Credentials, as used here, are secrets that grant access: API keys, database connection strings, server access keys, and passwords. In the broader sense of "sensitive data" the term also covers email addresses, credit card numbers, and social security numbers. Credentials are needed to reach the services and resources used in development and in cloud-based work environments, and developers as well as staff in operations, security, data analytics, and other areas depend on them to do their daily work.
The number of security incidents caused by poor credential management keeps growing. In 2023, Okta, a leading provider of identity and access management, suffered a breach in which attackers used a compromised account to reach its customer support system and retrieve HAR files uploaded by customers; those files contained session tokens that were then used against Okta's customers. Microsoft, Uber, and Cloudflare also suffered credential-related breaches in 2022 and 2023, and the stakes keep rising.
Business processes are changing dramatically, especially with the evolution of the cloud. As the workplace moves to the cloud, employees are able to work from anywhere, anytime, and are more collaborative and decentralized. While the cloud has made work processes faster and more flexible, it has also created new security challenges: employees have to deal with multiple credentials to access different services and resources, and it's not easy to manage and share them securely.
As a result, employees often store and share credentials in places that are convenient but widely accessible. Keeping credentials in source code repositories, messengers, cloud documents, cloud storage, email, and similar locations saves time, but it also creates serious risk: a credential left in a broadly readable location is an easy target for attackers and can be exposed through an insider's mistake or deliberate misuse.
As credential detection has become more important, a number of products have emerged to address it, most notably TruffleHog and GitGuardian.
TruffleHog is an open-source tool that scans source code repositories and collaboration tools such as Slack and Jira for exposed credentials. One of its strengths is that it does not stop at detection: for over 800 credential types it also verifies whether a found credential is still live, so security staff can judge the actual risk of a leak and act accordingly.
TruffleHog does have limitations, however. The biggest is the range of credentials it can detect. Because its detectors are regular-expression patterns defined in code, it cannot find new credential types that no pattern covers, nor unstructured secrets such as plain passwords and other sensitive information.
Another limitation is that TruffleHog scans one source at a time. It cannot, for example, combine an AWS access key ID exposed in GitHub with the matching AWS secret key exposed in Slack and verify them as a pair. For organizations that use several cloud products this makes it hard to use TruffleHog to find every possible credential leak.
Truffle Security also sells an enterprise product built on the open-source TruffleHog, but that product is not publicly available, which makes it difficult to evaluate.
GitGuardian is a SaaS-based credential detection and monitoring service. Like TruffleHog, GitGuardian can scan a variety of cloud products to identify credentials. It also provides real-time alerts for exposed credentials and includes a reporting feature that allows you to categorize credentials based on their threat level.
GitGuardian has limitations of its own. First, it is limited in extensibility. Unlike an open-source tool such as TruffleHog, GitGuardian does not let users modify the code or add features themselves, and it supports only up to five custom detectors, which makes it hard to apply organization-specific detection rules at scale.
Second, GitGuardian struggles with personally identifiable information (PII). Most credential detection tools, GitGuardian and TruffleHog included, identify credentials with heuristics or regular expressions. Those methods work well for structured credentials such as API keys, tokens, and passwords stored under a telling variable name, but they are poor at reliably detecting PII such as email addresses, phone numbers, and social security numbers, where the format alone says little. A loose pattern written for passport numbers, for example, will also match a GitHub commit ID. Heuristic, regex-based pattern matching therefore produces false positives, and this weakness is common to credential detection tools in general, not just GitGuardian and TruffleHog.
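The two weaknesses described above, regex-only matching that flags a git commit hash as a secret, and scanning each source in isolation so that an AWS key ID in one place is never paired with its secret key in another, can be seen in a few lines of code. The following is an added example written for this page; it is not Ferret, TruffleHog or GitGuardian code. The source names, the sample texts, and the detector patterns are constructed for the example (the AWS values are the placeholders from AWS documentation, the GitHub token is made up), and live verification of a candidate pair (for instance an STS GetCallerIdentity call) is deliberately left out so the example runs offline.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass
from itertools import product

# Constructed sample "sources": a repo file, a chat export and a wiki page.
# Every value is a documentation placeholder or made up; none is a live secret.
SOURCES = {
    "github:acme/app:config.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'deploy_sha = "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12"\n'
    ),
    "slack:#ops": "migration creds: aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
    "confluence:Runbook": "CI token: ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij\n",
}


@dataclass(frozen=True)
class Finding:
    kind: str
    value: str
    source: str
    line: int
    entropy: float


# Provider-specific detectors: a fixed prefix or a required key name keeps them precise.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*[\"']?([A-Za-z0-9/+=]{40})"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
# Generic fallback: any 40-character lowercase hex string. On its own this is exactly
# the kind of loose pattern that also matches git commit hashes.
HEX40 = re.compile(r"\b[0-9a-f]{40}\b")
# Keywords that make a generic match plausible as a secret when they precede it.
SECRET_CONTEXT = re.compile(r"(?i)(secret|token|passw|api[_-]?key|private)")


def shannon_entropy(s: str) -> float:
    """Bits per character; reported with each finding to help triage."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_line(source, lineno, line, require_context=True):
    found = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(line):
            value = m.group(1) if m.groups() else m.group(0)
            found.append(Finding(kind, value, source, lineno, round(shannon_entropy(value), 2)))
    for m in HEX40.finditer(line):
        # With the context filter on, a bare hex string in 'deploy_sha = "..."' is
        # treated as a commit id, not a credential; without it, it is a false positive.
        if require_context and not SECRET_CONTEXT.search(line[: m.start()]):
            continue
        found.append(Finding("generic_hex40", m.group(0), source, lineno,
                             round(shannon_entropy(m.group(0)), 2)))
    return found


def scan_sources(sources, require_context=True):
    """Scan every source and return all findings in one list, so that findings
    from different sources can be correlated afterwards."""
    findings = []
    for source, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            findings.extend(scan_line(source, lineno, line, require_context))
    return findings


def aws_key_pairs(findings):
    """Pair every AWS access key id with every AWS secret key, across sources.
    Each pair is a candidate that a verifier would then test against AWS."""
    ids = [f for f in findings if f.kind == "aws_access_key_id"]
    secrets = [f for f in findings if f.kind == "aws_secret_access_key"]
    return list(product(ids, secrets))


if __name__ == "__main__":
    naive = scan_sources(SOURCES, require_context=False)
    tuned = scan_sources(SOURCES, require_context=True)
    print(f"regex only: {len(naive)} findings; with context filter: {len(tuned)}")
    for f in tuned:
        print(f"  {f.kind:22} {f.source:28} line {f.line} entropy={f.entropy}")
    for key_id, secret in aws_key_pairs(tuned):
        print(f"candidate AWS pair: {key_id.value} ({key_id.source}) "
              f"+ secret key from {secret.source}")
```

Run as is, the regex-only pass reports four findings, one of which is the commit hash; the context-filtered pass reports three, and the one access key ID found in the repository is paired with the secret key found in the chat export, which is the cross-source correlation that a single-source scanner cannot produce.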
Ferret, named after the verb "to ferret out", that is, to search something out, is a product that scours the cloud for exposed credentials. Ferret is designed to overcome the limitations of existing credential detection products. Its features include:
These features, in particular credential verification, AI-based sensitive data detection, and multi-source scanning, are what let Ferret address the limitations of traditional credential detection tools.
Ferret also has a clear performance advantage over other products. Speed matters because a leaked credential has to be found and revoked before it is abused. Written in Rust, Ferret uses efficient string search algorithms and low-level optimizations to scan large volumes of data quickly.
In our measurements, Ferret scanned noticeably faster than TruffleHog across several codebases, including Linux, Chromium, and Spring Boot. On average we saw roughly a 2x speedup, and on a very large project such as Chromium roughly 8.8x. Faster scans mean faster response to an exposure and a more efficient detection program in a large organization.
Ferret will continue to evolve to deliver more value to our customers. Some of our plans for Ferret:
Cremit currently offers Ferret as SaaS and as an on-premise (Enterprise) deployment. It is suited to startups, small businesses, enterprises, and financial institutions, provides verification for 800+ secret types and NER-based detection of personal data, and integrates with source code repositories, collaboration tools, and document stores.