Talisman

Nullcon Goa 2020, AMMO

Tool Name:

Talisman

Speaker:

Suhas Vishwanath

Download Link:

https://github.com/thoughtworks/talisman



Abstract:

Talisman is an open source tool created by Thoughtworks that installs a git hook in your repository to ensure that potential secrets or sensitive information do not leave the developer's workstation. It validates the outgoing changeset for things that look suspicious, such as potential SSH keys, authorization tokens and private keys. It supports macOS, Linux and Windows, and can be installed as either a pre-commit hook (checking the staged changes of each commit) or a pre-push hook (checking the commits about to leave for the remote). Talisman can also sit in your home directory (or any parent directory of your choice under which you keep your git repositories) as a global git hook, so that you install it once and have it watch for secrets being accidentally pushed to version control from your existing and new repositories alike. Once installed, Talisman's auto-update mechanism keeps the installation current whenever a new release of Talisman is published.
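To make "validating the outgoing changeset" concrete, here is an added illustration of the kind of checks such a hook runs. It is not Talisman's own code (Talisman is written in Go and lives at the link above) and does not reproduce its detectors or configuration: the regexes, the file-name list and the 4.5 bits/char entropy cut-off are assumptions chosen for this example, and the sample diff is constructed, with Amazon's documented example access key ID and a fake key body. The scanner reads a unified diff of the form `git diff --cached` produces, flags suspicious file names and added lines, and reports each finding with its line in the diff.

```go
package main

import (
	"fmt"
	"math"
	"path/filepath"
	"regexp"
	"strings"
)

// Finding is one suspicious item in the outgoing changeset.
type Finding struct {
	File   string
	Line   int // line number within the diff; 0 for file-name findings
	Reason string
}

// File names that should almost never be committed; matched on the base name.
// Assumed list for this example, not Talisman's.
var suspiciousNames = []*regexp.Regexp{
	regexp.MustCompile(`(?i)^id_(rsa|dsa|ecdsa|ed25519)$`),
	regexp.MustCompile(`(?i)(\.(pem|key|p12|pfx|jks)|^\.?(env|netrc|npmrc|htpasswd))$`),
}

// Patterns checked on every added ("+") line. Assumed list for this example.
var suspiciousContent = []struct {
	reason string
	re     *regexp.Regexp
}{
	{"private key block", regexp.MustCompile(`-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----`)},
	{"AWS access key ID", regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`)},
	{"credential assignment", regexp.MustCompile(`(?i)\b(password|passwd|secret|api[_-]?key|auth[_-]?token)\b\s*[:=]\s*\S{6,}`)},
}

// Runs of base64-alphabet characters long enough to be a token. They are
// flagged when their Shannon entropy exceeds entropyThreshold (an assumed
// cut-off chosen so ordinary words and short identifiers stay below it).
var base64Run = regexp.MustCompile(`[A-Za-z0-9+/=]{20,}`)

const entropyThreshold = 4.5

// ShannonEntropy returns the entropy of s in bits per character.
func ShannonEntropy(s string) float64 {
	counts := map[rune]int{}
	n := 0
	for _, r := range s {
		counts[r]++
		n++
	}
	h := 0.0
	for _, c := range counts {
		p := float64(c) / float64(n)
		h -= p * math.Log2(p)
	}
	return h
}

// ScanDiff inspects a unified diff (e.g. `git diff --cached`) and returns
// findings for file names and added lines that look like secrets. Context
// and removed lines are skipped: only content leaving the workstation counts.
func ScanDiff(diff string) []Finding {
	var out []Finding
	file := ""
	for i, line := range strings.Split(diff, "\n") {
		switch {
		case strings.HasPrefix(line, "+++ "): // new-side file header, "+++ b/path"
			file = strings.TrimPrefix(line[4:], "b/")
			for _, re := range suspiciousNames {
				if re.MatchString(filepath.Base(file)) {
					out = append(out, Finding{File: file, Line: 0, Reason: "suspicious file name"})
					break
				}
			}
		case strings.HasPrefix(line, "+"): // an added line of content
			for _, p := range suspiciousContent {
				if p.re.MatchString(line[1:]) {
					out = append(out, Finding{File: file, Line: i + 1, Reason: p.reason})
				}
			}
			for _, tok := range base64Run.FindAllString(line[1:], -1) {
				if e := ShannonEntropy(tok); e > entropyThreshold {
					out = append(out, Finding{File: file, Line: i + 1, Reason: fmt.Sprintf("high-entropy token (%.2f bits/char)", e)})
				}
			}
		}
	}
	return out
}

// SampleDiff is a constructed changeset (not from any real repository); the
// AWS key is Amazon's documented example value and the key body is a fake.
const SampleDiff = `diff --git a/config/settings.yml b/config/settings.yml
--- a/config/settings.yml
+++ b/config/settings.yml
@@ -1,3 +1,5 @@
 database: app
+aws_access_key_id: AKIAIOSFODNN7EXAMPLE
+slack_webhook: Qm7vX2pL9kRt4sWz8nHd3cJf6bYg5aEu
 region: eu-west-1
diff --git a/deploy/id_rsa b/deploy/id_rsa
--- /dev/null
+++ b/deploy/id_rsa
@@ -0,0 +1,3 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+-----END OPENSSH PRIVATE KEY-----
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1 +1,2 @@
 # Service
+Set DB_PASSWORD in the environment before running.
`

func main() {
	findings := ScanDiff(SampleDiff)
	for _, f := range findings {
		fmt.Printf("%s:%d: %s\n", f.File, f.Line, f.Reason)
	}
	if len(findings) > 0 {
		fmt.Println("changeset rejected") // a real hook would os.Exit(1) here
	}
}
```

Run against the sample it reports four findings: the AWS key ID and the high-entropy webhook token in config/settings.yml, and both the file name and the BEGIN line of deploy/id_rsa. The README line that merely mentions DB_PASSWORD is not flagged, and the key body line slips past the entropy check (the long runs of "A" in the openssh-key-v1 header keep it at about 4.0 bits/char), which is why a scanner layers several detectors rather than relying on entropy alone. Wired into a pre-commit hook, a non-empty result would make the hook exit non-zero; scanning history amounts to applying the same checks to every commit's diff.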

Talisman CLI support

The hook described above stops sensitive information from leaving a developer's or QA engineer's machine and reaching version control, which works well for the changes you make from now on. What about secrets that were already checked in to an existing repository? How do you examine the complete git history, find secrets that were accidentally committed in the past and remove them? Talisman also ships a CLI mode that you can run from inside a repository to find secrets already present in its history. Here is how you can use the git history scanner of the Talisman CLI; you can also add it to your CI/CD pipeline so that secret scanning becomes part of your deployment process and acts as a backstop for commits that bypassed the local hook (git hooks can be skipped with --no-verify). Note that a secret found in history has already left the workstation and should be treated as compromised and rotated; removing it from the history only stops further exposure.

Bio:

Suhas is a Senior Developer at Thoughtworks. He has worked with core Ruby, Ruby on Rails, Golang and Java to create software solutions, and with Docker and Ansible to build and orchestrate infrastructure. He has also maintained infrastructure on public and private clouds such as AWS and OpenStack. He developed an interest in security after facing security issues and their consequences while working on delivery projects, and has since worked towards making security an integrated part of delivery. He believes that a team's responsibility while developing software is not limited to creating a quality product but also extends to addressing its security aspects. Apart from day-to-day delivery, he is one of the core contributors and maintainers of Talisman, a tool focused on preventing secrets leakage via source code.

Copyright © 2019-20 | Nullcon India | International Security Conference | All Rights Reserved