10/27/2020 | Press release | Distributed by Public on 10/27/2020 09:59
Ever wished you could take back something you said? It's simply not possible. The same holds true for passwords or tokens that are inadvertently exposed (for example, in public GitHub repositories). However, if you detect such exposures automatically and react quickly, you can greatly reduce their impact.
Especially in enterprise-wide environments, it's challenging to centrally ensure that credentials are never exposed to unauthorized people. Credentials may, for example, be unintentionally exposed in log files, shared documents, and internal (or even external) source code repositories. Last year GitHub reported that they have identified one billion potential tokens committed to GitHub repositories in the first year of running their secret scanning service. Publicly exposed tokens present a particularly high risk because attackers can automatically find and abuse such tokens within minutes.
From the beginning, Dynatrace was developed with the highest level of security in mind. We're constantly enhancing Dynatrace security features. An automated detection or prevention mechanism is the only reliable and scalable way of ensuring the highest possible security. A prerequisite for using such an automated approach is a token format that is precisely identifiable and doesn't lead to false positives.
Therefore, we're happy to introduce a new Dynatrace token format that will help you automate the protection of tokens within your organization.
To allow for automated prevention mechanisms, Dynatrace is introducing a new and unique token format for our API tokens (see example below):
The tokens consist of three components separated by a dot.
|dt0c01||Unique prefix identifying a Dynatrace API token|
Public portion of token
This is a 24-character public identifier of the token. This value can be safely displayed in the UI and can be used for logging purposes.
Secret portion of token
This is a 64-character secret portion of the token, which can be treated like a password and therefore doesn't need to be displayed in the Dynatrace web UI (following initial creation) or stored in log files.
The new token format allows you to precisely match Dynatrace tokens using, for example, a regular expression:
The new token format provides several benefits:
Using pattern matching to find internal tokens gives you options for running automated security controls within your organization, such as (but not limited to):
Adopting the new token format will enable the GitHub secret scanning service to identify any token pushed to a public GitHub repository that matches the new Dynatrace API token format. Dynatrace has already begun working with GitHub to receive such information; we're currently looking into ways to automatically alert you in cases where an exposed Dynatrace token is detected by GitHub.
The change over to the new token format will be rolled out in two steps, giving you full control over their adoption.
Step 1: Option to configure new tokens using the new format
You can opt-in to the new token format to verify and ensure that your automation can handle the format change without any problems (this setting is turned Off by default). When you turn on the new token configuration setting, all new API tokens will be generated using the new format (existing tokens will continue to work).
Step 2: Tokens will be configured to use the new token format by default
With the rollout of Dynatrace version 1.210, this setting will be turned on by default (i.e., all newly generated tokens will use the new format). You'll still have the option to opt-out of the new token format for a limited period of time.
To further extend the automation around secure token handling, we plan to
So please stay tuned for upcoming announcements!
As always, we look forward to hearing your feedback at Dynatrace answers or via Dynatrace ONE in-product chat.