Praetorian has open-sourced the regular expression-based (RegEx) scanning capabilities of its Nosey Parker secret scanning tool.
Scanning filesystem content for secrets
Inadvertent secret disclosure is one of the more common attack paths into an organization. Nosey Parker addresses the pervasive problem of secret exposure in source code and configuration files, where sensitive information such as passwords, API keys, access tokens, asymmetric private keys, client secrets, and credentials is often found. An attacker who discovers these secrets may be able to use them to access additional systems.
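To make the rule-based approach concrete, here is an added example written for this page, not code from Nosey Parker or Praetorian: a minimal Python scanner with four illustrative regex rules (assumed for the example, not the tool's own rule set) that reports each hit's rule, line number and a redacted snippet, plus a per-rule count. The input is a constructed configuration file; none of its values are real credentials.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Illustrative rules written for this example (assumed, not Nosey Parker's own rule set).
# Each pattern captures the secret value in group 1 where it can be isolated.
RULES = {
    "PEM private key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "AWS access key ID": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "Hard-coded password": re.compile(r"(?i)(?:password|passwd|pwd)\s*[=:]\s*['\"]([^'\"\s]{8,})['\"]"),
    "Bearer token": re.compile(r"(?i)\bbearer\s+([A-Za-z0-9._~+/-]{20,}=*)"),
}

@dataclass(frozen=True)
class Finding:
    rule: str
    line_no: int
    snippet: str  # redacted so that the report itself does not re-leak the secret

def redact(value: str) -> str:
    """Keep a short prefix for triage and drop the rest of the secret."""
    return f"{value[:4]}...({len(value)} chars)"

def scan_text(text: str) -> list:
    """Run every rule over every line; return one Finding per match, in line order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            for m in pattern.finditer(line):
                secret = m.group(1) if m.groups() else m.group(0)
                findings.append(Finding(rule, line_no, redact(secret)))
    return findings

def count_by_rule(findings) -> dict:
    """Summarise how many hits each rule produced (the 'how many' that triage asks first)."""
    return dict(Counter(f.rule for f in findings))

# Constructed sample input: a fake config file. None of these values are real credentials.
SAMPLE_CONFIG = """\
# constructed example, not real credentials
db_host = "db.internal.example"
db_password = "Sup3rSecretValue!"
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.dGVzdA.c2lnbmF0dXJl
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA(constructed, truncated)
-----END RSA PRIVATE KEY-----
"""
```

Calling `scan_text(SAMPLE_CONFIG)` yields one finding per secret on lines 3 to 6, and `count_by_rule` turns that list into the per-rule totals a triage report needs.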
“Since the release of Nosey Parker, we have continued to find hard-coded secrets within client environments that are easily leveraged to access high-value assets,” said Anthony Paimany, Technical Director for Praetorian. “Until now, the remedial advice felt lackluster with procedural and policy-based recommendations. We are excited to offer an open-source version of Nosey Parker that empowers organizations to better secure their assets. We look forward to contributions from the community as they identify interesting and innovative new rules and use cases.”
With the RegEx open-source version, application security engineers, cloud security engineers, site reliability engineers, and developers can quickly find the number and location of security incidents, replacing what is currently a manual, time-consuming process.
The company also plans to add capabilities to the RegEx version in the months ahead that will let users explore or enumerate resources that appear in public GitHub and other repositories. The newly released version can also perform scans 100 times faster than any other tool on the market, and can scan 100 gigabytes of Linux kernel source history on a laptop in five minutes.