Given a short assessment timeline and the need to identify hard-coded credentials in a large codebase, using an automated tool designed for this specific purpose is the most effective approach. Here’s an explanation of each option:
Run TruffleHog against a local clone of the application (Answer: A):
Explanation: TruffleHog is a specialized tool that scans for hard-coded secrets such as passwords, API keys, and other sensitive data within the code repositories.
Effectiveness: It quickly and automatically identifies potential credentials and other sensitive information across thousands of files, making it the most efficient choice under time constraints.
References: TruffleHog is widely recognized for its ability to uncover hidden secrets in code repositories, making it a valuable tool for penetration testers.
Scan the live web application using Nikto (Option B):
Explanation: Nikto is a web server scanner that identifies vulnerabilities in web applications.
Drawbacks: It is not designed to scan source code for hard-coded credentials. Instead, it focuses on web application vulnerabilities such as outdated software and misconfigurations.
Perform a manual code review of the Git repository (Option C):
Explanation: Manually reviewing code can be thorough but is extremely time-consuming, especially with thousands of files.
Drawbacks: Given the short timeline, this approach is impractical and inefficient for identifying hard-coded credentials quickly.
Use SCA software to scan the application source code (Option D):
Explanation: Software Composition Analysis (SCA) tools are used to analyze open source and third-party components within the code for vulnerabilities and license compliance.
Drawbacks: While SCA tools are useful for dependency analysis, they are not specifically tailored for finding hard-coded credentials.
Conclusion: Running TruffleHog against a local clone of the application is the most effective approach for quickly identifying hard-coded credentials in a large codebase within a limited timeframe.
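To make concrete what a tool such as TruffleHog automates across thousands of files, here is an added example (written for this page, not TruffleHog's own code) of a minimal secret scanner: it walks a local clone, reports credential formats with a recognisable prefix, credential-looking assignments, and high-entropy tokens, the heuristic TruffleHog popularised for catching secrets stored under unhelpful names. The patterns, the 4.0-bit entropy threshold and the sample file contents are illustrative choices made here, not TruffleHog's detector set.

```python
# Added example, not TruffleHog's own code; patterns are illustrative only.
import math
import os
import re
from collections import Counter

PATTERNS = {  # credential formats with a recognisable prefix
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# name = "value" or name: 'value' where the name itself suggests a credential
ASSIGNMENT = re.compile(r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]")
TOKEN = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")  # candidates for the entropy test

def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking secrets score around 4 or higher."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def scan_text(text: str, path: str = "<mem>", threshold: float = 4.0) -> list:
    """Return (path, line_no, kind, value) for each suspected secret in text."""
    out = []
    for no, line in enumerate(text.splitlines(), 1):
        for kind, pat in PATTERNS.items():
            out += [(path, no, kind, m.group(0)) for m in pat.finditer(line)]
        for m in ASSIGNMENT.finditer(line):
            out.append((path, no, "assignment:" + m.group(1).lower(), m.group(2)))
        for m in TOKEN.finditer(line):  # catches secrets with unhelpful names
            if shannon_entropy(m.group(0)) >= threshold:
                out.append((path, no, "high_entropy", m.group(0)))
    return out

def scan_tree(root: str, exts=(".py", ".js", ".yml", ".yaml", ".json", ".cfg")) -> list:
    """Walk a local clone, skipping .git; the extension filter avoids binaries."""
    out = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for fn in filenames:
            if fn.endswith(exts) or fn.startswith(".env"):
                p = os.path.join(dirpath, fn)
                with open(p, encoding="utf-8", errors="ignore") as f:
                    out += scan_text(f.read(), p)
    return out

SAMPLE = """DB_HOST = "db.internal"
DB_PASSWORD = "Sup3rS3cretPassw0rd!"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
signing_key = "q7Gx2vLp9ZkR4mNt8bWc3sYh"
PLACEHOLDER = "xxxxxxxxxxxxxxxxxxxxxxxx"
"""  # constructed sample file contents, not taken from any real project
```

Running `scan_text(SAMPLE, "settings.py")` flags the password assignment, the AWS-style key and the unnamed high-entropy `signing_key`, while the low-entropy placeholder passes, which is the trade-off any entropy threshold makes.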