HashiCorp Cloud Platform
What is HCP Vault Radar
HCP Vault Radar automates the detection and identification of unmanaged secrets in your code so that teams can take appropriate actions to remediate issues.
It scans for the following types of information:
- Secrets
- Personally identifiable information (PII)
- Non-inclusive language (NIL)
Once the scanning completes, the detected risks in your code are displayed grouped by category and risk.
In this tutorial, you will learn about HCP Vault Radar through the lens of HashiCups and its engineering teams' attempts to eliminate sensitive data from their source code.
Scenario introduction
HashiCups produces and sells its coffee cups at both retail locations and through its online store. They support both a web application and a mobile application. The team at HashiCups is concerned about leaking secrets such as usernames, passwords, and API keys in their source code.
The CTO and CISO have presented the following business and technical requirements to the engineering teams:
- All source code must be free of sensitive data
- Any time sensitive data is detected, teams must be notified
- Scans for leaked secrets must occur at multiple stages of the software development life cycle
- Any potential solution cannot store HashiCups-owned source code
The team has several groups who will collaborate on the review and implementation of the selected solution(s).
Alice leads the engineering architect team. The architect team is tasked with:
- Understand system, resource, and connectivity requirements for all users and applications.
- Identify supported services within the solution that other users and systems will use to authenticate.
- Compare and contrast features and functions available in any proposed solution.
- Design implementation process, including support for high availability, disaster recovery, observability, and support runbooks.
- Create as-built documentation to hand off to other teams.
HashiCups has brought in HashiCorp to see how they can help achieve the goals set by the CISO and CTO.
What is secrets scanning
Secrets scanning is a process that allows you to find and identify secrets and other sensitive data hidden in source code or other locations such as documentation. With the correct tools, secret scanning functionality helps deliver secure code without compromising speed or innovation.
Having the ability to scan for secrets and other sensitive data will help HashiCups protect its customers, limit the potential for breaches due to leaked credentials, and protect the company's reputation as one that prioritizes security.
HCP Vault Radar provides a Software-as-a-Service (SaaS) solution for scanning cloud native services as well as a command-line (CLI) tool for scanning on-premises systems for sensitive data.
HCP Vault Radar concepts
Before diving in to how HCP Vault Radar works, there are several key concepts that the teams at HashiCups would like to understand.
Data sources
Danielle, who leads the development team, has asked how and when their source code will be scanned.
Through the HCP Portal you can connect HCP Vault Radar to GitHub, GitLab, Bitbucket, Azure DevOps, and Gerrit.
Both cloud-based and on-premises data sources are supported. On-premises data sources must be publicly accessible when used with the HCP Vault Radar SaaS scanner. For data sources scanned using the CLI, on-premises systems do not need to be publicly accessible.
The HCP Vault Radar CLI supports additional data sources such as local system files and directories, Docker, Amazon S3, and Terraform Enterprise.
Danielle has asked how they can achieve one of the goals set by the CISO and CTO: being able to scan for sensitive data throughout the SDLC.
HCP Vault Radar can also scan for sensitive data throughout the SDLC, such as when new branches are pushed to its source repository, or when pull requests are opened.
Types of sensitive data
Steve from the SRE team would like to understand what types of sensitive data can be detected. Is it just passwords and keys?
HCP Vault Radar can natively scan for multiple formats of sensitive data, including:
- Secrets such as usernames, passwords, and keys.
- Personally identifiable information (PII) such as social security numbers or credit card numbers.
- Non-inclusive language (NIL) such as race or gender attributes.
Beyond the supported patterns that HCP Vault Radar can scan for, HashiCups can also create their own custom regular expressions (regex) to scan for sensitive data that may be specific to HashiCups such as product model numbers or financial information.
Integrations
Oliver points out that scanning for sensitive data is only one of the requirements. They would like to know how the operations and SecOps teams can be notified and triage alerts.
HCP Vault Radar is able to support one of the requirements set by the HashiCups CISO and CTO. However, the teams still require the ability to create alerts and open support tickets if sensitive data is discovered.
HashiCups can configure alerts for sensitive data found by HCP Vault Radar using native integrations for PagerDuty, Slack, and Splunk.
You can configure multiple alert integrations to match your existing processes. For example, you can enable the Microsoft Teams or Slack integration for real time notifications, and also enable the PagerDuty integration to follow your defined escalations until the alert is resolved.
HashiCups can also use the ticketing integrations to open a ticket in Jira or ServiceNow, allowing the incident to be tracked through to the incident's conclusion.
How HCP Vault Radar works
The team thus far is excited about the possibilities of HCP Vault Radar, however Alice from the architecture team would like more detail on what happens with HashiCups source code when secrets are detected.
The first step to set up HCP Vault Radar is to connect a supported source code management (SCM) system. Once set up, the HCP Vault Radar scanning engine reviews the selected repositories, including available branches for sensitive data.
No source code or sensitive data is sent back to HCP Vault Radar. Instead, a two-phase hash or peppering is performed so HCP Vault Radar can identify if the sensitive data exists in multiple locations. This hash is then tokenized and returns a universally unique identifier (UUID) that is stored in the HashiCorp Cloud Platform.
The generated UUID, the commit hash, and the line number where the sensitive data was found are available in the HCP Portal.
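To make the custom regex patterns and the fingerprint-instead-of-source model above concrete, here is an added illustration in Python; it is not HCP Vault Radar's code, and the SHA-256 then HMAC two-phase scheme, the detection patterns, the pepper value, and the commit ids are assumptions constructed for the example.

```python
"""Illustrative scanner: regex detection plus privacy-preserving fingerprints (added example)."""
import hashlib
import hmac
import re
import uuid
from typing import Dict, List, Tuple

# Hypothetical patterns: one built-in style key pattern and one HashiCups-specific
# custom regex for product model numbers (both constructed for this example).
PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "hashicups_model": re.compile(r"\bHC-CUP-\d{4}-[A-Z]{2}\b"),
}

# Pepper known only to the scanner (assumption); keep it in a secret store in practice.
PEPPER = b"constructed-pepper-do-not-reuse"

# Constructed repository snapshot: commit id -> file lines. The same key is reused twice.
SAMPLE_REPO = {
    "abc123": ["aws_key = 'AKIAIOSFODNN7EXAMPLE'", "model = 'HC-CUP-2024-XL'"],
    "def456": ["# legacy config", "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE"],
}

Finding = Tuple[str, str, str, int]  # (category, fingerprint uuid, commit, line_no)


def fingerprint(secret: str, pepper: bytes = PEPPER) -> str:
    """Two-phase hash: SHA-256 of the value, then HMAC with the pepper, mapped to a UUID.
    Only the UUID leaves the scanner; the raw value is not recoverable from it."""
    phase1 = hashlib.sha256(secret.encode()).digest()
    phase2 = hmac.new(pepper, phase1, hashlib.sha256).digest()
    return str(uuid.UUID(bytes=phase2[:16]))


def scan(lines: List[str], commit: str) -> List[Finding]:
    """Record category, fingerprint, commit and line number for each match, never the text."""
    findings: List[Finding] = []
    for line_no, line in enumerate(lines, start=1):
        for category, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((category, fingerprint(match.group(0)), commit, line_no))
    return findings


def reused_secrets(repo: Dict[str, List[str]]) -> Dict[str, List[Tuple[str, int]]]:
    """Group locations by fingerprint; a UUID seen in several places means a reused secret."""
    groups: Dict[str, List[Tuple[str, int]]] = {}
    for commit, lines in repo.items():
        for _category, fp, commit_id, line_no in scan(lines, commit):
            groups.setdefault(fp, []).append((commit_id, line_no))
    return {fp: locs for fp, locs in groups.items() if len(locs) > 1}
```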
HashiCorp demos the setup for HashiCups.
Next steps
Limited availability
HCP Vault Radar is currently available through a limited availability release program.
To follow the steps in the next tutorial, you must have access to HCP Vault Radar through your account management team.
In the next tutorial, the engineering teams at HashiCups will collaborate to implement a proof-of-concept deployment of HCP Vault Radar.
The POC will demonstrate how to:
- Scan the organization's GitHub repositories to detect unmanaged secrets
- Integrate with PagerDuty to receive security incidents from Vault Radar
- Set up ticket automation using Jira