WrongSecrets
7.8 WrongSecrets
OWASP WrongSecrets is a project with production status. It provides challenges focused on secrets management, using an intentionally vulnerable application and environment. The project offers a standalone mode and a Capture-the-Flag (CTF) mode, and a demo is hosted on Heroku.
What is WrongSecrets?
WrongSecrets goals are to:
- Educate on secret management and its pitfalls
- Help people reflect on their secrets management strategy
- Promote secrets management as an important facet of security
The project provides challenges around secrets management across several layers:
- A Spring Boot Java application
- Application configuration
- Docker
- Kubernetes
- Vault
- AWS, GCP, or Azure
- Binaries / Reverse engineering
Scenarios vary in difficulty: some can be solved with nothing more than the browser on your mobile phone, while others require knowledge of cloud security, reverse-engineering tools or cryptography.
Why use it?
If you, your team or your organization want to learn about secrets management and potential pitfalls, you can do so with WrongSecrets’ challenges.
Alternatively, you can use WrongSecrets as a testbed or benchmark for secret detection tools: a detector should be able to find the secrets that are wrongly managed in the WrongSecrets application and its environment.
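As an added example (not code from the WrongSecrets project), the scanner below runs a few detection rules over constructed sample files representing the layers listed above: a Spring Boot application.properties file, a Dockerfile, a Kubernetes Secret manifest and a .env file holding a Vault token. It also illustrates the benchmark use from the previous paragraph: a detector should flag the literal secrets and stay quiet on the correctly handled ones (a `${VAULT_TOKEN}` property placeholder and a `secretKeyRef`). File names, rules and sample values are all assumptions made for this example; the AWS key pair is the well-known placeholder pair from the AWS documentation.

```python
"""Tiny secret detector run over constructed samples of the mistakes that
WrongSecrets-style challenges are built around. Added example; rules, file
names and sample values are assumptions, not project code."""
import base64
import re
from typing import Dict, List, NamedTuple, Optional


class Finding(NamedTuple):
    source: str
    line_no: int
    rule: str
    value: str


# Rules are checked most-specific first; a line is reported under the first
# rule that hits. Values starting with "$" are deliberately ignored:
# "${VAULT_TOKEN}" in a Spring property or "$VAR" in a Dockerfile is a
# reference resolved at runtime, not a secret stored in the repository.
RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # Vault service tokens issued by Vault 1.10 and later carry an "hvs." prefix.
    "vault_token": re.compile(r"\bhvs\.[A-Za-z0-9_-]{20,}\b"),
    # key=value or key: value where the key name suggests a secret and the
    # value is a literal of at least 8 characters.
    "assigned_secret": re.compile(
        r"(?i)(?P<k>[\w.\-]*(?:password|passwd|secret|api[_-]?key|token)[\w.\-]*)"
        r"\s*[:=]\s*[\"']?(?P<v>[^\s\"'$]{8,})"
    ),
}

# Constructed sample files, one per layer. Two entries show the right way
# (a property placeholder and a secretKeyRef) and must not be flagged.
SAMPLES = {
    "src/main/resources/application.properties": """\
server.port=8080
spring.datasource.username=app
spring.datasource.password=Sup3rS3cretPw!
secrets.vault.token=${VAULT_TOKEN}
""",
    "Dockerfile": """\
FROM eclipse-temurin:17-jre
ENV AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
ENV AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
COPY target/app.jar /app.jar
""",
    "k8s/secret.yaml": """\
apiVersion: v1
kind: Secret
metadata:
  name: db-credentials
type: Opaque
data:
  password: U3VwM3JTM2NyZXRQdyE=
---
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
      - name: app
        env:
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: db-credentials
              key: password
""",
    ".env": """\
VAULT_ADDR=https://vault.example.internal:8200
VAULT_TOKEN=hvs.CAESIExampleTokenValue0123456789abcdef
""",
}


def scan_text(source: str, text: str) -> List[Finding]:
    """Scan one file's contents; at most one finding per line."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for rule, pattern in RULES.items():
            m = pattern.search(line)
            if m is None:
                continue
            value = m.group("v") if "v" in m.groupdict() else m.group(0)
            findings.append(Finding(source, line_no, rule, value))
            break
    return findings


def scan_all(samples: Dict[str, str] = SAMPLES) -> List[Finding]:
    """Scan every sample file and collect the findings."""
    return [f for source, text in samples.items() for f in scan_text(source, text)]


def reveal_base64(value: str) -> Optional[str]:
    """Kubernetes Secret manifests hold base64, which is encoding, not
    encryption: whoever can read a committed manifest can read the plaintext."""
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except ValueError:  # binascii.Error and UnicodeDecodeError are ValueErrors
        return None
    return text if text.isprintable() else None


if __name__ == "__main__":
    for f in scan_all():
        plain = reveal_base64(f.value)
        extra = f"  (base64 of {plain!r})" if plain else ""
        print(f"{f.source}:{f.line_no} [{f.rule}] {f.value}{extra}")
```

Running the block reports five findings: the literal database password in the properties file, both halves of the AWS key pair in the Dockerfile, the base64 value in the committed Secret manifest (decoded back to the same database password, which is the point of that layer) and the Vault token in .env. The placeholder property and the `secretKeyRef` produce nothing, which is the behaviour to demand from any detector you benchmark against WrongSecrets.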
How to use it
The demo is available on Heroku.
You can set WrongSecrets up in standalone mode or in Capture-the-Flag (CTF) mode on Docker, Kubernetes, AWS, GCP or Azure. Set-up guides for the standalone version are in the project README.
For setting up a CTF, WrongSecrets provides set-up guides and an example Helm chart.
References
- OWASP WrongSecrets
- Secure Cloud Architecture cheat sheet
- WrongSecrets demo
The OWASP Developer Guide is a community effort; if there is something that needs changing then submit an issue or edit on GitHub.