Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

NCC Group Releases Open Source Tools for Developers, Pentesters

NCC Group announces new open source tools for finding hardcoded credentials and for distributing cloud workloads.

Cybersecurity firm NCC Group has released new open source tools that can be useful to application developers and penetration testers.

The first, named Code Credential Scanner (css), can be used by developers to scan configuration files in a repository to detect any stored credentials and remove them before they are leaked.

The tool runs on a local filesystem, meaning that it can be executed at any time to scan local files. It can also be integrated into development mechanisms to perform automated scheduled scans.

“The tool is intended to be used directly by dev teams in a CI/CD pipeline, to manage the remediation process for this issue by alerting the team when credentials are present in the code, so that the team can immediately fix issues as they arise,” NCC Group explains.

Written in Python, the script has no external dependencies and can be executed with parameters, to identify usernames, emails addresses, and the like, in addition to passwords and keys. Otherwise, it would only scan for known passwords.

The Code Credential Scanner is meant to be language agnostic, can work on any codebase to reduce false positives, and provides multiple methods of addressing issues.

In addition to the scanner, NCC Group has introduced CowCloud, an open source tool that can help pentesters and other technical teams distribute workloads across AWS.

Initially meant to execute recon tools and vulnerability scans in a distributed manner, CowCloud can be used to create and view tasks fed to Python code running on worker nodes, but also to install and run commercial tools.

Advertisement. Scroll to continue reading.

According to NCC Group, the tool can also be used for baselining security testing, for distributed password cracking in AWS, and for centralized tool access and management.

Related: Google Releases Open Source Bazel Plugin for Container Image Security

Related: Satori Releases Open Source Data Permissions Scanner for Enterprises

Related: ‘Badsecrets’ Open Source Tool Detects Secrets in Many Web Frameworks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.