BSidesSF 2018 has ended
Sunday, April 15 • 4:50pm - 5:20pm
Fighting Secrets In Source Code With TruffleHog

Secrets in source code have led to breaches in the past. They make it really easy to move laterally and escalate privileges once inside an environment, and it's a problem the entire industry faces. I'm going to talk about the tool I wrote to help identify secrets: TruffleHog. I'll be talking about different ways to use the tool, how it can be used in devops pipelines, and the future of the tool going forward. I'll also talk about a new type of problem I don't think anyone has looked at before: Secrets in old packages. I've tweaked truffleHog to scan package managers like npm and PyPI, and found tons of secrets accidentally uploaded to the package manager that weren't ever even in the git history. I'll be releasing the tweaked version of truffleHog and walking through how to use it, and why we need to pay more attention to this problem.

Presenters
Dylan Ayrey

Senior Security Engineer, Salesforce
I'm a senior security engineer at Salesforce, and I wrote and maintain truffleHog: a tool designed to extract secrets from source code.


Sunday April 15, 2018 4:50pm - 5:20pm
AMC - Theatre 7