It may come as a surprise, but secrets management has become the elephant in the room of AppSec. While security vulnerabilities such as Common Vulnerabilities and Exposures (CVEs) frequently make headlines in the cybersecurity world, secrets management remains an overlooked issue that can have immediate and severe consequences for enterprise security.
A recent study by GitGuardian found that 75% of IT decision makers in the US and UK reported at least one secret leak from an application, and 60% of those said the leak caused problems for the company or its employees. Surprisingly, fewer than half of respondents (48%) are confident in their ability to protect "most" of their application secrets.
The study, titled The Voice of the Practitioner: The State of Secrets in AppSec (available as a free download), offers a fresh perspective on secrets management, a topic too often reduced to clichés that do not reflect the operational realities of engineering departments.
Although secrets are everywhere in modern cloud and DevOps workflows, they remain a thorny issue for even the most mature organizations. As the number of secrets in concurrent use across the development cycle keeps multiplying, it becomes all too easy to drift away from good security practice and leak them.
Protect App Secrets
When a secret is leaked, it is no longer a secret: unauthorized systems or people can use it for as long as it remains valid. Leaks mostly originate internally, as secrets are copied and pasted into configuration files, source code files, e-mail, messaging applications, and more. Critically, if a developer hardcodes a secret into code or a configuration file and that code is pushed to a GitHub repository, the secret is pushed with it. Another worst-case scenario arises when a malicious actor who has already gained initial access finds leaked credentials inside the network and uses them to go further, as happened in the Uber breach last year.
The Voice of the Practitioner study shows that the dangers of exposed secrets are recognized by most respondents. Seventy-five percent said that secret leaks had occurred in their organization in the past, and 60% admitted that these caused serious problems for the company, its employees, or both.
When asked about the main risk points in their software supply chain, 58% named "source code and repositories" as the core risk area, followed by "open-source dependencies" (53%) and "hard-coded secrets" (47%).
Nevertheless, the responses reveal a significant maturity gap. Specifically, fewer than half of respondents (48%) are confident in their ability to protect most of their application secrets:
[Figure: From The Voice of the Practitioner: The State of Secrets in AppSec]
In addition, more than a quarter (27%) of respondents admit to relying on manual code review to prevent secret leaks, an approach that is largely ineffective at catching hard-coded secrets.
Finally, the study also found that 53% of senior management (such as CSOs, CISOs and cybersecurity VPs) believe secrets are shared in clear text via messaging apps.
Despite the challenges, there is room for optimism: 94% of respondents plan to improve their secrets practices in the next 12 to 18 months, a positive step towards better protection of company secrets. Investment priorities, however, look inverted. Secrets detection, remediation and management should take precedence over other tooling such as runtime protection, yet while 38% of respondents plan to invest in application runtime protection tools, only 26% plan to fund secrets detection and remediation, and only 25% secrets management.
A Comprehensive Secrets Management Program
More secrets are leaked every year. GitGuardian tracks the number of secrets leaked annually on GitHub, the largest code-sharing platform, and publishes the results in its annual State of Secrets Sprawl report. Again, the numbers are alarming: from 6 million secrets detected in 2021, the count jumped 67% to 10 million in 2022. And this is only the tip of the iceberg: most leaks happen inside company boundaries, which makes global figures very hard to estimate.
To address these growing risks, companies need to make secrets management a priority in order to strengthen their defenses.
In a recent interview with GitGuardian, former Ubisoft CISO Jason Haddix explained how the importance of secrets management became clear after the company was targeted by the Lapsus$ hacker group in March 2022. After talking to 40 other affected CISOs, he laid out a four-axis approach to building a comprehensive secrets management program:
- Detect: finding all past leaks requires automated tools and is an essential step towards visibility into a company's true security posture.
- Prevent: save time in the future by stopping leaks as early as possible, with guardrails such as pre-commit hooks.
- Respond: secrets leak because they need to be shared. Having tools to store, share and rotate them, with fine-grained access controls, is just as important.
- Educate: ongoing training sessions on secrets, not only for developers but for all employees, so that the risks of hard-coding secrets and passwords, as well as best practices, are understood.
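To make the Detect and Prevent axes concrete, and to show why automated detection catches what manual review misses, here is a minimal pre-commit secret scanner. It is an added example written for this article, not code from GitGuardian, ggshield or the study. It combines regexes for publicly documented credential formats (AWS access key IDs, GitHub personal access tokens, PEM private-key headers) with a Shannon-entropy test for generic "name = value" assignments. The keyword list, the 16-character minimum and the 3.5 bits-per-character threshold are assumptions chosen for illustration; the sample settings file is constructed, with the AWS key taken from the AWS documentation example and every other value made up.

```python
"""Illustrative pre-commit secret scanner (added example; not ggshield or any
GitGuardian code). Two detection techniques are combined: regexes for known
credential formats and a Shannon-entropy filter for generic assignments.
Install as .git/hooks/pre-commit to block commits that add a hard-coded secret."""
import math
import re
import subprocess
import sys
from dataclasses import dataclass

# Known credential formats. The AWS and GitHub prefixes are publicly
# documented; the PEM header is the standard one.
SPECIFIC_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Generic rule: a variable whose name suggests a credential, assigned a value
# of 16+ token-like characters. Keyword list and length are assumptions.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)(?:secret|token|password|passwd|api[_-]?key)[a-z0-9_]*"
    r"\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-]{16,})"
)

# Bits per character below which a generic match is treated as a placeholder
# such as "REPLACE_ME_REPLACE_ME". Assumed value; tune it on your own code.
ENTROPY_THRESHOLD = 3.5


def shannon_entropy(s: str) -> float:
    """Shannon entropy of a string in bits per character (0.0 for empty)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass
class Finding:
    path: str
    line_no: int
    rule: str
    value: str


def scan_text(path: str, text: str) -> list:
    """Scan one file's content. A known-format match on a line takes
    precedence over the generic rule so that each secret is reported once."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        specific_hit = False
        for rule, pattern in SPECIFIC_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append(Finding(path, line_no, rule, m.group(0)))
                specific_hit = True
        if specific_hit:
            continue
        for m in GENERIC_ASSIGNMENT.finditer(line):
            value = m.group(1)
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append(Finding(path, line_no, "generic_assignment", value))
    return findings


def staged_files() -> list:
    """Paths added, copied, modified or renamed in the index (what the commit will contain)."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACMR"],
        check=True, capture_output=True, text=True,
    ).stdout
    return [p for p in out.splitlines() if p]


def scan_staged() -> list:
    """Scan the staged (index) version of each file, not the working copy."""
    findings = []
    for path in staged_files():
        blob = subprocess.run(["git", "show", f":{path}"], check=True, capture_output=True).stdout
        findings.extend(scan_text(path, blob.decode("utf-8", errors="replace")))
    return findings


# Constructed sample; none of these values are live credentials. The AWS key is
# the example key from AWS documentation, the other values are made up.
SAMPLE_SOURCE = """\
# constructed sample settings file
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
DB_PASSWORD = "REPLACE_ME_REPLACE_ME"
API_KEY = "q7Gh2kLm9PzXw4Vb8NtYr3Sd"
GITHUB_TOKEN = "ghp_0123456789abcdefghijABCDEFGHIJklmnop"
-----BEGIN RSA PRIVATE KEY-----
timeout_seconds = 30
"""


def sample_findings() -> list:
    """Run the scanner over SAMPLE_SOURCE as the worked demonstration."""
    return scan_text("settings.py", SAMPLE_SOURCE)


if __name__ == "__main__":
    # `python scan.py --demo` scans the constructed sample; with no argument it
    # scans the git index, i.e. behaves as a pre-commit hook.
    results = sample_findings() if "--demo" in sys.argv else scan_staged()
    for f in results:
        # Print only a prefix: the hook's own output must not leak the secret.
        print(f"{f.path}:{f.line_no}: {f.rule} ({f.value[:4]}...)", file=sys.stderr)
    sys.exit(1 if results else 0)
```

Run with `--demo` and the scanner reports the AWS key on line 2, the high-entropy API key on line 4, the GitHub token on line 5 and the PEM header on line 6, while skipping the low-entropy `DB_PASSWORD` placeholder on line 3. Two design points matter for a real hook: it reads the staged blob with `git show :path` rather than the working copy, because that is what the commit will actually contain, and it never prints the full match. The entropy filter also shows the limit of pattern-based detection: a real but low-entropy password slips through, which is why detection tooling pairs such rules with validity checks against the issuing service.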
The Voice of the Practitioner study highlights the importance of a holistic secrets strategy in AppSec and provides valuable insights into best practices for mitigating the risks of leaked secrets. Secrets management behaves like a debt that builds up over time. If you wait too long, the elephant in the room eventually becomes too big to ignore, exposing your organization to serious consequences.
If you want to upgrade your secrets management program, the simplest step you can take now is to request a free audit of your company's secrets leaked on GitHub from GitGuardian. The automated report shows the number of active developers on GitHub, the number of secrets found exposed in GitHub repositories over time (by category), and the percentage of those secrets that are still valid.
This will help you accurately define your developer perimeter on GitHub, gauge the order of magnitude of the risk your company faces, and take the first step towards a comprehensive secrets management program.