How to remove sensitive data from code and access Workspace ONE API's more securely (part 1)

Organizations that use custom built tools to access API's can approach this in a variety of ways. It is not uncommon to find tools developed with sensitive data contained within the source code itself. PowerShell scripts are a great example of where we can find sensitive data leaking. These scripts come with the best of intentions, but can accidentally contain the keys to the kingdom. We’ll look at how I use a config.ini file to access a funny environment we’ll call https://Kauai.ryanpringnitz.com, but before we proceed, cue the mood boosting visuals...



Storing sensitive data in code makes it difficult to commit code to a source version control system Bitbucket, GitHub, TFS, etc), as it would be insecure. It can even be against company policy to store sensitive data this way. By storing the sensitive information in a config.ini file; you can more easily present the code in a screen sharing session (maybe in a sprint demo), or commit your code to remote a repository. 

 Examples of sensitive data found in custom tools include, but are not limited to;

  • Hostname
  • FQDN 
  • API Key
  • Plain Text Credential
  • Base64 Encoded Credential
  • UNC File Share

Let's take a look at what is commonly seen in the code of a custom built tool, that could be more securely implemented:

To improve on this; we can create a config.ini file that our code references. This removes the sensitive information previously stored in the script itself, and stores it in a config.ini file.

 So, what does the config.ini file look like?




The config.ini file needs to be tailored to your environment. For example; line 11 contains the URL that can respond to API calls. Line 16 contains the base64encoded credentials. Line 17 contains the API key with proper scope for the environment. Finally, line 28 references the path where files can be stored for logging. Note, due to regex and how backslashes are parsed; you will have to use two backslash instead 

 Let's rewrite that PowerShell code used above, and see how we to remove this sensitive data from the script using the config.ini file. Line 7 and 8 are going to get the location of the config.ini file.
Line 8, we store the contents of the config.ini file in the $WS1Env variable. This variable is an object that can be used in the script. For example, the URL of the environment is no longer exposed in plain text in the script. We have hidden the base64 encoded credentials, API key, and log path. This is accomplished by replacing sensitive data in the code with data obtained in the objects properties (e.g. $WS1Env.UATapikey )

 To further improve the script and how it communicates with remote REST Endpoints, on line 3 and 4, communication is forced to use the TLS 1.2 cipher suite. 

 We can take this one step further, and apply ACL's to the config.ini file to restrict access to approved users only. For instance, you could remove read access to the config.ini file, then grant read access only to a service account. To further secure access to the config.ini file, the service account could be enrolled in a privileged access management product

 Mahalo,
Ryan Pringnitz
Location: Princeville, HI, USA

Comments

Post a Comment

Popular posts from this blog

Delivering Managed Configurations (key/value pairs) to Android applications with Workspace ONE UEM profiles

Image
Applications often have secrets that should not be hardcoded in the source code. This poses a challenge for developers, as ProGuard can change classes and method names, it won't help with secrets. Examples of secrets that can be removed from application source code include an API key or a OAuth refresh token. Another capability is for the MDM to dynamically deliver values to the application, such as the current logged in user, device serial number, or organization group. Google has made it more challenging to access non-resettable device identifiers like the serial number in recent years, and this remains a viable solution to provide non-resettable device identifiers (and other values) to applications running on the device. So how do we do it? Workspace ONE UEM can deliver profiles to devices. Profiles can configure a number of settings, in addition to delivering key/value pairs to your applications.  Google refers to these key/value pairs as Managed Configurations, aka application
Read more

How to use Square's OkHttp Java library to access Workspace ONE UEM API's

Image
Digital workspace solutions often require consuming other services. When doing so, you may work with things like; REST API endpoints, Webhooks, gRPC, GraphQL - the list goes on. You can interact with these in a number of ways, but one way I've come to appreciate is with Java. It has been especially helpful when I've wanted to work with libraries like Appium, Selenium, OKHttp, or the Workspace ONE UEM SDK in a workflow. With that, I thought it would be helpful to share how to work with Workspace ONE UEM API's using Java. In this blog post, we will cover; Basics of JetBrain's IntelliJ IDE, touching on Apache Maven Using  Square's OkHttp   library  to call Workspace ONE UEM API's Why Java? Java is used by many and supported by most (Docker, Kubernetes, static code analysis tools, cloud service providers, Android, Windows, macOS, Tanzu Application Service, etc). Many languages compile to j ava
Read more

How to use Powershell with the Workspace ONE UEM API to search for users

Image
Using API's has been infinitely helpful in integrating Workspace ONE UEM with other enterprise services and applications. A question was asked recently about forming the correct HTTP header using Powershell, and returning the users in the users. Below is an example Powershell script I was able to create for this example. Make sure to include base64 encoded credentials in a folder (c:\creds\b64.txt in the example), and to update the $apiKey variable with an API key. #Workspace ONE UEM Environment Address / Authentication  $addy   =   "https://ws1.molokaibank.com" $b64   =   Get-Content   -Path   "c:\creds\b64.txt" $apiKey   =   "apikey" $b64EncodedAuth   =   " $b64 " # Header $content   =   "application/json"   $authHeader   =   "Basic "   +   $b64EncodedAuth $header   =  @{ "Authorization"   =   $authHeader ;  "aw-tenant-code"   =   $apiKey ;  "Accept"   =   $content ; 
Read more