Secure non-human access to engineering environments
A new type of supply chain attack takes advantage of the machine identities, access keys and tokens that connect internal and third-party cloud services to engineering environments. Astrix helps AppSec teams secure all access keys and tokens, both internal and external.
“Software supply chain attacks have added a new dimension to software security problems because the software delivery pipelines and the tools used to build and deploy software are the new attack vectors.”
“Astrix helps us to deal with a growing challenge – tracking the lifecycle and the behavior of a token, especially when provided to a third-party. Astrix creates unprecedented visibility and changes the game for us.”
The vast scope of ungoverned non-human access
According to Astrix Research
Dev teams create around 20-30 new personal access tokens and SSH keys in GitHub organizations every week.
In a typical GitHub environment, approximately 1 in 4 tokens (PATs and SSH keys) is not in use and can be safely removed without impacting the business.
1 in 5 users in a Snowflake production environment is in fact a service account.
Vaults, IAM or AppSec solutions won’t do
Secret managers (Vaults)
Vaults tell you what happens inside the vault; we also tell you what happens outside it: have all your secrets been properly stored in the vault? Were secrets copied before they were stored? Was a secret leaked?
Secret scanners only detect secrets, without any context. We help you understand whether a secret is valid, whether it is being used and what permissions it has – so you can prioritize risk and quickly improve your posture.
While these tools address misconfigurations inside your IaaS environments, we give you visibility and context for known and unknown connections to external cloud services.
Tools like CASB, MFA and SSO secure only user access. We help you secure non-human identities and access tokens.
Third-party non-human access
Employees regularly connect third-party services to core engineering environments like GitHub, GitLab, AWS and BigQuery to improve productivity. These shadow non-human connections are established via API keys, service accounts, webhooks, OAuth tokens or SSH keys, which are often created with wide permissions and unlimited, permanent access. Many are never revoked, even after users have stopped using the connected service.
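As an added illustration of the posture questions raised above (is a token still in use, does it ever expire, what can it do), not Astrix's own code or method: a triage over a constructed inventory of GitHub non-human credentials. The inventory record format, the 90-day idle threshold and the choice of which scopes count as "wide" are assumptions; the scope names themselves are real GitHub classic-PAT scopes.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Real GitHub classic-PAT scope names that grant broad write/admin access;
# which scopes count as "wide" and the 90-day idle threshold are assumptions.
WIDE_SCOPES = {"repo", "workflow", "delete_repo", "admin:org", "admin:org_hook"}
STALE_AFTER = timedelta(days=90)

@dataclass
class Credential:               # one record of a hypothetical inventory export
    name: str
    kind: str                   # "pat", "ssh_key" or "oauth_app"
    created: datetime
    last_used: Optional[datetime]   # None = never observed in use
    expires: Optional[datetime]     # None = permanent, never expires
    scopes: frozenset

def assess(cred: Credential, now: datetime) -> dict:
    """Flag one credential as stale / permanent / wide and pick an action."""
    stale = now - (cred.last_used or cred.created) >= STALE_AFTER
    permanent = cred.expires is None
    wide = bool(cred.scopes & WIDE_SCOPES)
    if stale:                   # unused long enough: revocation candidate
        action = "revoke"
    elif wide and permanent:    # live and dangerous: fix scope and lifetime first
        action = "scope_down_and_add_expiry"
    elif permanent:
        action = "add_expiry"
    else:
        action = "ok"
    return {"name": cred.name, "stale": stale, "permanent": permanent, "wide": wide,
            "action": action, "priority": 2 * wide + permanent + stale}  # 0..4

def triage(inventory, now):
    """Assess every credential, worst first."""
    return sorted((assess(c, now) for c in inventory), key=lambda f: -f["priority"])

def unused_fraction(inventory, now):
    """Share of credentials that are stale and can be removed."""
    return sum(assess(c, now)["stale"] for c in inventory) / len(inventory)

D = datetime  # short alias for the constructed sample below
NOW = D(2024, 6, 1)
SAMPLE = [  # constructed records, not real credentials
    Credential("ci-deploy-pat", "pat", D(2023, 1, 10), D(2024, 5, 30), None, frozenset({"repo", "workflow"})),
    Credential("old-laptop-ssh", "ssh_key", D(2022, 3, 1), D(2023, 11, 2), None, frozenset()),
    Credential("vendor-oauth", "oauth_app", D(2024, 1, 5), None, None, frozenset({"admin:org"})),
    Credential("scoped-readonly", "pat", D(2024, 5, 1), D(2024, 5, 31), D(2024, 8, 1), frozenset({"read:org"})),
]
```

On the sample, `triage(SAMPLE, NOW)` ranks the never-used, permanent, admin-scoped OAuth connection first and `unused_fraction` reports half the inventory as removable.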