NCC Group has released two new open source tools, one for locating hardcoded credentials in source repositories and one for distributing workloads across cloud infrastructure.
Developers can use the first, Code Credential Scanner (ccs), to scan the configuration files in a repository for credentials that may have been committed there and remove them before they are disclosed. Because it operates on the local filesystem, the tool can be run at any time against local files; it can also be integrated into development workflows to carry out automated, scheduled scans.
“The tool is intended to be used directly by dev teams in a CI/CD pipeline, to manage the remediation process for this issue by alerting the team when credentials are present in the code, so that the team can immediately fix issues as they arise,” NCC Group elaborates.
The Python script can find usernames, email addresses and other identifiers in addition to passwords and keys. It has no external dependencies and accepts command-line parameters that select what to search for; run without them, it searches only for known passwords.
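To make concrete what a scanner of this kind does, here is an added illustrative example written for this page; it is not NCC Group's tool or its rule set. The script walks a directory tree, matches each line against a set of assumed credential patterns (passwords by default; usernames, email addresses, AWS-style access keys and private-key headers when requested on the command line), suppresses common placeholder values to reduce false positives, and exits non-zero when anything is found so a CI job fails. The sample repository contents, the pattern set, the placeholder list and the `# nosecret` suppression marker are all constructed for the example.

```python
"""Minimal hardcoded-credential scanner (illustrative example, not NCC Group's ccs)."""
import os
import re
import sys
import tempfile
from dataclasses import dataclass

# Detector patterns keyed by credential kind. Assumed for this example; a real
# scanner ships a much larger, tuned rule set.
PATTERNS = {
    "password": re.compile(r"""(?i)(?:password|passwd|pwd)\s*[:=]\s*['"]?([^\s'"]+)"""),
    "username": re.compile(r"""(?i)(?:username|user)\s*[:=]\s*['"]?([^\s'"]+)"""),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "aws_access_key": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
DEFAULT_KINDS = ("password",)  # with no parameters, look for passwords only

# Placeholder values that are not real secrets; skipping them cuts false positives.
PLACEHOLDERS = {"changeme", "<password>", "xxx", "example", "none"}
SKIP_DIRS = {".git", "node_modules", "venv"}


@dataclass
class Finding:
    path: str
    line: int
    kind: str
    value: str


def scan_text(text, path, kinds=DEFAULT_KINDS):
    """Return findings for every line that matches a requested pattern."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if "nosecret" in line:  # assumed inline suppression marker
            continue
        for kind in kinds:
            m = PATTERNS[kind].search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            # Templated values such as ${DB_PASS} are references, not secrets.
            if value.lower() in PLACEHOLDERS or value.startswith("${"):
                continue
            findings.append(Finding(path, lineno, kind, value))
    return findings


def scan_tree(root, kinds=DEFAULT_KINDS):
    """Walk a directory tree and scan every regular file in it."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                with open(full, encoding="utf-8", errors="ignore") as fh:
                    findings.extend(scan_text(fh.read(), rel, kinds))
            except OSError:
                continue
    return findings


# Constructed sample repository contents (the AWS key is the documented example key).
SAMPLE_FILES = {
    "config/app.yml": 'db_host: db.internal\ndb_user: svc_app\npassword: "Tr0ub4dor&3"\n',
    "config/app.example.yml": "password: changeme\n",
    "deploy/env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nCONTACT=ops@example.com\n",
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIB...\n",
}


def make_sample_repo():
    """Write the constructed sample files into a temporary directory."""
    root = tempfile.mkdtemp(prefix="ccs-demo-")
    for rel, content in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def main(argv):
    """Usage: scanner.py [kind ...]; returns 1 (CI failure) if anything is found."""
    kinds = tuple(argv) or DEFAULT_KINDS
    findings = scan_tree(make_sample_repo(), kinds)
    for f in findings:
        print(f"{f.path}:{f.line}: {f.kind}: {f.value}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run with no arguments it reports only the real password in `config/app.yml` and ignores the `changeme` placeholder in the example file; `python scanner.py password username email aws_access_key private_key` reports all five planted items. The non-zero exit status is what lets a pipeline step block the merge.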
The Code Credential Scanner offers several remediation approaches, can be tuned to any codebase to reduce false positives, and is designed to be language-independent.

Alongside the scanner, NCC Group also unveiled CowCloud, an open source platform that helps pentesters and other technical teams distribute workloads across AWS.
CowCloud can be used to create and view tasks assigned to Python programs running on worker nodes, as well as to install and run third-party tools. It was originally designed to run reconnaissance tools and vulnerability checks in a distributed manner; according to NCC Group, it can also be used for centralised tool access and management, distributed password cracking in AWS, and baseline security testing.