The Increasing Threat of Secret Shift and the Need for Action
The most valuable assets in today’s information age are secrets guarded with lock and key. Unfortunately, keeping secrets is becoming more and more challenging, as The State Secrets Revealed in 2023 report, the largest analysis of public GitHub activity.
The report shows a An increase of 67% year over year in the number of secrets discovered, with 10 million hard-coded secrets detected in 2022 alone. This worrying spike highlights the covert spread need for action and underscores the importance of secure software development.
Sprawl secrets refer to secrets that appear in plain text in various sources, such as source code, build scripts, infrastructure as code, logs, etc. While secrets such as API tokens and private keys securely connect components of a modern software supply chain, their widespread distribution between developers, machines, applications, and infrastructure systems increases the likelihood of leaks.
Cybersecurity Incident Highlights Hard-Coded Secret Dangers
Two high-profile cybersecurity incidents involving Uber and Toyota have underscored the urgent need to address the issue of confidential distribution and prioritize code security. As awareness around this issue increases, companies must prioritize protecting secrets and investing in innovative solutions that detect and remediate potential threats.
Uber suffered an attack in which an attacker gained access to a critical system using hard-coded admin credentials found in a PowerShell script. Instead, Toyota inadvertently disclosed credentials that granted access to customer data in its public GitHub repository for almost five years. Both incidents serve as striking reminders of the risks associated with spreading secrets. Moreover, as the report points out, most security incidents involve, at some point, secrets: perhaps the keys are exploited by attackers or exposed through leaked source code, for example.
Major Blind Spots in Application Security
With 1 out of every 10 coders uncovered the secret in 2022, it was evident that this issue transcends experience levels and affects developers as a whole.
Confidential management has received increasing attention as more organizations scrutinize their software supply chain processes after a series of high-profile security breaches. Cybersecurity teams have traditionally focused on identifying vulnerabilities rather than disclosing less secure credentials. As a result, many applications running in production environments may have undiscovered secrets management issues.
In a perfect scenario, adopting DevSecOps best practices would address this growing problem. However, with the constant expansion of the code repository, more fundamental errors appear. Recognizing software supply chain vulnerabilities, cybercriminals proactively scan repositories for secrets that could facilitate app breaches.
The problem is likely to worsen as attacks on the software supply chain are expected to increase. As technology advances and code becomes more entwined with our everyday lives, the risks associated with spreading secrets become more urgent.
The intensive focus on securing software supply chains, especially in light of the Biden administration’s National Cybersecurity Strategy, will hopefully encourage more IT organizations to implement end-to-end security measures in their software development lifecycle. As a result, DevOps teams should anticipate increased focus on confidential management from cybersecurity experts.
Embrace Proactive Actions to Reduce the Risk of Disclosure of Secrets
To combat this growing threat, organizations must prioritize protecting their secrets and investing in solutions to detect and address potential vulnerabilities.
The continued growth of the all-as-code paradigm and the commoditization of digital infrastructure and services mean that software, code and secrets will only become more important in their day-to-day business operations.
The risk of disclosure of secrets cannot be completely eliminated, even with a centralized secrets management system. But it can be mitigated by tackling poor secret hygiene practices and implementing a repair playbook.
To measure how much a covert detection and remediation program can bring to your organization, you can use our free Value Calculator to estimate possible costs No dealing with debt guarantees consisting of thousands of hard-coded secrets today.
By learning to deal with these issues and deploying the right tools and resources, companies can significantly reduce the associated risks leaked and exploited secrets.
In conclusion, covert dissemination is a growing threat that requires immediate attention from organizations. With the right tools and strategies, companies can reduce the risks associated with leaked and exploited secrets. It’s time to prioritize confidential management and invest in innovative solutions to ensure our secrets stay safe and secure.
In a world where information is power, it’s time to take action and ensure our secrets are kept safely under lock and key.
