Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?


Application Security

NCC Group Releases Open Source Tools for Developers, Pentesters

NCC Group announces new open source tools for finding hardcoded credentials and for distributing cloud workloads.

Cybersecurity firm NCC Group has released new open source tools that can be useful to application developers and penetration testers.

The first, named Code Credential Scanner (css), can be used by developers to scan configuration files in a repository to detect any stored credentials and remove them before they are leaked.

The tool runs on a local filesystem, meaning that it can be executed at any time to scan local files. It can also be integrated into development mechanisms to perform automated scheduled scans.

“The tool is intended to be used directly by dev teams in a CI/CD pipeline, to manage the remediation process for this issue by alerting the team when credentials are present in the code, so that the team can immediately fix issues as they arise,” NCC Group explains.

Written in Python, the script has no external dependencies and can be executed with parameters, to identify usernames, emails addresses, and the like, in addition to passwords and keys. Otherwise, it would only scan for known passwords.

The Code Credential Scanner is meant to be language agnostic, can work on any codebase to reduce false positives, and provides multiple methods of addressing issues.

In addition to the scanner, NCC Group has introduced CowCloud, an open source tool that can help pentesters and other technical teams distribute workloads across AWS.

Advertisement. Scroll to continue reading.

Initially meant to execute recon tools and vulnerability scans in a distributed manner, CowCloud can be used to create and view tasks fed to Python code running on worker nodes, but also to install and run commercial tools.

According to NCC Group, the tool can also be used for baselining security testing, for distributed password cracking in AWS, and for centralized tool access and management.

Related: Google Releases Open Source Bazel Plugin for Container Image Security

Related: Satori Releases Open Source Data Permissions Scanner for Enterprises

Related: ‘Badsecrets’ Open Source Tool Detects Secrets in Many Web Frameworks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Application Security

While there are many routes to application security, bundles that allow security teams to quickly and easily secure applications and affect security posture in...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.