
Image: Scott Graham (unsplash)
Improbably, secrets management is becoming an unaddressed issue in the AppSec world. While vulnerabilities such as those catalogued as Common Vulnerabilities and Exposures (CVEs) tend to get the spotlight in cybersecurity, secrets management is a neglected area that can create swift and significant risk to corporate security.
GitGuardian’s recent research found that 75% of IT decision-makers in the US and the UK had experienced at least one secret exposure from an application, and that 60% of those exposures caused problems for the company or its employees. Astonishingly, fewer than half of respondents (48%) expressed strong confidence in their ability to safeguard application secrets.
The report, titled Voice of Practitioners: The State of Secrets in AppSec (freely downloadable here), offers a fresh perspective on secrets management, a topic too often reduced to unexamined clichés that misrepresent what actually happens in engineering teams.
Despite being everywhere in modern cloud and development operations, secrets remain a challenge even for the most advanced organizations. As the number of secrets in use across the development cycle grows, so does the risk of losing control of them and of unintentional “leaks.”
Safeguarding Application Secrets
When a secret is exposed, it loses its confidentiality: for some period it is readable by systems or people who were never meant to have it. Most exposures happen internally, when secrets are copied and pasted into configuration files, source code, emails, messaging apps and other places. Crucially, if a developer embeds secrets in code or configuration files and pushes that code to a GitHub repository, the secrets go with it. The alarming scenario is an attacker who, having gained initial access, takes over internally exposed credentials, as happened in last year’s incident involving Uber.
The Voice of Practitioners report confirms that the vast majority of respondents recognize the danger of leaked secrets. Three-quarters admitted to a past secret exposure incident in their organization, and 60% conceded that it caused serious problems for the company, its employees, or both.
Asked about the main risk points in their software supply chains, 58% named “source code and repositories” as the central risk area, followed by “open source dependencies” (53%) and “hard-coded secrets” (47%).
Yet the responses also reveal a significant maturity gap: fewer than half of respondents (48%) are confident in their ability to protect application secrets effectively.
Furthermore, over a quarter (27%) of respondents admitted that they rely on manual code reviews to prevent secret leaks, an approach that is notoriously unreliable for catching hard-coded secrets.
Interestingly, the research also found that 53% of senior management (CSOs, CISOs and VPs of cybersecurity) believe that secrets are openly shared through messaging apps.
Despite these hurdles, the outlook is optimistic. An impressive 94% of respondents plan to improve their secrets practices over the next 12 to 18 months, a promising step towards better secrets management and corporate security. However, secrets detection and remediation, and secrets management itself, deserve a higher investment priority than tools such as runtime application protection: while 38% of respondents plan to invest in runtime application protection tools, only 26% and 25% respectively plan to spend on secrets detection and remediation and on secrets management.
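What a manual review tends to miss is exactly what an automated pre-commit or CI check catches cheaply: a known-format token, or a credential-looking variable assigned a random-looking literal. The scanner below is an added example written for this article, not the report’s or GitGuardian’s own tooling. It combines fixed patterns for well-known key formats with a Shannon-entropy test for the generic case, and it reports only a redacted fragment so the scanner does not itself become another place the secret is copied to. The sample files, the SLACK_TOKEN value and the entropy threshold are constructed for the demonstration; the AWS values are the placeholder credentials from AWS’s own documentation.

```python
"""Minimal hard-coded secret scanner (added example; not GitGuardian code)."""
import math
import re

# Known-format credentials: a regex alone is conclusive, no entropy test needed.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Generic case: a credential-looking name assigned a literal (quotes optional,
# so .env files and YAML are covered as well as Python/JS source).
ASSIGNMENT = re.compile(
    r"(?i)\b(?P<name>[a-z0-9_.-]*(?:secret|token|password|passwd|api[_-]?key)[a-z0-9_.-]*)"
    r"\s*[:=]\s*['\"]?(?P<value>[^\s'\"#]{8,})['\"]?"
)

# Bits per character above which a literal is treated as random-looking.
# Assumption: a tuning value for this example, not a standard.
ENTROPY_THRESHOLD = 3.5


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for empty input)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_placeholder(value: str) -> bool:
    """Template references are not leaked secrets, whatever their entropy."""
    return value.startswith(("${", "{{", "<", "%("))


def redact(value: str) -> str:
    """Never echo the secret itself into scanner output, CI logs or tickets."""
    if len(value) <= 8:
        return "***"
    return f"{value[:4]}...{value[-2:]}"


def scan_lines(path: str, lines) -> list:
    """Return one finding dict per suspicious line in a single file."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        matched = False
        for rule, pattern in PATTERNS.items():
            m = pattern.search(line)
            if m:
                findings.append({"path": path, "line": lineno, "rule": rule,
                                 "match": redact(m.group(0))})
                matched = True
        if matched:
            continue  # do not report the same credential twice via the generic rule
        m = ASSIGNMENT.search(line)
        if not m:
            continue
        value = m.group("value")
        if looks_like_placeholder(value) or shannon_entropy(value) < ENTROPY_THRESHOLD:
            continue
        findings.append({"path": path, "line": lineno, "rule": "generic_high_entropy",
                         "name": m.group("name"), "match": redact(value)})
    return findings


def scan_repo(files: dict) -> list:
    """files maps a path to its lines, as a pre-commit hook reads staged content."""
    findings = []
    for path, lines in files.items():
        findings.extend(scan_lines(path, lines))
    return findings


# Constructed sample repository content for the demonstration.
SAMPLE_FILES = {
    "config/settings.py": [
        "DEBUG = True",
        'DB_PASSWORD = "changeme"',                      # low-entropy stand-in: ignored
        'API_KEY = "${VAULT_API_KEY}"',                  # template reference: ignored
        'SLACK_TOKEN = "x7Gq2Lp9Vb4Rt8Kw1Mz6Yc3Hd5Nf0Sj"',  # constructed random literal
    ],
    "deploy/.env": [
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",        # AWS documentation placeholder
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    ],
}

if __name__ == "__main__":
    for f in scan_repo(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']}: {f['rule']} ({f['match']})")
```

Run against the constructed sample it reports three findings: the Slack-style token in settings.py, the AWS access key ID by its fixed AKIA prefix, and the AWS secret by entropy. The placeholder password and the Vault template reference are correctly left alone. The two knobs a team would tune are the entropy threshold (too low and every URL path becomes a finding) and the name pattern; a real deployment would add an allowlist for test fixtures and run this as a pre-commit hook and again in CI, since the hook can be skipped locally.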