DEV Community

ANKUSH CHOUDHARY JOHAL

Posted on • Originally published at johal.in

Fix OWASP Secrets Management Issues Using OpenSCAP: Step-by-Step Guide

Introduction

Secrets management is a critical component of application security, and the OWASP Top 10 2021 highlights multiple risks tied to poor secrets handling: A02 (Cryptographic Failures) includes hard-coded secrets, while A05 (Security Misconfiguration) covers exposed credentials in configuration files. Left unaddressed, these flaws can lead to data breaches, unauthorized access, and compliance violations.

OpenSCAP is an open-source framework for implementing the Security Content Automation Protocol (SCAP), enabling automated compliance checks, vulnerability scanning, and configuration auditing. This guide walks you through using OpenSCAP to identify and remediate OWASP-aligned secrets management issues across systems, containers, and application configurations.

Prerequisites

  • A Linux system (RHEL 8+, CentOS Stream 8+, Ubuntu 22.04+, or Fedora 36+) with sudo/root access
  • OpenSCAP base packages and SCAP security content installed
  • Basic familiarity with command-line operations and OWASP security concepts

Step 1: Install OpenSCAP and Dependencies

First, install the required OpenSCAP packages for your distribution:

RHEL/CentOS Stream/Fedora

sudo dnf install -y openscap-utils scap-security-guide

Ubuntu/Debian

sudo apt update && sudo apt install -y libopenscap8 openscap-utils scap-security-guide

Verify the installation by running oscap --version — you should see the OpenSCAP version and supported SCAP standards.

Step 2: Obtain OWASP-Aligned SCAP Content

OpenSCAP uses SCAP content (XCCDF, OVAL, CPE dictionaries) to define compliance checks. For OWASP secrets management, you can use two approaches:

  • Pre-built OWASP ASVS Content: Download OWASP Application Security Verification Standard (ASVS) SCAP content from the OpenSCAP Content Repository, which includes checks for V8 (Data Protection) and V12 (File and Data Integrity) controls tied to secrets management.
  • Custom OVAL Checks: Create custom OVAL definitions for common OWASP secrets issues, such as hard-coded API keys, world-readable .env files, or unencrypted secrets in configuration stores. Example OVAL checks are available in the OpenSCAP documentation.

Save the SCAP content to /usr/share/xml/scap/owasp-secrets/ for easy access.

Step 3: Configure OpenSCAP Scan Profile

Create a custom XCCDF profile to include only secrets management checks, reducing scan noise. You can either modify an existing profile (e.g., CIS Level 1) to disable non-secrets rules, or create a new profile referencing your OWASP-aligned checks.

For example, to use the pre-built CIS profile (which includes secrets-related checks), reference the default scap-security-guide content:

SCAP_CONTENT='/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml'
PROFILE='xccdf_org.ssgproject.content_profile_cis_server_l1'

For custom OWASP content, set SCAP_CONTENT to your OWASP XCCDF file path and PROFILE to the ID of your custom profile.

Step 4: Run Initial Secrets Management Scan

Execute the OpenSCAP scan using the oscap xccdf eval command, specifying your content path, profile, and output file for results:

sudo oscap xccdf eval \
--profile $PROFILE \
--results /var/log/oscap/owasp-secrets-initial-results.xml \
--report /var/log/oscap/owasp-secrets-initial-report.html \
$SCAP_CONTENT

This generates an XML results file and a human-readable HTML report. To run the same XCCDF evaluation against a container image, use the oscap-docker utility, which mounts the image and passes the remaining arguments to oscap (the separate image-cve subcommand only checks installed packages against a CVE feed, not your secrets rules):

sudo oscap-docker image my-app:latest xccdf eval --profile $PROFILE --results container-secrets-results.xml $SCAP_CONTENT

Step 5: Analyze Scan Results

Open the HTML report in a web browser to review failing checks. Common OWASP-aligned failures include:

  • Hard-coded secrets in application configuration files
  • World-readable or world-writable .env files
  • Unencrypted secrets stored in environment variables
  • Secrets transmitted over unencrypted protocols (HTTP, FTP)
  • Missing encryption for secrets at rest in databases or config stores

Each failing rule includes a description, OWASP mapping, and remediation guidance.

Step 6: Remediate Identified Issues

Follow the remediation steps provided in the scan report for each failing check:

  • Hard-coded secrets: Replace with references to a secrets manager (e.g., HashiCorp Vault, AWS Secrets Manager) or secure environment variables.
  • Exposed .env files: Run chmod 600 /path/to/.env to restrict permissions, and add .env to your .gitignore to prevent version control exposure.
  • Unencrypted secrets: Implement AES-256 encryption for secrets at rest, and use TLS 1.2+ for all secret transmission.
  • Misconfigured permissions: Use chown and chmod to enforce least-privilege access to secret stores.

Step 7: Automate Recurring Scans

Manual scans are insufficient for continuous compliance. Automate recurring scans using cron jobs or systemd timers:

Cron Job Example

# Run daily at 2 AM from root's crontab. cron does not inherit shell variables, so define them here, and escape % (a bare % is a newline to cron)
PROFILE=xccdf_org.ssgproject.content_profile_cis_server_l1
SCAP_CONTENT=/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
0 2 * * * /usr/bin/oscap xccdf eval --profile $PROFILE --results /var/log/oscap/owasp-secrets-$(date +\%F).xml $SCAP_CONTENT

CI/CD Integration

Add OpenSCAP scans to your Jenkins, GitLab CI, or GitHub Actions pipelines to catch secrets issues before deployment. Example GitLab CI snippet:

secrets-scan:
  stage: test
  script:
    # oscap exits 2 when any rule fails; capture the status so the report is still generated, then fail the job on it
    - oscap xccdf eval --profile owasp-secrets --results scan-results.xml /path/to/owasp-content.xml; rc=$?
    - oscap xccdf generate report scan-results.xml > scan-report.html
    - test "$rc" -eq 0
  artifacts:
    when: always
    paths: [scan-report.html, scan-results.xml]

Step 8: Validate Remediation

Re-run the OpenSCAP scan after applying fixes to confirm all checks pass. Generate a new report and verify that no high or critical severity failures remain. For custom checks, update your OVAL definitions as new OWASP guidance is released.
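To make Step 5 and Step 8 enforceable rather than a manual read of the HTML report, here is an added Python example (not from the original post or the OpenSCAP project) that parses the XCCDF results file written by --results, lists failing rules with their severity, and gates on whether any high-severity failure remains. The results XML it reads is a constructed sample in the shape oscap emits, with made-up rule ids; XCCDF's severity vocabulary is unknown/info/low/medium/high, so the "critical" wording above maps to high here.

```python
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed sample (not real scanner output): a trimmed XCCDF 1.2 results document
# with the TestResult element that oscap appends to the Benchmark when --results is used.
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_sample">
  <TestResult id="xccdf_example_testresult_sample">
    <rule-result idref="xccdf_example_rule_env_file_permissions" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_no_hardcoded_keys" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_tls_required" severity="high">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_db_encryption" severity="low">
      <result>notapplicable</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""


def parse_rule_results(xml_text):
    """Return (rule_id, severity, result) for every rule-result inside the TestResult."""
    root = ET.fromstring(xml_text)
    rows = []
    for rr in root.iterfind(".//x:TestResult/x:rule-result", XCCDF_NS):
        result_el = rr.find("x:result", XCCDF_NS)
        result = result_el.text.strip() if result_el is not None and result_el.text else "unknown"
        rows.append((rr.get("idref"), rr.get("severity", "unknown"), result))
    return rows


def failing_rules(xml_text):
    """Only the rules whose result is 'fail', as (rule_id, severity) pairs."""
    return [(rid, sev) for rid, sev, res in parse_rule_results(xml_text) if res == "fail"]


def summarize(xml_text):
    """Count of rule results by outcome (pass, fail, notapplicable, ...)."""
    return dict(Counter(res for _, _, res in parse_rule_results(xml_text)))


def remediation_complete(xml_text, block_on=("high",)):
    """Step 8 gate: True only when no failing rule carries a blocking severity."""
    return not any(sev in block_on for _, sev in failing_rules(xml_text))


if __name__ == "__main__":
    for rid, sev in failing_rules(SAMPLE_RESULTS):
        print(f"FAIL [{sev}] {rid}")
    print("summary:", summarize(SAMPLE_RESULTS))
    print("gate passed:", remediation_complete(SAMPLE_RESULTS))
```

Point it at /var/log/oscap/owasp-secrets-initial-results.xml instead of SAMPLE_RESULTS to gate a real run; the same functions work on datastream-based results because the TestResult lookup is position-independent.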

Conclusion

Using OpenSCAP to address OWASP secrets management issues provides automated, repeatable compliance checks that reduce human error and mitigate risk. By integrating scans into your CI/CD pipeline and scheduling recurring audits, you can maintain continuous adherence to OWASP standards and protect sensitive credentials from exposure.
