Security Architecture
How do you protect credentials (usernames/passwords) stored in NightVision scans?
When the authentication sequence is recorded, we treat every user-supplied value, such as a username or password, as a secret. On upload, we remove these values from the authentication script and store them in our isolated secrets service, where they are encrypted at rest with customer-managed KMS keys. Every access to a secret is written to the audit trail, and secrets are retrieved only when a scan is initiated and the authentication sequence must be replayed for that scan. Access to the secrets service goes through API Gateway with IAM role integration: callers are authenticated by API Gateway and authorized by least-privilege IAM roles. The secrets service lives in a dedicated AWS account with limited administrator access that is used only in break-glass scenarios; whenever one of the two authorized users logs into that account, we immediately receive a Slack alert in our break-glass access events channel.
As a best practice, customers should use dedicated test user credentials for DAST scans rather than corporate or otherwise sensitive credentials. Security is our #1 job, and we take the storage of all customer data and credentials seriously.
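The upload-time redaction and scan-time replay described above, shown as an added Python example that is not NightVision's own code: the in-memory SecretsService, the step format and all sample values are assumptions, and KMS encryption plus the API Gateway/IAM layer are assumed to sit inside the real service.

```python
# Added example (not NightVision's code): redact user-supplied values from a
# recorded login sequence at upload, keep them in a separate store with an
# audit trail, and re-inject them only when the sequence is replayed for a scan.
import copy
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class SecretsService:
    """Stand-in for the isolated secrets service (assumed to encrypt at rest with a customer-managed KMS key)."""
    _store: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def put(self, value, actor):
        ref = "secret:" + secrets.token_hex(8)   # opaque handle, reveals nothing about the value
        self._store[ref] = value
        self._log("put", ref, actor, "upload")
        return ref

    def get(self, ref, actor, purpose):
        self._log("get", ref, actor, purpose)     # every read lands in the audit trail
        return self._store[ref]

    def _log(self, action, ref, actor, purpose):
        self.audit_log.append({"ts": datetime.now(timezone.utc).isoformat(), "action": action,
                               "ref": ref, "actor": actor, "purpose": purpose})

def redact_auth_script(steps, svc, actor):
    """Upload path: every typed value is treated as a secret and swapped for a handle."""
    redacted = copy.deepcopy(steps)
    for step in redacted:
        if step.get("action") == "type":
            step["value"] = svc.put(step["value"], actor)
    return redacted

def replay_auth_script(steps, svc, scan_id):
    """Scan path: handles are resolved only now, under the scanner's identity."""
    resolved = copy.deepcopy(steps)
    for step in resolved:
        if step.get("action") == "type" and step["value"].startswith("secret:"):
            step["value"] = svc.get(step["value"], f"scanner:{scan_id}", "replay")
    return resolved

# Constructed sample login recording, as it might arrive on upload.
RECORDED = [
    {"action": "navigate", "url": "https://app.example.test/login"},
    {"action": "type", "selector": "#user", "value": "qa-tester"},
    {"action": "type", "selector": "#pass", "value": "test-only-password"},
    {"action": "click", "selector": "#submit"},
]
```

The stored script never contains the plaintext values, and the audit log shows one entry per retrieval with the scan that triggered it.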