Cybersecurity firm NCC Group has released new open source tools that can be useful to application developers and penetration testers.
The first, named Code Credential Scanner (css), can be used by developers to scan configuration files in a repository to detect any stored credentials and remove them before they are leaked.
The tool runs on a local filesystem, meaning that it can be executed at any time to scan local files. It can also be integrated into development mechanisms to perform automated scheduled scans.
“The tool is intended to be used directly by dev teams in a CI/CD pipeline, to manage the remediation process for this issue by alerting the team when credentials are present in the code, so that the team can immediately fix issues as they arise,” NCC Group explains.
Written in Python, the script has no external dependencies and can be executed with parameters, to identify usernames, emails addresses, and the like, in addition to passwords and keys. Otherwise, it would only scan for known passwords.
The Code Credential Scanner is meant to be language agnostic, can work on any codebase to reduce false positives, and provides multiple methods of addressing issues.
In addition to the scanner, NCC Group has introduced CowCloud, an open source tool that can help pentesters and other technical teams distribute workloads across AWS.
Initially meant to execute recon tools and vulnerability scans in a distributed manner, CowCloud can be used to create and view tasks fed to Python code running on worker nodes, but also to install and run commercial tools.
According to NCC Group, the tool can also be used for baselining security testing, for distributed password cracking in AWS, and for centralized tool access and management.
Related: Google Releases Open Source Bazel Plugin for Container Image Security
Related: Satori Releases Open Source Data Permissions Scanner for Enterprises
Related: ‘Badsecrets’ Open Source Tool Detects Secrets in Many Web Frameworks