, and it's not easy to manage and share them securely.

As a result, employees often store and share credentials in broadly accessible, easy-to-share places for convenience. Keeping credentials in source code repositories, messengers, cloud documents, cloud storage, email, and the like may make work faster, but it carries serious security risk: credentials left in such shared locations are easy targets for attackers and can be exposed through insider mistakes or malicious behaviour.

Introduction and limitations of existing credential detection products

As the importance of credential detection has grown, a number of products have emerged to address this challenge, most notably TruffleHog and GitGuardian.


TruffleHog

TruffleHog is an open-source tool that scans source code repositories and collaboration tools such as Slack and Jira to identify exposed credentials. One of its strengths is that it does not just detect credentials: for over 800 credential types it also verifies whether a match is actually still valid. This lets security staff judge the risk of a leaked credential and act on it.

However, TruffleHog has its limitations. The biggest is the range of credentials it can detect. Because detection is driven by regular-expression patterns defined in code, it cannot recognise new credential types that have no pattern yet, nor unstructured secrets such as plain passwords or personal data. Custom regex detectors can be added through its configuration file, but each one still needs a hand-written pattern.

Another issue is that a single TruffleHog run scans a single source. Credentials that are split across sources, for example an AWS access key ID committed to GitHub and the matching secret access key pasted into Slack, cannot be combined and validated as a pair. For organizations that spread their work across many cloud products, this makes it hard to catch every credential leak with TruffleHog alone.

Truffle Security also sells an enterprise product built on the open-source TruffleHog, but its source is not public, which makes it harder to evaluate.
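The two points above in working code, added here as an example rather than code from TruffleHog, Ferret or Cremit: a keyword-gated regex detector run over two constructed sources, and cross-source pairing of an AWS access key ID found in a repository with a secret access key found in a chat message, so that the pair can be verified as a unit. The detector names, source labels and snippets are invented; the key values are the placeholder credentials from AWS's own documentation, not live secrets.

```python
import re
from dataclasses import dataclass
from itertools import product

# Constructed inputs. The key values are the placeholder credentials AWS uses
# in its documentation, not live secrets.
GITHUB_SNIPPET = '''# config.py committed to github:acme/app (constructed)
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_REGION = "us-east-1"
'''
SLACK_MESSAGE = ("@dave here is the secret_access_key: "
                 "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY, rotate it after the demo")

# Each detector carries cheap literal keywords that gate the regex: the regex
# only runs on text containing one of them, which keeps large scans fast.
DETECTORS = {
    "aws_access_key_id": {
        "keywords": ("AKIA", "ASIA"),
        "regex": re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b"),
    },
    "aws_secret_access_key": {
        "keywords": ("aws_secret", "AWS_SECRET", "secret_access_key", "SecretAccessKey"),
        "regex": re.compile(
            r"(?i)(?:aws_secret|secret_access_key|secretaccesskey)"
            r"[^A-Za-z0-9/+]{0,8}([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"),
    },
}


@dataclass(frozen=True)
class Finding:
    source: str     # where the match was seen, e.g. "github:acme/app"
    detector: str   # detector name from DETECTORS
    value: str      # the captured secret material


def scan(source: str, text: str) -> list[Finding]:
    """Run every detector over one source's text and return its findings."""
    findings = []
    for name, det in DETECTORS.items():
        if not any(k in text for k in det["keywords"]):
            continue  # keyword prefilter: skip the regex entirely
        for m in det["regex"].finditer(text):
            findings.append(Finding(source, name, m.group(1)))
    return findings


def pair_aws_candidates(findings: list[Finding]) -> list[tuple[Finding, Finding]]:
    """Combine access key IDs and secret keys from all sources into
    (id, secret) candidates. A verifier would try each pair against
    sts:GetCallerIdentity and keep only the ones AWS accepts."""
    ids = [f for f in findings if f.detector == "aws_access_key_id"]
    secrets = [f for f in findings if f.detector == "aws_secret_access_key"]
    return list(product(ids, secrets))


if __name__ == "__main__":
    github = scan("github:acme/app", GITHUB_SNIPPET)
    slack = scan("slack:#ops", SLACK_MESSAGE)
    # Scanned separately, each source yields only one half and nothing to verify.
    print("single-source pairs:", pair_aws_candidates(github), pair_aws_candidates(slack))
    for key_id, secret in pair_aws_candidates(github + slack):
        print(f"candidate: {key_id.value} ({key_id.source}) + "
              f"{secret.value[:4]}... ({secret.source})")
```

Scanned one source at a time, each run produces only half of the credential and there is nothing to validate; once findings from both sources are pooled, `pair_aws_candidates` yields the (ID, secret) combination that a verifier would test. The keyword prefilter is why this style of scanner scales: the regex is only applied to text that contains one of the detector's literal markers.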


GitGuardian

GitGuardian is a SaaS-based credential detection and monitoring service. Like TruffleHog, GitGuardian can scan a variety of cloud products to identify credentials. It also provides real-time alerts for exposed credentials and includes a reporting feature that allows you to categorize credentials based on their threat level.

However, GitGuardian has limitations too. First, it is limited in extensibility. Unlike an open-source tool such as TruffleHog, GitGuardian does not let users modify the code or add features themselves, and it supports only up to five custom detectors, which makes it hard to apply organization-specific detection rules at scale.

Next, GitGuardian has limitations when it comes to detecting personally identifiable information (PII). Most credential detection tools, GitGuardian and TruffleHog included, rely on heuristics or regular expressions. That works well for structured secrets such as API keys and tokens, whose formats are fixed, but it handles PII such as email addresses, phone numbers, and social security numbers poorly, because those formats overlap with ordinary data. A simple pattern for a passport number, for instance, will also match a slice of a Git commit hash, since a 40-character hex string contains many runs of the right length and character set. Pattern matching of this kind produces false positives, and the problem is shared by every regex-based detection tool.
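An added example (not GitGuardian's, TruffleHog's or Ferret's code) of the commit-hash problem just described: a bare nine-character alphanumeric pattern standing in for a passport-number format, run over constructed log lines, beside a version that matches whole tokens only and requires a nearby keyword. The identifier format, the sample lines and the keyword are assumptions made for illustration.

```python
import re

# Constructed sample lines: a git log line, a branch name, a real customer
# record, and a build identifier. Only the third should be reported.
SAMPLE_LINES = [
    "commit 9fceb02d0ae598e95dc970b74767f19372d61af8",
    "Merge pull request #42 from acme/feature-1A2B3C4D5",
    "passport_number: C12345678   # customer record, should be flagged",
    "Build id A1B2C3D4E deployed to staging",
]

# Assumed: a nine-character alphanumeric format of the kind several countries
# use for passport numbers, matched the naive way (anywhere, any case).
NAIVE = re.compile(r"(?i)[A-Z0-9]{9}")

# Same format, but only as a whole token, so it cannot fire on a slice of a
# 40-character commit hash, and only when a keyword sits in the window around it.
TOKEN = re.compile(r"(?i)(?<![A-Z0-9])([A-Z0-9]{9})(?![A-Z0-9])")
CONTEXT = re.compile(r"(?i)passport")


def naive_hits(lines: list[str]) -> list[tuple[int, str]]:
    """(line index, match) for every bare pattern hit, overlaps excluded."""
    return [(i, m) for i, line in enumerate(lines) for m in NAIVE.findall(line)]


def hardened_hits(lines: list[str], window: int = 40) -> list[tuple[int, str]]:
    """(line index, token) only for whole tokens with a keyword within `window`
    characters on either side."""
    hits = []
    for i, line in enumerate(lines):
        for m in TOKEN.finditer(line):
            around = line[max(0, m.start() - window): m.end() + window]
            if CONTEXT.search(around):
                hits.append((i, m.group(1)))
    return hits


if __name__ == "__main__":
    # The hash alone yields four naive hits; the hardened check reports only
    # the passport line.
    print("naive:", naive_hits(SAMPLE_LINES))
    print("hardened:", hardened_hits(SAMPLE_LINES))
```

The whole-token check removes the commit-hash hits, and the keyword window removes the build ID and branch name, which have the right shape but no supporting context. Both checks are cheap, but neither knows what a passport number is; that is the gap that an NER-style model is meant to fill.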

Introducing Ferret

Ferret takes its name from the verb "to ferret out", to search something out, and that is what it does: it scours the cloud for exposed credentials. Ferret was built to close the gaps left by existing credential detection products. Its features include:

  1. Support for multiple collaboration tools: Ferret can scan source code repositories as well as various collaboration tools like Jira, Confluence, and Notion. This ensures comprehensive detection of credential exposure risks that may occur in the course of day-to-day work, not just during development.

  2. Broad credential detection and validation: Ferret detects close to 800 types of credentials and automatically checks whether each one it finds is still valid. Dead and bogus matches are filtered out, so security teams can focus on live threats.

  3. Multi-source scanning: Ferret can scan and validate not just a single source, but multiple sources simultaneously. This makes detecting and validating credentials an efficient task for even the largest organizations.

  4. AI-powered sensitive data detection: In addition to detecting credentials, Ferret can leverage AI models to detect sensitive data such as PII. In particular, Ferret achieves high detection accuracy by selectively applying models optimized for natural language analysis and models optimized for code analysis.

  5. Dashboard and alerting support: Ferret provides an intuitive web dashboard to keep track of credential detection status, and real-time notifications via Slack and other messengers for quick response.

Together these features, in particular the credential validation, the AI-powered sensitive data detection, and the multi-source scanning, address the limitations of traditional credential detection tools.

In addition, Ferret demonstrates significant performance advantages compared to other products. Speed is crucial for rapid response to credential exposure threats. Written in Rust, Ferret uses efficient string search algorithms and optimizations to detect credentials quickly, even in large volumes of data.


Ferret showed significant scan-speed improvements over TruffleHog across a range of codebases, including Linux, Chromium, and Spring Boot. On average we measured roughly a 2x speed-up in scanning, and on a large project like Chromium about 8.8x. Faster scans mean faster reaction to credential exposure and a more efficient detection programme in large organizations.

Future plans

Ferret will continue to evolve to deliver more value to our customers. Some of our plans for Ferret:

  • Expanded support for collaboration tools and detection types: Ferret already supports a wide range of collaboration tools, and we plan to add more cloud collaboration tools so that customers can fit Ferret to their own work environments. We also plan to detect credentials in non-text data such as images, not only in text.

  • Custom detection and validation rules: We will provide the ability to add credential detection and validation rules for specialized requirements, such as detecting and validating usernames and passwords used only internally. This gives Ferret the scalability and flexibility to improve security in environments with their own credential formats.

  • Credential metadata collection and management: We will provide the ability to utilize the metadata of discovered credentials to identify the scope of exposure and threat level. This will make credential management easier for security personnel and greatly improve their work efficiency.

  • AI model diversification and performance improvements: We will further diversify Ferret's AI models and improve their learning performance to enable more accurate and diverse detection of sensitive data.

  • Automatic credential action capabilities: We plan to develop capabilities to automatically change or deactivate exposed credentials, which will enable a quick and effective response in the event of a credential breach.

  • Credential archiving and usage: We plan to provide the ability to securely store and conveniently use credentials detected by Ferret, so that the entire credential lifecycle can be handled within Cremit.


Meet the Cremit team

Cremit currently offers SaaS and on-premise (enterprise) deployments, suited to startups, small businesses, enterprises, finance, and more. It provides 800+ secret validations, NER-based PII detection, and other capabilities, and integrates with source code repositories, collaboration tools, and documents.