Find Annoying Secrets in Your AWS Java and Python Programs
Sometimes good things come with bad side effects. Take secrets in our code such as passwords, credentials, keys, and access tokens. Once upon a time, we’d never place these in our code. But then along came code-driven automation with secrets often accidentally, and sometimes intentionally, checked into our programs. Then, Software-as-a-Service (SaaS) and Infrastructure-as-a-Service (IaaS) brought the proliferation of tokens to invoke other services. What to do? Find them and get rid of them before the malicious hackers discover and use them of course! That’s where Amazon Web Services (AWS) updated Amazon CodeGuru comes in.
Amazon CodeGuru is an Artificial Intelligence/Machine Learning (AI/ML) developer tool with two parts. CodeGuru Profiler finds a program’s most expensive lines of code. CodeGuru Reviewer identifies critical issues, security vulnerabilities, and hard-to-find bugs during application development and provides code quality recommendations.
Automated Code Review
CodeGuru Reviewer has a new feature. Launched at AWS’ annual re:Invent user conference last month, this automated code review scans your Java and Python applications for hard-coded secrets.
Specifically, this automated tool detects such secrets in source code or configuration files as passwords, API keys, SSH keys, and access tokens.
It uses machine learning to spot hard-coded secrets during your code review process. The goal, of course, is to make sure your fresh Java and Python code doesn’t contain hard-coded secrets before it is merged and deployed. Besides your code, this new function also scans configuration and documentation files for secrets, since README snippets and YAML files are a common home for forgotten tokens.
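To make the detection concrete, here is an added example of the kind of scan described above. It is not CodeGuru’s code (CodeGuru uses an ML model and covers far more providers); it is a simple pattern-and-entropy scanner run over a constructed sample repository with a source file, a config file and a README. The token shapes are the well-known public prefixes for a few of the providers named on this page, and the AWS values are the placeholder keys from AWS’s own documentation; everything else is made up.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

# Public token prefixes for a few of the providers named above. These are the
# well-known current shapes (an assumption for this example; CodeGuru's own
# detectors are ML-based and cover far more providers and formats).
PROVIDER_PATTERNS = {
    "AWS access key ID": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "GitHub personal access token": re.compile(r"\bghp_[0-9A-Za-z]{36}\b"),
    "Slack token": re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}\b"),
    "Stripe secret key": re.compile(r"\bsk_live_[0-9A-Za-z]{16,}\b"),
}

# Generic 'suspicious_name = "literal"' assignment in code, YAML or INI.
ASSIGNMENT = re.compile(
    r"(?i)([a-z_]*(?:password|passwd|secret|api[_-]?key|token)[a-z_]*)"
    r"\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
)
PLACEHOLDERS = {"changeme", "password", "example", "todo"}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    secret: str

    def redacted(self) -> str:
        """Never echo the whole secret into review output or logs."""
        return self.secret[:4] + "*" * (len(self.secret) - 4)


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking keys score well above English words."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(path: str, text: str, entropy_threshold: float = 3.5) -> list[Finding]:
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        provider_hits = set()
        for kind, pat in PROVIDER_PATTERNS.items():
            for m in pat.finditer(line):
                provider_hits.add(m.group(0))
                findings.append(Finding(path, lineno, kind, m.group(0)))
        for m in ASSIGNMENT.finditer(line):
            name, value = m.group(1), m.group(2)
            if value in provider_hits:  # already reported by a provider pattern
                continue
            if value.lower() in PLACEHOLDERS or "${" in value:  # template, not a secret
                continue
            if shannon_entropy(value) >= entropy_threshold:
                findings.append(Finding(path, lineno, f"high-entropy {name}", value))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """files maps a path to its contents; source, config and docs are all scanned."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


# Constructed sample repository. The AWS values are the placeholder keys from
# AWS's own documentation; the other tokens are made up to fit the formats.
SAMPLE_FILES = {
    "app.py": (
        "import boto3\n"
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY"\n'
        'db_password = "changeme"\n'
        'stripe_key = "sk_live_4eC39HqLyjWDarjtT1zdp7dc"\n'
    ),
    "config.yml": (
        "database:\n"
        "  host: db.internal\n"
        '  password: "Tr0ub4dor&3xyz"\n'
        'api_key: "${API_KEY}"\n'
        'slack_token: "xoxb-123456789012-abcdefghijklmnop"\n'
    ),
    "README.md": (
        "Run `curl -H \"Authorization: Bearer ghp_0123456789abcdefghijABCDEFGHIJ012345\" "
        "https://api.github.com/user` to check the token.\n"
    ),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: {f.kind}: {f.redacted()}")
```

Two details matter in practice: the scanner reports a redacted form so the review comment itself does not become another copy of the secret, and values that are obviously templates (`${API_KEY}`, `changeme`) are skipped, because a noisy scanner gets disabled. A pattern scanner like this still misses unquoted YAML values and custom token formats, which is the gap an ML-based reviewer is meant to close.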
Once it’s done scanning your latest code, the program suggests remediation steps to secure your secrets. Of course, the smartest thing to do is remove the secret before the commit. Once a secret has been pushed, it lives on in the repository history, so treat it as compromised and rotate it rather than just deleting the line. The hard-coded secret can be replaced with a secret from a secret manager or, where needed, with a configuration variable.
The program’s default suggestion is to use AWS Secrets Manager. This managed service enables you to securely and automatically store, rotate, manage, and retrieve credentials, API keys, and pretty much any other kind of secret.
Once the secret is stored in AWS Secrets Manager, CodeGuru gives you code snippets for fetching it in many programming languages using the AWS SDKs. This saves you from writing the SDK call by hand.
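The remediation the reviewer recommends, shown as an added example rather than CodeGuru’s generated snippet: the hard-coded key from the ‘before’ line is replaced by a lookup of a named secret. The SDK call is the real boto3 `get_secret_value` operation, but the client is injected so the code runs offline against a stub; the secret names and values are assumptions. It also adds a short-lived cache, because Secrets Manager can rotate secrets automatically and a process-lifetime cache would keep serving the old value.

```python
import json
import time


def get_secret(secret_id, client=None, version_stage="AWSCURRENT"):
    """Fetch one secret from AWS Secrets Manager.

    With client=None this uses boto3.client("secretsmanager"), so region and
    credentials come from the normal SDK chain (environment, profile or an
    instance/task role) and no credential appears in code. Tests and local
    runs inject a stand-in client instead.
    """
    if client is None:
        import boto3  # lazy so the module imports without boto3 installed
        client = boto3.client("secretsmanager")
    resp = client.get_secret_value(SecretId=secret_id, VersionStage=version_stage)
    if "SecretString" in resp:
        raw = resp["SecretString"]
        try:
            parsed = json.loads(raw)
        except ValueError:
            return raw
        # Only treat it as structured if it is an object: a plain numeric
        # password such as "12345678" parses as JSON but is not a mapping.
        return parsed if isinstance(parsed, dict) else raw
    return resp["SecretBinary"]  # boto3 already base64-decodes blob fields


class SecretCache:
    """Bounded-TTL cache: avoids one Secrets Manager call per request while
    still picking up a rotated value within ttl_seconds."""

    def __init__(self, client, ttl_seconds=300, clock=time.monotonic):
        self._client, self._ttl, self._clock = client, ttl_seconds, clock
        self._entries = {}  # secret_id -> (fetched_at, value)

    def get(self, secret_id):
        now = self._clock()
        hit = self._entries.get(secret_id)
        if hit is not None and now - hit[0] < self._ttl:
            return hit[1]
        value = get_secret(secret_id, self._client)
        self._entries[secret_id] = (now, value)
        return value


# BEFORE (what the reviewer flags): the key sits in the repo and its history.
# STRIPE_API_KEY = "sk_live_4eC39HqLyjWDarjtT1zdp7dc"   # constructed value

# AFTER: the code holds only the secret's name. "prod/payments/stripe" is an
# assumed name for a JSON secret of the form {"api_key": "..."}.
def stripe_api_key(cache):
    return cache.get("prod/payments/stripe")["api_key"]


class StubSecretsManager:
    """Stand-in for boto3's secretsmanager client, constructed for this
    example; it mirrors only the two methods used here."""

    def __init__(self, secrets):
        self._secrets = dict(secrets)
        self.calls = 0

    def get_secret_value(self, SecretId, VersionStage="AWSCURRENT"):
        self.calls += 1
        if SecretId not in self._secrets:
            raise KeyError(SecretId)  # the real client raises ResourceNotFoundException
        value = self._secrets[SecretId]
        field = "SecretBinary" if isinstance(value, bytes) else "SecretString"
        return {"Name": SecretId, field: value, "VersionStages": [VersionStage]}

    def put_secret_value(self, SecretId, SecretString=None, SecretBinary=None):
        self._secrets[SecretId] = SecretBinary if SecretString is None else SecretString


if __name__ == "__main__":
    stub = StubSecretsManager({"prod/payments/stripe": '{"api_key": "sk_live_constructed0000"}'})
    print(stripe_api_key(SecretCache(stub)))
```

The IAM side is what makes this safer than the original line: the role running the code needs only `secretsmanager:GetSecretValue` on that one secret’s ARN, so a leaked code repository no longer yields a usable credential.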
This new functionality is included as part of the CodeGuru Reviewer service at no additional cost. It supports the most common API providers. Besides AWS, it also supports Atlassian, Datadog, Databricks, GitHub, Hubspot, Mailchimp, Salesforce, SendGrid, Shopify, Slack, Stripe, Tableau, Telegram, and Twilio. The full list is in the CodeGuru Reviewer documentation.
I strongly suggest if you’re programming in Java and Python on AWS that you use this new functionality. It is all too easy when you’re on a deadline to take shortcuts with secrets and promise yourself you’ll remember to take them out before you push the code forward. It sounds good, but there you are, hours, days, or weeks later, when you discover that a forgotten secret is now being exploited.