diff --git a/rspec-tools/rspec_template/single_language/secrets/metadata.json b/rspec-tools/rspec_template/single_language/secrets/metadata.json index 72db56cf40..3d5beb67e8 100644 --- a/rspec-tools/rspec_template/single_language/secrets/metadata.json +++ b/rspec-tools/rspec_template/single_language/secrets/metadata.json @@ -7,7 +7,7 @@ }, "attribute": "TRUSTWORTHY" }, - "status": "ready", + "status": "beta", "remediation": { "func": "Constant\/Issue", "constantCost": "30min" diff --git a/rspec-tools/rspec_template/single_language/secrets/rule.adoc b/rspec-tools/rspec_template/single_language/secrets/rule.adoc index 28f3a64def..4de72c822a 100644 --- a/rspec-tools/rspec_template/single_language/secrets/rule.adoc +++ b/rspec-tools/rspec_template/single_language/secrets/rule.adoc @@ -1,3 +1,11 @@ +:example_env: ENV_VAR_NAME +:example_name: java-property-name +:example_secret: example_secret_value + +// Set value that can be used to refer to the type of secret in, for example: +// "An attacker can use this {secret_type} to ..." +// Commonly used values: access token, api key, application secret, application key or consumer key, service password, OAuth token, deployment password +:secret_type: secret include::../../../shared_content/secrets/description.adoc[] 
@@ -9,31 +17,92 @@ include::../../../shared_content/secrets/rationale.adoc[] // Optional: Give a general description of the secret and what it's used for. -Below are some real-world scenarios that illustrate some impacts of an attacker -exploiting the secret. +include::../../../shared_content/secrets/impact/generic_impact.adoc[] -// Set value that can be used to refer to the type of secret in, for example: -// "An attacker can use this {secret_type} to ..." -:secret_type: secret +// Uncomment the following line, if specifying detailed impacts from below: +// include::../../../shared_content/secrets/impact/specific_impact_intro.adoc[] -// Where possible, use predefined content for common impacts. This content can -// be found in the folder "shared_content/secrets/impact". -// When using predefined content, search for any required variables to be set and include them in this file. -// Not adding them will not trigger warnings. +// Secret may allow hosting arbitrary files +// include::../../../shared_content/secrets/impact/malware_distribution.adoc[] -//include::../../../shared_content/secrets/impact/some_impact.adoc[] +// Secret may allow accessing or compromising sensitive data +// include::../../../shared_content/secrets/impact/data_compromise.adoc[] + +// Secret may allow uploading artifacts to services used elsewhere in the supply chain +// This is specific for code and artifact repositories +// include::../../../shared_content/secrets/impact/supply_chain_attack.adoc[] + +// Secret may be used to trigger workflows +// This is webhook-specific +// include::../../../shared_content/secrets/impact/codeless_vulnerability_chaining.adoc[] + +// OAuth tokens may allow accessing 3rd party services +// include::../../../shared_content/secrets/impact/oauth_token_compromise.adoc[] + +// Mailing service compromise may allow sending spam, which may result in account termination +// include::../../../shared_content/secrets/impact/suspicious_activities_termination.adoc[] + +// 
Sensitive information leak / identity impersonation, e.g., through leaked signing secret +// include::../../../shared_content/secrets/impact/security_downgrade.adoc[] + +// Audit trail discrepancies +// include::../../../shared_content/secrets/impact/non_repudiation.adoc[] + +// Package repository secrets may allow access to source code etc. +// include::../../../shared_content/secrets/impact/source_code_compromise.adoc[] + +// Spamming automated calls may cause large bills and rate limited service access +// include::../../../shared_content/secrets/impact/exceed_rate_limits.adoc[] + +// For blockchain specific tokens +// include::../../../shared_content/secrets/impact/blockchain_data_exposure.adoc[] + +// Specific for banking / financial transaction tokens, causing financial loss +// include::../../../shared_content/secrets/impact/banking_financial_loss.adoc[] + +// Secret can be used to send spam or phish users +// include::../../../shared_content/secrets/impact/phishing.adoc[] + +// Secret may allow modifying application data (object stores etc.) +// include::../../../shared_content/secrets/impact/data_modification.adoc[] + +// Specific to services that are used to share PII (personal infos, chat logs, ..) +// include::../../../shared_content/secrets/impact/personal_data_compromise.adoc[] + +// Secret may allow accessing financial data, like CC information or confidential financial reports +// include::../../../shared_content/secrets/impact/disclosure_of_financial_data.adoc[] + +// Secret may allow occurring financial losses through 3rd party API usage +// include::../../../shared_content/secrets/impact/financial_loss.adoc[] + +// Secret may be used to modify dashboards to corrupt shown data +// Requires setting service_name variable +// :service_name: secret service +// include::../../../shared_content/secrets/impact/dataviz_takeover.adoc[] + +// Secret is related to IaaS providers and can be used to change DNS, launch VMs, etc. 
+// Requires setting service_name variable +// :service_name: secret service +// include::../../../shared_content/secrets/impact/infrastructure_takeover.adoc[] == How to fix it +// 1. Revoke leaked secrets include::../../../shared_content/secrets/fix/revoke.adoc[] +// 2. Analyze recent use to identify misuse +include::../../../shared_content/secrets/fix/recent_use.adoc[] + +// 3. Use a secret vault in the future include::../../../shared_content/secrets/fix/vault.adoc[] -=== Code examples +// 4. Never hard-code secrets +include::../../../shared_content/secrets/fix/default.adoc[] -:example_secret: example_secret_value -:example_name: java-property-name -:example_env: ENV_VAR_NAME +// OAuth PKCE is very specific to OAuth 2.0 +// include::../../../shared_content/secrets/fix/oauth_pkce.adoc[] + +=== Code examples include::../../../shared_content/secrets/examples.adoc[] diff --git a/rules/S6652/secrets/rule.adoc b/rules/S6652/secrets/rule.adoc index f1841adc98..47c2c67bf8 100644 --- a/rules/S6652/secrets/rule.adoc +++ b/rules/S6652/secrets/rule.adoc @@ -6,12 +6,7 @@ include::../../../shared_content/secrets/rationale.adoc[] === What is the potential impact? -The consequences vary greatly depending on the situation and the secret-exposed -audience. Still, two main scenarios should be considered. - -include::../../../shared_content/secrets/impact/financial_loss.adoc[] - -include::../../../shared_content/secrets/impact/security_downgrade.adoc[] +include::../../../shared_content/secrets/impact/generic_impact.adoc[] == How to fix it diff --git a/rules/S6689/secrets/rule.adoc b/rules/S6689/secrets/rule.adoc index 35223fed80..63974c0dfc 100644 --- a/rules/S6689/secrets/rule.adoc +++ b/rules/S6689/secrets/rule.adoc 
@@ -10,12 +10,7 @@ GitHub tokens are used for authentication and authorization purposes when interacting with the GitHub API. They serve as a way to identify and authenticate users or applications that are making requests to the GitHub API. -The consequences vary greatly depending on the situation and the secret-exposed -audience. Still, two main scenarios should be considered. - -include::../../../shared_content/secrets/impact/financial_loss.adoc[] - -include::../../../shared_content/secrets/impact/security_downgrade.adoc[] +include::../../../shared_content/secrets/impact/generic_impact.adoc[] == How to fix it diff --git a/rules/S6784/secrets/rule.adoc b/rules/S6784/secrets/rule.adoc index e9d222665b..6c8d85b7c8 100644 --- a/rules/S6784/secrets/rule.adoc +++ b/rules/S6784/secrets/rule.adoc @@ -9,12 +9,7 @@ include::../../../shared_content/secrets/rationale.adoc[] === What is the potential impact? -The consequences vary greatly depending on the situation and the secret-exposed -audience. Still, two main scenarios should be considered. - -include::../../../shared_content/secrets/impact/financial_loss.adoc[] - -include::../../../shared_content/secrets/impact/security_downgrade.adoc[] +include::../../../shared_content/secrets/impact/generic_impact.adoc[] == How to fix it diff --git a/rules/S7169/secrets/rule.adoc b/rules/S7169/secrets/rule.adoc index 3b0185b746..7d1a52412b 100644 --- a/rules/S7169/secrets/rule.adoc +++ b/rules/S7169/secrets/rule.adoc @@ -7,8 +7,7 @@ include::../../../shared_content/secrets/rationale.adoc[] === What is the potential impact? -Below are some real-world scenarios that illustrate some impacts of an attacker -exploiting the secret. +include::../../../shared_content/secrets/impact/specific_impact_intro.adoc[] include::../../../shared_content/secrets/impact/data_compromise.adoc[] diff --git a/shared_content/secrets/impact/generic_impact.adoc b/shared_content/secrets/impact/generic_impact.adoc new file mode 100644 index 0000000000..ea46c10f7d 
--- /dev/null +++ b/shared_content/secrets/impact/generic_impact.adoc @@ -0,0 +1,7 @@ +The consequences vary greatly depending on the situation and the secret-exposed +audience. Still, two main scenarios should be considered. + +include::../../../shared_content/secrets/impact/financial_loss.adoc[] + +include::../../../shared_content/secrets/impact/security_downgrade.adoc[] + diff --git a/shared_content/secrets/impact/specific_impact_intro.adoc b/shared_content/secrets/impact/specific_impact_intro.adoc new file mode 100644 index 0000000000..0fe75f2b07 --- /dev/null +++ b/shared_content/secrets/impact/specific_impact_intro.adoc @@ -0,0 +1 @@ +Below are some real-world scenarios that illustrate some impacts of an attacker exploiting the secret.
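Review bot: the status change from "ready" to "beta" on the line `+    "status": "beta",` in rspec-tools/rspec_template/single_language/secrets/metadata.json is not explained anywhere in the patch; since this is the template every new secrets rule is generated from, a commit-message line or a short note in the template README stating that newly generated rules are now meant to start in beta would stop maintainers from flipping it back.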
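Review bot: the three `:example_env:`, `:example_name:` and `:example_secret:` attributes added at the top of rspec-tools/rspec_template/single_language/secrets/rule.adoc hold placeholder values (`ENV_VAR_NAME`, `java-property-name`, `example_secret_value`) but, unlike `:secret_type:`, carry no comment telling the rule author that they must be replaced; add a one-line comment above them in the same style as the one above `:secret_type:`.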
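Review bot: in the impact section of the template (the `@@ -9,31 +17,92 @@` hunk of rspec-tools/rspec_template/single_language/secrets/rule.adoc), `generic_impact.adoc` is included unconditionally while `specific_impact_intro.adoc` and every specific impact are commented out, so an author who uncomments specific impacts without also removing the generic include gets both the generic two-scenario text and the specific list; reword the comment above `// include::../../../shared_content/secrets/impact/specific_impact_intro.adoc[]` to say that the `generic_impact.adoc` include must be removed when specific impacts are used. The removed comment ("search for any required variables to be set and include them in this file. Not adding them will not trigger warnings.") was the only general warning about unset attributes; the new text mentions `service_name` only for `dataviz_takeover` and `infrastructure_takeover`, so restore that general warning. Fix the comment typos as well: "occurring financial losses" should read "incurring financial losses", and "personal infos" should read "personal information". Finally, `fix/recent_use.adoc` and `fix/default.adoc` are now included unconditionally but neither file is added by this patch; confirm both already exist under shared_content/secrets/fix, otherwise the template no longer renders.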
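Review bot: the new file shared_content/secrets/impact/generic_impact.adoc ends with an extra empty `+` line; drop it so the file ends with a single newline, matching specific_impact_intro.adoc. The phrase "the secret-exposed audience" in its first line is hard to parse; "the audience the secret is exposed to" says the same thing clearly. A leading `//` comment stating that this file is the default impact text for rules without specific impact content, which is how the S6652, S6689 and S6784 hunks use it, would also help the next author who reaches for it.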
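Review bot: the single line added in shared_content/secrets/impact/specific_impact_intro.adoc repeats "some" ("some real-world scenarios that illustrate some impacts"); suggest "Below are real-world scenarios that illustrate the impact of an attacker exploiting the secret." so the shared intro reads cleanly in every rule that now includes it, starting with rules/S7169/secrets/rule.adoc.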