Wanna know a secret? Ask a developer
Secrets are more than login credentials and personal data: they are what holds the components of the modern software supply chain together, from code to the cloud. Because of the leverage they provide, they are much sought after by attackers.
However, many breaches that occurred in 2022 show how inadequate the protection of secrets is. Research from automated detection specialist GitGuardian finds that one in 10 code authors exposed a secret in 2022.
In one example, in September 2022 an attacker breached Uber and used hard-coded admin credentials to log into Thycotic, the firm's privileged access management (PAM) platform, which gave them full account takeover of several internal tools and productivity applications.
More than 80 percent of all the secrets caught by live monitoring on GitHub are exposed through developers' personal repositories, and a large share of them are, in fact, corporate secrets. There are a number of reasons why this happens. Malicious behavior may be a factor, including hijacking corporate resources and other shady motives. But the sheer scale of the phenomenon hints at something else: most of this happens because of human error and misconfiguration.
"If a colleague in security said to me that secrets detection is not a priority, I would say that's a mistake," says Theo Cusnir, application security engineer at PayFit. "Most of the big security problems come from either social engineering attacks or credential stuffing. So, it's really important to know that your engineers and your employees are going to leak secrets. That's life. Most of the time, it's due to mistakes. But if it happens, we need to act on it. The more engineers there are, the more there is potential for leaks to happen."
Like many other security challenges, poor secrets hygiene involves a combination of people, processes, and tools. Organizations serious about taming secrets sprawl must work simultaneously on all these fronts.
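The tooling side of that combination usually means an automated scanner in the pipeline, because a hard-coded credential like the one in the Uber incident is exactly what such a check is built to catch before it is committed. What follows is an added example, not GitGuardian's or any vendor's code, of the two strategies secrets scanners combine: exact patterns for known token formats (the AWS access key ID prefix and the GitHub personal access token prefix are public formats) and a keyword-plus-entropy fallback for anything else. The sample script, the keyword list, the placeholder exclusion and the 3.5 bits-per-character threshold are assumptions constructed for this demonstration; none of the values belong to a real system.

```python
"""Minimal secrets scanner: pattern rules plus a keyword/entropy fallback.

Added example, not GitGuardian's or any vendor's code. The AWS and GitHub
token formats are public; the keyword rule, placeholder exclusion and
entropy threshold are assumptions chosen for this demo.
"""
import math
import re
from dataclasses import dataclass

# Specific, low-false-positive patterns for known token formats.
PATTERN_RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# Generic rule (assumed keyword list): a credential-looking name assigned a
# quoted literal of at least 8 characters.
KEYWORD_RULE = re.compile(
    r"(?i)(?:password|passwd|pwd|secret|token)\w*\s*[:=]\s*[\"']([^\"']{8,})[\"']"
)

# Quoted literals of 20+ characters, candidates for the entropy fallback.
STRING_LITERAL = re.compile(r"[\"']([^\"']{20,})[\"']")

# Values that are placeholders rather than secrets (assumed conventions):
# ${VAR}, <VAR>, %VAR%.
PLACEHOLDER = re.compile(r"^(\$\{[^}]*\}|<[^>]+>|%[^%]+%)$")

ENTROPY_THRESHOLD = 3.5  # bits per character; assumption tuned for this demo

# Constructed sample in the spirit of a deploy script with embedded PAM
# credentials. No value here belongs to a real system.
SAMPLE_SOURCE = """\
# deploy.ps1 (constructed for this example)
$pamUser = "svc-deploy"
$pamPassword = "Sup3rS3cretP@ss!"
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
GITHUB_TOKEN = "ghp_abcdefghijklmnopqrstuvwxyz0123456789"
db_password = "${DB_PASSWORD}"
session_id = "0f9d8c7b6a5e4d3c2b1a0f9e8d7c6b5a4f3e2d1c"
separator = "----------------------------------------"
greeting = "hello world"
"""


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    redacted: str


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's empirical character distribution."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(secret: str) -> str:
    """Never echo the full secret back into logs or CI output."""
    return secret[:4] + "..." + f"({len(secret)} chars)"


def scan(text: str) -> list[Finding]:
    """Scan source text line by line; most specific rule wins per value."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        seen: set[str] = set()  # values already reported on this line

        for name, pattern in PATTERN_RULES.items():
            for m in pattern.finditer(line):
                findings.append(Finding(line_no, name, redact(m.group(0))))
                seen.add(m.group(0))

        for m in KEYWORD_RULE.finditer(line):
            value = m.group(1)
            if value in seen or PLACEHOLDER.match(value):
                continue
            findings.append(Finding(line_no, "hardcoded-credential", redact(value)))
            seen.add(value)

        # Fallback: long, high-entropy literals that no rule above recognised
        # (catches unknown token formats; low-entropy filler is ignored).
        for m in STRING_LITERAL.finditer(line):
            value = m.group(1)
            if value in seen or PLACEHOLDER.match(value):
                continue
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append(Finding(line_no, "high-entropy-string", redact(value)))
                seen.add(value)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.rule}: {f.redacted}")
```

Run against the constructed sample it reports four findings: the PAM password on line 3 via the keyword rule, the AWS key on line 4 and the GitHub token on line 5 via exact patterns, and the hex session identifier on line 7 via the entropy fallback alone, while the `${DB_PASSWORD}` placeholder, the dash separator and the short greeting produce nothing. The ordering matters in practice: exact patterns first so a recognised token is not double-reported by the generic rules, and the entropy check last because it is the noisiest and is there only to catch formats nobody has written a pattern for yet.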
"Our mission is to secure code and the SDLC. We want to do it with a transparent, simple and pragmatic approach, starting first with one of the most important issues in appsec: secrets in code," says Eric Fourrier, GitGuardian's CEO.
You can get the full State of Secrets Sprawl 2023 report on the GitGuardian site and there will be a webinar to discuss the findings on March 22 at 11am ET.
Image credit: Dean Drobot / Shutterstock