Use Case: AppSec

Secure non-human access to engineering environments

A new type of supply chain attacks is taking advantage of machine identities, access keys and tokens connecting internal and third-party cloud services to engineering environments. Astrix helps AppSec teams secure all access keys and tokens, both internal and external. 

“Software supply chain attacks have added a new dimension to software security problems because the software delivery pipelines and the tools used to build and deploy software are the new attack vectors.”

NOT JUST CODE VULNERABILITIES

The overlooked cause of software supply chain attacks

Existing AppSec solutions are focused on securing code and DevOps pipelines. However, attackers are increasingly penetrating engineering ecosystems through ungoverned programmable access – non-human connections done through secrets, service accounts, and tokens.

Slack

Threat actors gained access to Slack’s externally hosted GitHub repositories via a “limited” number of stolen Slack employee tokens.

Circleci

Following a breach, CircleCI urge their customers to rotate all secrets, and API keys.

GitHub

Repos from deprecated GitHub organizations were cloned by a compromised Personal Access Token (PAT) and then used to access sensitive information.

“Astrix helps us to deal with a growing challenge – tracking the lifecycle and the behavior of a token, especially when provided to a third-party. Astrix creates unprecedented visibility and changes the game for us”

CISO, REIT S&P 500 Company

The vast scope of ungoverned non-human access

According to Astrix Research

Dev teams create around 20-30 new personal access tokens and SSH keys in GitHub organizations every week

In a typical GitHub environment approximately 1 of 4 tokens (PAT and SSH keys) is not in use and can be safely removed without impacting the business

1 in 5 users in a Snowflake production environment is in fact a service account

Vaults, IAM or AppSec solutions won’t do

Secret managers (Vaults)

Vaults tell you what happens inside your vault, we also tell you what happens outside them: Have all your secrets been properly stored in the vaults? Were secrets copied before they were stored? Was a secret leaked?

Secret scanners

Secret scanners only detect secrets, without any context. We help you understand whether the secrets are valid, if they’re being used and what permissions they have – so you can prioritize risk and quickly improve your posture.

CNAPP solutions

While these tools secure misconfigurations inside your IaaS environments, we give you visibility and context for known or unknown connections with external cloud services.

IAM solutions

Tools like CASB, MFA and SSO only secure user access. We help you secure non-human identities and access tokens.

How Astrix helps AppSec
leaders keep their app safe

COMPREHENSIVE SECRET SECURITY

See, contextualize and safeguard your secrets from creation to expiry

  • See exposed secrets across vaults and cloud environments.
  • Get the context you need about exposed secrets permissions, owner, leaker and related service connections. 
  • Get alerted on anomalous behavior that indicates a secret has been exploited.
  • Get prioritized remediation guidance for exposed secrets that put you at risk.
DISOVERY & POSTURE MANAGEMENT

Get the risk and business context you need to easily remediate over-privileged, unnecessary, and untrusted access

  • Misconfigured and over-permissive access.
  • Redundant apps, tokens, and keys of past employees and invalid applications.
  • Malicious third-party connections.
  • Dangerous practices, such as granting the same access keys to multiple services.
  • The business context of each connection, key and service account, so you can make smarter decisions without breaking anything.
ANOMALY & THREAT DETECTION

Detect & remediate suspicious non-human access in real-time through behavior analysis 

  • Access from a suspicious geo.
  • A service or secret that is using out of the ordinary permissions.
  • Unusual user agent.
  • Anomalous ISP.
COMPREHENSIVE SECRET SECURITY

See, contextualize and safeguard your secrets from creation to expiry

  • See exposed secrets across vaults and cloud environments.
  • Get the context you need about exposed secrets permissions, owner, leaker and related service connections. 
  • Get alerted on anomalous behavior that indicates a secret has been exploited.
  • Get prioritized remediation guidance for exposed secrets that put you at risk.
DISOVERY & POSTURE MANAGEMENT

Get the risk and business context you need to easily remediate over-privileged, unnecessary, and untrusted access

  • Misconfigured and over-permissive access.
  • Redundant apps, tokens, and keys of past employees and invalid applications.
  • Malicious third-party connections.
  • Dangerous practices, such as granting the same access keys to multiple services.
  • The business context of each connection, key and service account, so you can make smarter decisions without breaking anything.
ANOMALY & THREAT DETECTION

Detect & remediate suspicious non-human access in real-time through behavior analysis 

  • Access from a suspicious geo.
  • A service or secret that is using out of the ordinary permissions.
  • Unusual user agent.
  • Anomalous ISP.

Astrix mentioned in a Gartner report as a tool that addresses the need to secure access to machines and environments in the DevOps pipeline.

Two types of non-human access in engineering environments

Internal non-human access

R&D teams regularly generate ‘secrets’ – keys and tokens which allow machine access to resources, code and infrastructure – aka your most valuable intellectual property, and the vitality of your app. These keys are scattered across different secret managers, and regularly accessed by engineers that often unintentionally expose them (for debugging, for example). Security teams lack visibility into these keys and tokens – where they are, what they allow access to, what permissions they have.

Third-party non-human access

Employees regularly connect third-party services to core engineering environments like GitHub, GitLab, AWS and BigQuery to improve productivity. These shadow non-human connections are done via API keys, service accounts, webhooks, OAuth tokens, or SSH keys, which are often created with wide permissions and unlimited, permanent access. Many of these are never revoked even after users are finished with the connected service.

This site is using cookies for various purposes (analytics, marketing, user experience). You can read more in our privacy policy.

Request a demo

See how Astrix can help you take
control of your third-party integrations.



This will close in 0 seconds

Contact us



This will close in 0 seconds