Microsoft is showcasing an automated tool to help engineers tackle security threats when collaborating on software development in GitHub, a platform for discovering, forking, and contributing to projects.
Security issues can crop up when users save their work by committing and pushing a project to the platform.
"To help protect our customers, Microsoft Azure (cloud computing platform) runs Credential Scanner, also known as CredScan, which monitors GitHub and checks for specific Azure tenant secrets such as Azure subscription management certificates and Azure SQL (Structured Query Language) connection strings," Brijesh Desai, principal program manager lead at Microsoft, wrote in a blog post.
Desai wrote that Azure secrets could be authentication credentials such as passwords, private keys, database connection strings, and storage account keys managed by Azure tenants.
"In Azure, we take security very seriously. Azure secrets are considered sensitive and should not be made publicly available. An exposed secret could lead to the compromise of your Azure subscription, your cloud assets, as well as on-premises assets and data, putting your applications or services at significant risk," he wrote.
According to Desai, the Redmond-headquartered company has been "internally developing and leveraging CredScan to protect Azure and its first-party services and applications." He added that Microsoft has plans to add and release support for more types of secrets for its GitHub scanning tool.
Developers don't have to do anything to opt in to the tool: the company checks GitHub on its own for exposed secrets, Desai said.
How it works
The tool first scans for exposed secrets and, when it finds one, notifies the Azure subscription owner via an email from Microsoft's Cyber Defense Operations Center. The email tells users which commits have an issue, along with the affected subscriptions, assets, and secret type, and gives guidance on how to fix the exposure, Desai explained.
He adds that if an Azure subscriber receives a notification, there may be more credentials in the source code, so the user should take a closer look, including a review of past commits and the commit history. The user should rotate and remove all such secrets from the code and store them in a safe location such as Azure Key Vault, he said.
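The workflow described above (scan every commit, not just the latest version, then report which commits carry which secret type without leaking the secret itself) can be illustrated with a small scanner. The following is an added example written for this page; it is not CredScan's code and does not reproduce Microsoft's detection rules. The two signatures (an Azure SQL connection string pointing at `*.database.windows.net` with a `Password=` field, and an `AccountKey=` value of 88 base64 characters ending in `==`) are assumptions about the shape of those secrets, and the commit ids, file paths and key value in `HISTORY` are constructed sample data.

```python
import re
from typing import Dict, List, NamedTuple, Set, Tuple

# Signatures are assumptions for illustration, not CredScan's rules.
# Azure SQL connection strings point at *.database.windows.net and carry Password=;
# Azure Storage account keys are assumed to be 88-character base64 values ending in "==".
SIGNATURES = {
    "AzureSqlConnectionString": re.compile(
        r"Server=tcp:[\w.-]+\.database\.windows\.net[^;]*;[^\n]*?Password=([^;\s]+)",
        re.IGNORECASE,
    ),
    "AzureStorageAccountKey": re.compile(r"AccountKey=([A-Za-z0-9+/]{86}==)"),
}


class Finding(NamedTuple):
    commit: str
    path: str
    line: int
    secret_type: str
    masked: str  # redacted value, so the report does not itself expose the secret


def mask(secret: str) -> str:
    """Keep only the first and last 3 characters; fully star out short values."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:3] + "*" * (len(secret) - 6) + secret[-3:]


def scan_text(commit: str, path: str, text: str) -> List[Finding]:
    """Run every signature over each line of one file from one commit."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for secret_type, pattern in SIGNATURES.items():
            for m in pattern.finditer(line):
                findings.append(Finding(commit, path, lineno, secret_type, mask(m.group(1))))
    return findings


def scan_history(history: List[Tuple[str, Dict[str, str]]]) -> List[Finding]:
    """history: (commit_id, {path: content}) snapshots, oldest first.

    Scanning every snapshot rather than only HEAD is what catches a secret that was
    committed and later deleted from the working tree but still lives in git history.
    """
    findings: List[Finding] = []
    for commit, files in history:
        for path, content in files.items():
            findings.extend(scan_text(commit, path, content))
    return findings


def affected_commits(findings: List[Finding]) -> Dict[str, Set[str]]:
    """Group secret types by commit, the shape of the notification the article describes."""
    out: Dict[str, Set[str]] = {}
    for f in findings:
        out.setdefault(f.commit, set()).add(f.secret_type)
    return out


# Constructed sample history: commit ids, paths and the key below are made up.
FAKE_KEY = "A" * 43 + "b" * 43 + "=="  # constructed 88-char value, not a real key
HISTORY = [
    ("c0ffee1", {
        "config/app.json": '{"db": "Server=tcp:contoso.database.windows.net,1433;'
                           'Database=app;User ID=sa;Password=Hunter2!;"}\n',
    }),
    # The SQL secret is removed here, but a storage key is introduced in a script.
    ("c0ffee2", {
        "config/app.json": '{"db": "set-by-keyvault"}\n',
        "scripts/upload.sh": 'CONN="DefaultEndpointsProtocol=https;AccountName=stacct;'
                             'AccountKey=' + FAKE_KEY + ';"\n',
    }),
    # HEAD is clean, yet both earlier commits still need rotation and cleanup.
    ("c0ffee3", {
        "config/app.json": '{"db": "set-by-keyvault"}\n',
        "scripts/upload.sh": 'CONN="$AZURE_STORAGE_CONNECTION_STRING"\n',
    }),
]

if __name__ == "__main__":
    for commit, types in affected_commits(scan_history(HISTORY)).items():
        print(commit, sorted(types))
```

Running the block reports `c0ffee1` and `c0ffee2` even though the latest snapshot contains no secret, which is the point of the article's advice to review commit history and rotate the credentials rather than just delete them from the current code.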