Secret management is critical to an organisation's application development and deployment life cycle, yet organisations rarely give it the focus it needs or build awareness of it among their developers. As a result, poor or weak secret management practices have led to several high-profile breaches over the years. In this post, I'll explore a gamified approach to raising awareness and building good security hygiene muscle for secret management within organisations.
What is OWASP WrongSecrets?
OWASP WrongSecrets is an open-source, intentionally vulnerable web application focused on secret management hygiene. It is designed to help developers and security professionals better understand the risks associated with poor or weak secret management practices. It can be used in security training, awareness demos, capture-the-flag events, testing secret detection tools, and honing your web application security skills in general.
WrongSecrets has 35 challenges spanning Docker, Kubernetes, Vault and the public cloud providers (AWS, GCP, Azure). Each challenge focuses on a common secret management best practice, and solving it advances you in the game. If, for some reason, you are unable to install the recommended secret-hunting tools locally, try the WrongSecrets desktop environment.
WrongSecrets can also be used for capture-the-flag (CTF) competitions. OWASP WrongSecrets CTF Party is a fork and adaptation of OWASP MultiJuicer, which was originally developed to allow CTF events for OWASP Juice Shop. WrongSecrets CTF Party can be deployed on any Kubernetes setup that allows multiple namespaces, as well as on AWS, GCP or Azure by using Terraform.
Deploy OWASP WrongSecrets on Railway
In this post, we'll self-host OWASP WrongSecrets on Railway, a modern app hosting platform that makes it easy to deploy production-ready apps quickly. If you don't already have an account, sign up using GitHub, and click Authorize Railway App when redirected. Review and agree to Railway's Terms of Service and Fair Use Policy if prompted. Railway no longer offers an always-free plan, but the free trial is enough to try this. Launch the OWASP WrongSecrets one-click starter template (or click the button below) to deploy it instantly on Railway.
We're using the latest-no-vault Docker image for deployment; review the default settings and click Deploy, and the deployment will kick off immediately.
Once the deployment completes, OWASP WrongSecrets will be available at a default xxx.up.railway.app domain; launch this URL to access the web interface. If you are interested in setting up a custom domain, I covered it at length in a previous post (see the final section here). If you prefer self-hosting on Render rather than Railway, click the button below to deploy.
Test Your Secret Management Skills
Once you launch the web interface, you'll see the Home dashboard with a list of challenges to be completed. Since we did not use Kubernetes or the public cloud providers, some of the challenges are not available. Click on each available challenge, review and complete it, and watch your progress update on the dashboard.
The challenges span multiple difficulty levels and cover a wide variety of secret management best practices, including:
- Hardcoded passwords
- Kubernetes and Vault secrets
- Docker image configuration
- Logging of sensitive data
- Git repository commits
- CI/CD pipeline security
- Smart contract security
- Bash history
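The post mentions that WrongSecrets is also useful for testing secret detection tools. As an added example (not code from this post or from the WrongSecrets project), here is a small Python scanner that runs over constructed sample lines drawn from the categories above (a Dockerfile ENV line, a hardcoded key in source, a token leaked into a log, a shell history export) and reports the values that look like secrets. The sample values, key-name list, regexes and the length/entropy thresholds are my own assumptions; AKIAIOSFODNN7EXAMPLE is the placeholder access key from the AWS documentation.

```python
import math
import re

# Constructed sample inputs (not taken from WrongSecrets): one line for each
# of the leak categories listed above, plus a benign README line as a control.
SAMPLES = {
    "Dockerfile": "ENV DB_PASSWORD=s3cr3tP@ssw0rd2024",
    "app.py": 'API_KEY = "AKIAIOSFODNN7EXAMPLE"',
    "app.log": "2024-05-01 INFO login user=alice token=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.sflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV",
    ".bash_history": "export VAULT_TOKEN=hvs.CAESIc0nstructedT0kenValueForDemo",
    "README.md": "Set DB_PASSWORD in your environment before starting the app.",
}

# Credential formats with a recognisable structure are matched directly.
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),
    "vault_token": re.compile(r"\bhvs\.[A-Za-z0-9_-]+"),
}
# Generic "<secret-like name>=<value>" assignments (ENV lines, shell exports,
# log key/value pairs) are caught by name, then filtered by length and entropy.
SECRET_ASSIGNMENT = re.compile(
    r"(?i)(password|passwd|secret|token|api_?key)\s*[=:]\s*['\"]?([^\s'\"]+)"
)
MIN_LENGTH, MIN_ENTROPY = 8, 3.0  # assumed thresholds; tune for your code base


def shannon_entropy(value: str) -> float:
    """Bits per character; random-looking secrets score higher than words."""
    probs = [value.count(c) / len(value) for c in set(value)]
    return -sum(p * math.log2(p) for p in probs)


def scan_line(line: str) -> list:
    """Return (kind, value) findings for one line, most specific kind first."""
    findings = []
    for kind, pattern in KNOWN_PATTERNS.items():
        for match in pattern.finditer(line):
            findings.append((kind, match.group(0)))
    for match in SECRET_ASSIGNMENT.finditer(line):
        value = match.group(2)
        reported = any(value == v for _, v in findings)  # already matched above
        if not reported and len(value) >= MIN_LENGTH and shannon_entropy(value) >= MIN_ENTROPY:
            findings.append(("secret_assignment", value))
    return findings


def scan(sources: dict) -> dict:
    """Scan each named source and keep only those that produced findings."""
    report = {name: scan_line(text) for name, text in sources.items()}
    return {name: hits for name, hits in report.items() if hits}
```

Running `scan(SAMPLES)` flags the Dockerfile, source, log and shell-history lines and returns nothing for the README line, which names a secret without exposing its value.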