It might come as a surprise, but secrets management has become the elephant in the AppSec room. While security vulnerabilities like Common Vulnerabilities and Exposures (CVEs) often make headlines in the cybersecurity world, secrets management remains an overlooked issue that can have immediate and impactful consequences for corporate safety.
A recent study by GitGuardian found that 75% of IT decision-makers in the US and the UK reported at least one secret leaked from an application, with 60% causing issues for the company or employees. Shockingly, less than half of respondents (48%) were confident in their ability to protect application secrets “to a great extent.”
The study, named Voice of Practitioners: The State of Secrets in AppSec (available for free download here), provides a fresh perspective on managing secrets, which is often reduced to clichés that do not reflect the operational reality in engineering departments.
Despite their ubiquity in modern cloud and development operations, secrets remain a thorny issue even for the most mature organizations. As the number of secrets simultaneously in use across the development cycle multiplies, it becomes all too easy for some of them to slip outside sound security controls and “leak.”
Protecting Application Secrets
When a secret has leaked, it is no longer a secret: for some period it is accessible to unauthorized systems or people. Leaks mainly occur internally, because secrets get copied and pasted into configuration files, source code files, emails, messaging apps, and more. Critically, if a developer hardcodes secrets into their code or configuration files and that code is pushed to a GitHub repository, the secrets are pushed with it. Another worst-case scenario arises when a malicious actor gets hold of internally leaked credentials after initial access, similar to what happened last year to Uber.
The Voice of Practitioners study shows that the danger of exposed secrets is acknowledged by a vast majority of the respondents. Seventy-five percent of the respondents said that a secret leak happened in their organization in the past, and 60% acknowledged it caused serious issues for the company, employees, or both.
When asked about the key risk points within their software supply chains, 58% found “source code and repositories” as the core risk area, with 53% for “open source dependencies” and 47% for “hard-coded secrets.”
Nevertheless, the responses indicate a significant gap in maturity. Specifically, less than half of the respondents (48%) are confident in their ability to protect application secrets to a great extent.
Additionally, more than a quarter (27%) of the respondents admitted relying on manual code reviews, which are notoriously ineffective at detecting hard-coded secrets, to prevent secret leaks.
Finally, the study also found that 53% of senior management (such as CSOs, CISOs, and VPs of cybersecurity) believe that secrets are shared in clear text through messaging apps.
Despite the challenges, there is hope for improvement. The study revealed that 94% of respondents plan to enhance their secrets practices in the next 12-18 months, a positive step towards better secrets management and corporate safety. However, secrets detection and remediation, as well as secrets management, deserve investment priority over other tooling such as runtime protection. While 38% of respondents plan to invest in runtime application protection tools, only 26% plan to allocate funds for secrets detection and remediation, and only 25% for secrets management.
A Comprehensive Secrets Management Program
More and more secrets get leaked every year. GitGuardian monitors the yearly number of leaks on the number one code-sharing platform, GitHub, and publishes the results in its annual State of Secrets Sprawl report. Once again, the numbers are cause for alarm: from 3 million secrets detected in 2021, the number jumped 67% to 10 million in 2022. And this is just the tip of the iceberg. Most of the leaks happen within the corporate perimeter, which makes it very difficult to estimate a global figure.
To address this growing risk, companies need to strengthen their secrets management as a priority to harden their defenses.
In a recent interview with GitGuardian, Ubisoft’s former CISO Jason Haddix described how the importance of secrets management became obvious after the company was targeted by the Lapsus$ hacking gang in March 2022. After speaking with 40 other affected CISOs, he came up with a four-axis approach to building a comprehensive secrets management program:
- Detect: being able to find all past leaks requires an automated tool and is a critical step to gaining visibility into a company’s actual security posture.
- Prevent: save time for the future by preventing leaks as much as possible, with secure guardrails such as pre-commit hooks.
- Respond: secrets get leaked because they need to be shared. Having tools to store, share and rotate these secrets along with fine-grained access controls is also critical.
- Educate: having continued learning sessions about secrets, not just for developers but for all employees, ensures the risks associated with hard-coding secrets and passwords, as well as the best practices, are understood.
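The Detect and Prevent axes above come down to scanning code for secrets before it leaves a developer's machine. As an added illustration that is not GitGuardian's tool or part of the original post, the script below is a minimal pre-commit hook: it scans the staged diff with two illustrative rules (an AWS access key ID prefix and a generic `key/secret/password/token = "..."` assignment filtered by Shannon entropy so placeholders are not flagged) and exits non-zero to abort the commit. The rule set, thresholds and sample diff are constructed assumptions.

```python
"""Illustrative pre-commit guard (added example, not a GitGuardian tool): scan staged diff for secrets."""
import math
import re
import subprocess
import sys

# Illustrative rules only; production scanners carry hundreds of provider-specific ones.
# Each rule: (name, pattern, minimum value entropy in bits/char before it is reported).
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), 0.0),
    ("generic-assignment",
     re.compile(r"(?i)(api[_-]?key|secret|password|token)\s*[:=]\s*['\"]([^'\"\s]{16,})['\"]"),
     3.5),
]

def shannon_entropy(s: str) -> float:
    """Bits per character: placeholders like REPLACE_ME score low, real keys score high."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def find_secrets(diff_text: str) -> list:
    """Return findings for added ('+') lines of a unified diff, with values redacted."""
    findings = []
    for lineno, line in enumerate(diff_text.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue  # only newly added content can introduce a new leak
        for name, pattern, min_entropy in RULES:
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(m.lastindex or 0)  # captured value, or whole match for prefix rules
            if shannon_entropy(value) < min_entropy:
                continue  # low-entropy placeholder, not worth blocking the commit on
            findings.append({"line": lineno, "rule": name,
                             "redacted": value[:4] + "*" * (len(value) - 4)})
    return findings

# Constructed sample diff; the AWS key is the placeholder value from AWS's own documentation.
SAMPLE_DIFF = """\
+++ b/config.py
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+api_key = "b7Q2xL9kP0mZ3rT8vW1yH5nJ"
+db_password = "REPLACE_ME_REPLACE_ME"
+LOG_LEVEL = "debug"
"""

def main(argv: list) -> int:
    diff_text = SAMPLE_DIFF if "--demo" in argv else subprocess.run(
        ["git", "diff", "--cached", "--unified=0"], capture_output=True, text=True).stdout
    found = find_secrets(diff_text)
    for f in found:
        print(f"{f['rule']} at diff line {f['line']}: {f['redacted']}", file=sys.stderr)
    return 1 if found else 0  # non-zero exit makes git abort the commit

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run with `--demo` to see it flag the two real-looking values and ignore the placeholder; installed as `.git/hooks/pre-commit` it inspects whatever is staged. Such a hook prevents new leaks only; finding secrets already in history still needs a full repository scan.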
Conclusion
The Voice of Practitioners study highlights the importance of a holistic secrets strategy in AppSec and provides valuable insights into the best practices for reducing the risks associated with secrets sprawl. Secrets management debt compounds over time: wait too long and the elephant in the room becomes too big to ignore, putting your organization at risk of serious consequences.
If you’re looking to improve your secrets management program, a simple step you can take right now is to request a free audit of your company’s secrets leaks on GitHub from GitGuardian. The automatic report you’ll receive will show you the number of active developers on GitHub, the number of secrets found exposed on GitHub’s repositories over time (categorized), and the percentage of valid secrets among them.
This will help you accurately determine your developer perimeter on GitHub, evaluate the order of magnitude of the risk your company is facing, and take the first step towards a comprehensive secrets management program.