Microsoft has released a public preview of a security service to help Azure developers avoid posting private keys and other secrets in public repositories on GitHub.
Developers have been caught on numerous occasions committing this security blunder, potentially giving access to online storage and application databases. A researcher last year also published a tool for sniffing out secret keys called TruffleHog, which could make it easier for attackers to find these secrets.
According to Microsoft, customers who expose passwords, private keys, database connection strings, and storage account keys managed in Azure are putting their applications and services at "significant risk".
An attacker could use the details to compromise an Azure subscription and lump developers with unwanted bills, or steal and modify assets stored in the cloud or on-premise.
To prevent this situation from happening, Azure runs CredScan to monitor all incoming commits on GitHub. It also "checks for specific Azure tenant secrets such as Azure subscription management certificates and Azure SQL connection strings", Microsoft said.
Microsoft has been using CredScan to protect Azure and its own services and applications. The scan currently doesn't check for all secrets, but Microsoft is planning on adding more types of data to the scanning service.
The service is automatically enabled for Azure subscription owners who will be notified in an email from Microsoft's Cyber Defense Operation Center (CDOC) if CredScan detects an exposed secret.
The email details which commits have been flagged, the affected subscriptions and assets, the secret type, and advice on how to fix the problem.
Microsoft advises that anyone who receives a notification should check past commits and commit history to ensure they don't also contain exposed credentials.
Microsoft says it's already notified thousands of customers since introducing the scan, so clearly the error is not uncommon.
And the company reminds Azure developers that merely removing a published secret won't fix the problem since the secret could have already been nabbed. Hence, they should revoke the key or credential to resolve the issue.
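As an added example (not Microsoft's CredScan code), a small Python scanner in the spirit of what the article describes: it flags the two Azure secret types named above (storage account keys and Azure SQL connection strings) in the added lines of a diff, redacts them in its report, and can be pointed at a local repository's full history, which is the check Microsoft advises after a notification. The regexes, the sample diff and the fake key are constructed assumptions, not CredScan's actual rules.

```python
import re
import subprocess
from typing import Dict, List

# Illustrative patterns for the secret types the article names (assumption:
# these approximate the formats, they are not CredScan's real rules).
SECRET_PATTERNS = {
    # Azure Storage connection string: AccountKey is an 88-char base64 value
    "azure_storage_account_key": re.compile(
        r"AccountName=[\w-]+;AccountKey=(?P<secret>[A-Za-z0-9+/]{86}==)"),
    # Azure SQL connection string carrying an inline password
    "azure_sql_connection_string": re.compile(
        r"Server=tcp:[\w.-]+\.database\.windows\.net[^\n]*?Password=(?P<secret>[^;\n]+)"),
}

def scan_diff(diff_text: str) -> List[Dict[str, str]]:
    """Scan unified-diff text; only lines being added ('+') are inspected."""
    findings = []
    for lineno, line in enumerate(diff_text.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        for name, pattern in SECRET_PATTERNS.items():
            m = pattern.search(line)
            if m:
                secret = m.group("secret")
                # Redact so the report itself does not leak the value
                findings.append({"type": name, "line": lineno,
                                 "redacted": secret[:4] + "..." + "*" * 4})
    return findings

def scan_git_history(repo_path: str) -> List[Dict[str, str]]:
    """Scan every commit of a local repo; 'line' then indexes the combined log."""
    diff = subprocess.run(["git", "-C", repo_path, "log", "-p", "--all"],
                          capture_output=True, text=True, check=True).stdout
    return scan_diff(diff)

# Constructed sample input: a fake 88-char key and a diff that adds two secrets
# and removes one (the removed line must not be reported).
FAKE_KEY = "Zm9v" * 21 + "Zm" + "=="
SAMPLE_DIFF = "\n".join([
    "--- a/appsettings.json",
    "+++ b/appsettings.json",
    "@@ -1,3 +1,5 @@",
    " {",
    '+  "Storage": "DefaultEndpointsProtocol=https;AccountName=examplestore;'
    "AccountKey=" + FAKE_KEY + ';EndpointSuffix=core.windows.net",',
    '+  "Sql": "Server=tcp:example.database.windows.net,1433;Initial Catalog=app;'
    'User ID=admin;Password=NotARealPassword1!;",',
    '-  "Sql": "Server=tcp:example.database.windows.net,1433;Password=OldPassword;",',
    " }",
])
```

Running `scan_diff(SAMPLE_DIFF)` reports the storage key on line 5 and the SQL password on line 6, both redacted; a hit in real history means revoking the credential, not just deleting the line.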
Microsoft is also developing a tool called CredScan Code Analyzer, which detects potential secrets in code and encourages developers to move them to secure locations.