It is a very common mistake for developers to keep secrets in configuration files; these can include user credentials, private keys, API keys and similar material.
Those files are usually the first place where adversaries search for such information.
ID: T0189
Type: Technique
Tactic: Credential Access
Summary: Secrets in configuration files
State: Draft
Mitigations

ID: M1120
Type: Mitigation
Summary: Store credentials in vault
Description: Sensitive data like credentials and API tokens should not be stored directly in code. Modern applications talk to many third-party APIs, SaaS solutions and other dependencies. This integration usually requires an API token, a username and password credential or another similar variable. Sometimes these sensitive credentials include database host strings or hostnames. None of these credentials should be stored directly in code. Software engineers often don't understand the consequences of embedding these credentials in code. This is especially true for JavaScript applications that run client side, as these credentials are visible to anyone who inspects the JavaScript files loaded in the browser.

ID: M1890
Type: Mitigation
Summary: Encrypt secrets
Description: Sensitive information stored in configuration files should be encrypted to protect it from unauthorized access.
Detections

ID: D1120
Type: Detection
Summary: Implement source code scanning for credentials and tokens
Description: Set up monitoring of reported issues based on regular credentials scanning results. Scan web applications for embedded secrets and credentials. It is particularly important after deployment to a web endpoint that you scan the newly deployed app for secrets, credentials and other sensitive data.
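The following is an added example, not tooling from this catalog, showing the two checks a credential scanner of the kind D1120 describes typically runs over source and configuration files: matching known token formats, and flagging assignments to secret-looking names whose values look random (high Shannon entropy) rather than like a reference to an external store such as a vault. The sample files, the entropy threshold of 3.0 bits per character and the placeholder list are assumptions made for this example; the AKIA and ghp_ prefixes are real AWS and GitHub token formats, and the AWS key value used below is the publicly documented AWS example key.

```python
"""Heuristic secret scanner over source and configuration text (added example)."""
import math
import re
from typing import Dict, List

# Known token formats. AKIA (AWS access key ID) and ghp_ (GitHub PAT) are real
# documented prefixes; the other two patterns are generic.
TOKEN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    # scheme://user:password@host ... (connection strings with an embedded password)
    "url_with_password": re.compile(r"\b[a-z][a-z0-9+.-]*://[^:/\s@]+:[^@/\s]+@\S+", re.I),
}

# "name = value" / "name: value" pairs; only names that suggest a secret are examined.
ASSIGNMENT = re.compile(
    r"(?P<name>[A-Za-z_][A-Za-z0-9_.-]*)\s*[:=]\s*['\"]?(?P<value>[^'\"\s#]{8,})"
)
SECRET_NAME = re.compile(
    r"(pass(word|wd)?|secret|token|api[_-]?key|access[_-]?key|private[_-]?key)", re.I
)
PLACEHOLDERS = {"changeme", "password", "example", "placeholder", "redacted"}
ENTROPY_THRESHOLD = 3.0  # bits per character; assumption chosen for this example


def shannon_entropy(value: str) -> float:
    """Bits per character; random tokens score well above dictionary words."""
    if not value:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_placeholder(value: str) -> bool:
    """References to an external secret store (e.g. ${VAR}) or obvious dummies."""
    return value.startswith(("${", "%(", "{{")) or value.lower() in PLACEHOLDERS


def redact(value: str) -> str:
    """Keep a short prefix for triage; never copy the full secret into a report."""
    return value[:4] + "*" * (len(value) - 4) if len(value) > 4 else "*" * len(value)


def scan_text(text: str, source: str) -> List[Dict[str, object]]:
    """One finding per suspected secret in `text`; `source` is a label for the report."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hit_known_format = False
        for kind, pattern in TOKEN_PATTERNS.items():
            for m in pattern.finditer(line):
                hit_known_format = True
                findings.append({"source": source, "line": lineno, "kind": kind,
                                 "match": redact(m.group(0))})
        if hit_known_format:
            continue  # don't report the same line again through the heuristic
        for m in ASSIGNMENT.finditer(line):
            name, value = m.group("name"), m.group("value")
            if not SECRET_NAME.search(name) or is_placeholder(value):
                continue
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append({"source": source, "line": lineno, "kind": "secret_assignment",
                                 "name": name, "match": redact(value)})
    return findings


def scan_files(files: Dict[str, str]) -> List[Dict[str, object]]:
    """Scan a mapping of file name -> contents (e.g. read from a deployed app bundle)."""
    return [f for name, text in files.items() for f in scan_text(text, name)]


# Constructed sample inputs: a YAML config, a client-side JS file and an INI file.
SAMPLE_FILES = {
    "config.yaml": (
        "database:\n  host: db.internal.example\n  username: app\n"
        '  password: "${DB_PASSWORD}"\n'          # vault/env reference: not a finding
        "aws_access_key_id: AKIAIOSFODNN7EXAMPLE\n"  # AWS documentation example key
        'api_key: "x9Qm3tV7pL2rW8kH1zS4"\n'        # constructed high-entropy value
    ),
    "app.js": (
        'const API_BASE = "https://api.example.test/v1";\n'
        "const apiToken = 'ghp_abcdefghijklmnopqrstuvwxyz0123456789';\n"
        'const dbUrl = "postgres://app:hunter2hunter2@db.internal.example:5432/app";\n'
    ),
    "settings.ini": "[mail]\nsmtp_password = changeme\n[signing]\nkey = -----BEGIN RSA PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print(finding)
```

The placeholder check is what keeps the vault-based mitigation (M1120) from generating noise: a value like `${DB_PASSWORD}` that is resolved at runtime from a secret store is exactly what the scanner should accept, while a literal high-entropy string assigned to `api_key` is what it should report. Findings carry a redacted prefix only, so the scanner's own output does not become another place secrets are stored.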