Improving software supply chain security for customers is of critical importance to the development teams at HCL AppScan. The recent addition of Secrets Scanning with the HCL AppScan SAST engine (Static Application Security Testing) is an important advancement in helping customers identify secrets and keep their supply chain safe.
The secret about secrets
Secrets refer to any type of confidential personal or organizational information not intended for public exposure, such as passwords, social security numbers, API keys, cryptographic keys, access tokens and various types of credentials used for authentication and authorization.
Secrets are often stored within different digital assets like code repositories, configuration files and data stores to facilitate various aspects of development. However, if developers accidentally leave these secrets in the code base, they become an opportunity for attackers to exploit and gain access to the software.
In addition to protecting secrets from external threats, it’s also important to maintain the confidentiality of secrets within an organization through various means, such as by limiting access to sensitive information on a need-to-know basis and implementing appropriate security measures to prevent data breaches or leaks.
Don’t let your secrets get out
By implementing regular and consistent secrets scanning, you can proactively identify and remediate potential security threats before they can be exploited. Secrets scanning involves scanning code repositories and other data sources for this sensitive information and can help your organization in multiple ways:
- Prevent data breaches: Secrets scanning can help organizations prevent data breaches by identifying and remediating potential security threats before they can be exploited.
- Improve compliance: Many industries and regulatory frameworks have strict requirements for protecting sensitive information. By implementing secrets scanning, organizations can improve their compliance with these requirements.
- Protect reputations: Data breaches and other security incidents can cause significant reputational damage to organizations. Organizations can leverage secrets scanning for better overall protection of sensitive information.
- Reduce costs: Data breaches and other security incidents can result in significant costs, such as legal fees, remediation costs and lost business. Secrets scanning helps organizations reduce the risk of these incidents and the associated costs.
HCL AppScan helps you keep your secrets
HCL AppScan is a leader in end-to-end application security testing throughout the software development lifecycle, with multiple integrated tools operating from a single platform. Secrets scanning is a new capability that leverages HCL AppScan’s powerful SAST engine to identify secrets in the source code. Secrets scanning can be deployed in a variety of ways, depending on the use case, and gives developers, DevOps, and security teams flexibility based on where they are in the software development lifecycle. Secrets scanning can be run independently or in conjunction with a SAST scan. Results are shown with all SAST findings and can be filtered by finding type.
Once secrets are detected, the results are automatically integrated into HCL AppScan on Cloud where a full array of reporting and dashboarding capabilities are available. You can view results in fix groups (screenshots below) and drill down further for additional details and fix recommendations.
HCL AppScan now offers Secrets scanning for various platforms, including but not limited to AWS (Amazon Web Services), Atlassian, Azure, GitHub, Google Cloud, Jenkins, OpenAI and Stripe. In addition to platform-specific secrets like API keys and access tokens, we also scan for general sensitive information such as hardcoded passwords, credit card numbers, and US Social Security Numbers.
Platform support is continually evaluated and updated to meet emerging security needs. A current list of supported platforms can be found in our product documentation.
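To make concrete what a secrets scanner like the one described above does, here is an added example in Python (not HCL AppScan’s code or rule set): it runs a few constructed detection rules (an AWS access key ID shape, a hardcoded password assignment, a US Social Security Number, and a Luhn-validated card number) over constructed sample source lines, and masks each value in the report so the findings themselves do not leak the secret. The rule names, patterns and sample values are all assumptions made for illustration.

```python
import re

# Detector rules (constructed for this example; a product rule set is far larger
# and vendor-specific). Group 1 captures the secret where the match also includes syntax.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "hardcoded_password": re.compile(
        r"(?i)(?:password|passwd|pwd)\s*[:=]\s*['\"]([^'\"]{4,})['\"]"),
    "us_ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "credit_card": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out numbers that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(value: str) -> str:
    """Keep a short prefix so the finding is recognisable, redact the rest."""
    return value[:4] + "*" * (len(value) - 4) if len(value) > 4 else "****"

def scan_source(text: str) -> list[tuple[int, str, str]]:
    """Return (line number, rule name, masked value) for each finding."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pat in PATTERNS.items():
            for m in pat.finditer(line):
                value = m.group(m.lastindex or 0)
                if name == "credit_card":
                    digits = re.sub(r"[ -]", "", value)
                    if not luhn_ok(digits):
                        continue            # order ids etc. fail the checksum
                findings.append((lineno, name, mask(value)))
    return findings

# Constructed sample source file; none of these values are real credentials.
SAMPLE = """\
# config.py (constructed sample)
aws_access_key_id = "AKIAEXAMPLE000000001"
DB_PASSWORD = "hunter2secret"
order_id = 4111111111111112
test_card = "4111 1111 1111 1111"
ssn = "123-45-6789"
"""
```

Running `scan_source(SAMPLE)` reports lines 2, 3, 5 and 6; the 16-digit order id on line 4 is dropped because it fails the Luhn check.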
Your secrets are safe with us
Secrets scanning is available at no extra charge with the SAST capabilities available in HCL AppScan on Cloud (SaaS), HCL AppScan 360° (cloud-native application security) and HCL AppScan Source (on-prem). For teams that use multiple tools, including HCL AppScan, to monitor their code, this capability is also valuable as a secondary check to ensure nothing is missed.
Contact us today to get started with a free trial of HCL AppScan.