You Don’t Know Where Your Secrets Are

Secrets management maturity model

Do you know where your secrets are? If not, I can tell you: you are not alone.

Hundreds of CISOs, CSOs, and security leaders from large and small companies do not know either. Regardless of your organization’s size, qualifications, tools, people, or processes, 99% of the time sensitive information goes unseen.

It may sound silly at first. Confidentiality is an obvious first thought when thinking about security in the development lifecycle. Whether in the cloud or on-premises, we know that secrets are safely stored behind hard gates that most people cannot access. This is more than just a matter of common sense; it is also a mandatory compliance requirement for security audits and certifications.

Developers working in organizations are well aware that secrets must be handled with special care. They have put in place specific tools and procedures to correctly create, communicate and rotate human and machine credentials.

Still, do you know where your secrets are?

Secrets sprawl across systems, and they spread faster than most people realize. Secrets are copied and pasted into configuration files, scripts, source code, or private messages without much thought. Think about it: a developer hardcodes an API key to quickly test a program and accidentally commits and pushes that work to a remote repository. Are you confident that you can detect such an incident in a timely manner?

Poor auditing and remediation capabilities are part of the reason secrets are difficult to manage. They are also the areas least addressed by security frameworks. But these gray areas, where invisible vulnerabilities stay hidden for long periods of time, are blatant holes in the defensive layers.

Recognizing this gap, we have developed a self-assessment tool to measure the size of this unknown. Taking your inventory requires five minutes (and is completely anonymous) to answer eight questions about your organization’s security posture for sensitive information.

So, how well do you know your secrets?

Secret management maturity model

Sound secrets management is an important defensive tactic to consider in building a comprehensive security posture. We have built a framework (white paper here) to help security leaders understand their posture in practice and adopt more mature enterprise secrets management practices in three phases:

  1. Evaluation of confidentiality leakage risk
  2. Establishing a modern secrets management workflow
  3. Create a roadmap to improve vulnerable areas

The fundamental point this model addresses is that secrets management goes far beyond how an organization stores and distributes secrets. Not only does it require coordinating people, tools and processes, it is also a program that accounts for human error. Errors are not avoidable! As a consequence, detection and remediation tools and policies, alongside secret storage and distribution, form the pillars of the maturity model.

The secrets management maturity model considers four attack surfaces of the DevOps lifecycle.

  • Developer environment
  • Source code repository
  • CI/CD pipeline and artifacts
  • Runtime environment

We then created a maturity ramp-up with five levels, from 0 (novice) to 4 (expert). Going from 0 to 1 is largely about assessing the risks posed by insecure software development practices and starting to audit your digital assets for hard-coded credentials. At the intermediate level (Level 2), secret scanning becomes more systematic and secrets are carefully shared across the DevOps lifecycle. Levels 3 (Advanced) and 4 (Expert) focus on risk reduction through clearer policies, better controls, and increased shared responsibility for remediating incidents.

Another important consideration for this framework is that making secrets difficult to use in a DevOps context inevitably leads to people bypassing the layers of protection in place. As with everything else in security, the answer lies in a balance between protection and flexibility. This is why using a vault or secrets manager only starts from the intermediate level. The idea is that a secrets manager should be viewed as an additional layer of defense rather than as a standalone solution. To be effective, other processes, such as continuous scanning of pull requests, must be mature enough.
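The scenario described earlier, a developer hardcoding an API key and pushing it to a remote repository, is exactly what continuous scanning of pull requests is meant to catch. The following is an added example, not code from the original article or from the authors’ product: a small scanner that parses a unified diff, looks only at added lines, and reports known credential formats (the public AWS `AKIA…` and GitHub `ghp_…` prefixes, PEM private-key headers) plus a heuristic `key = "value"` rule that is only raised when the value has high Shannon entropy, so that placeholders are not flagged. The sample diff, the rule names and the entropy threshold are constructed assumptions; the AWS key in it is the documentation example key, not a live credential.

```python
import math
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Detection rules. The AWS and GitHub prefixes are the public formats of those
# credential types; the generic rule is a heuristic for key = "value" lines and
# is only reported when the value looks random (high entropy). Rule names are
# this example's own choice, not a standard taxonomy.
SPECIFIC_RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
GENERIC_RULE = re.compile(
    r"(?i)(?:api[_-]?key|secret|passw(?:or)?d|token)\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{16,})"
)
ENTROPY_THRESHOLD = 3.0  # bits per character (assumed cut-off); "xxxxxxxx" scores 0

HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass
class Finding:
    rule: str
    line_no: int   # line number in the new version of the file
    redacted: str  # never log or store the full secret


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for a repeated single character)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep a short prefix so the finding can be triaged, mask the rest."""
    return value[:4] + "*" * (len(value) - 4)


def added_lines(diff_text: str) -> Iterator[Tuple[int, str]]:
    """Yield (new_file_line_number, content) for every '+' line of a unified diff.

    Line numbers are tracked from the '+start' field of each @@ hunk header;
    '---'/'+++' file headers are skipped, context lines advance the counter.
    """
    new_no = 0
    for raw in diff_text.splitlines():
        m = HUNK_RE.match(raw)
        if m:
            new_no = int(m.group(1))
            continue
        if raw.startswith("+++") or raw.startswith("---"):
            continue
        if raw.startswith("+"):
            yield new_no, raw[1:]
            new_no += 1
        elif not raw.startswith("-"):
            new_no += 1  # context line: present in the new file but not newly added


def scan_line(line_no: int, line: str) -> List[Finding]:
    findings = []
    for name, rx in SPECIFIC_RULES.items():
        for m in rx.finditer(line):
            findings.append(Finding(name, line_no, redact(m.group(0))))
    if findings:
        return findings  # a specific rule already explains this line
    m = GENERIC_RULE.search(line)
    if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
        findings.append(Finding("generic_assignment", line_no, redact(m.group(1))))
    return findings


def scan_diff(diff_text: str) -> List[Finding]:
    """Scan only the lines a pull request adds; removed lines are not reported."""
    return [f for no, line in added_lines(diff_text) for f in scan_line(no, line)]


# Constructed sample pull-request diff: one real-format (documentation) AWS key,
# one obvious placeholder that must NOT be flagged, one random-looking password.
SAMPLE_DIFF = """\
diff --git a/app/config.py b/app/config.py
--- a/app/config.py
+++ b/app/config.py
@@ -1,3 +1,6 @@
 import os
-AWS_KEY = os.environ["AWS_ACCESS_KEY_ID"]
+# TODO remove before merge
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+password = "xxxxxxxxxxxxxxxxxxxx"
+db_password = "q7Vn3pZk9LmT2xWb8RcY4sHd"
 DEBUG = False
"""

if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"line {f.line_no}: {f.rule} -> {f.redacted}")
```

Run as a script, it reports the AWS key on line 3 and the high-entropy password on line 5, and stays silent on the `xxxxxxxx` placeholder on line 4. Scanning only added lines keeps the check fast enough to run on every pull request, which is the “continuous scanning” the maturity model expects before a vault is treated as a sufficient control; the entropy threshold is the knob that trades false positives against missed low-entropy secrets.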

Here are some of the questions this model asks to help assess maturity:

  • How often are secrets rotated in production?
  • How easy is it to rotate secrets?
  • How are secrets distributed during the development, integration, and production phases?
  • What measures are in place to prevent insecure distribution of credentials, such as credentials on local machines?
  • Do CI/CD pipeline credentials follow the principle of least privilege?
  • What steps are in place to prepare for the worst?

Overhauling the secrets management regime should be a top priority in 2023. First, everyone who works with source code has to deal with secrets at least occasionally, if not every day. Secrets are no longer the prerogative of security or DevOps engineers. They are needed by an increasing number of people, including ML engineers, data scientists, product, and operations teams. Second, if you don’t know where your secrets are, hackers will find them.

Hackers will find your secrets

The risks posed to organizations that fail to adopt mature secrets management practices cannot be overstated. Development environments, source code repositories, and CI/CD pipelines are easy targets for hackers. For hackers, secrets are the gateway to lateral movement and compromise.

Recent examples highlight the vulnerability of secrets controls in even the most technologically mature organizations.

In September 2022, attackers accessed Uber’s internal network and found administrator credentials hardcoded on a network drive. The secret was used to log into Uber’s privileged access management platform. There, even more plaintext credentials were stored in files and throughout scripts. The attackers were then able to take over AWS, GCP, Google Drive, Slack, SentinelOne, HackerOne, and other admin accounts.

In August of the same year, the password manager LastPass fell victim to an attacker who had stolen the credentials of a software developer and was able to impersonate the individual and gain access to the development environment. In late December, the company revealed that someone had used the information to steal source code and customer data.

In fact, in 2022, source code leaks proved to be a veritable minefield for organizations. NVIDIA, Samsung, Microsoft, Dropbox, Okta, Slack and others were victims of source code leaks. In May, we warned that analyzing these codebases could yield a large harvest of credentials. Armed with these, attackers can pivot into hundreds of dependent systems, in what are known as supply chain attacks.

Finally, and more recently, in January 2023, continuous integration provider CircleCI was also compromised, exposing hundreds of customer environment variables, tokens, and keys. The company urged customers to immediately change passwords, SSH keys, or other secrets stored or managed on the platform. Still, to hit the emergency button, victims need to know where these secrets are and how they are being used!

This was a strong case for preparing contingency plans.

The lesson from all these incidents is that attackers have realized that compromising machine or human identities offers a higher return on investment. These are all signs of the urgency of dealing with hardcoded credentials and overhauling common secrets controls.

The last word

In cybersecurity, there is a saying: “Encryption is easy, but key management is hard.” This is still true today, and not just for encryption keys. Our world of hyperconnected services relies on hundreds of different keys or secrets to function properly. If mismanaged, each of these is a potential attack vector.

Knowing where secrets are in practice as well as in theory, and how they are used along the software development chain, is critical to security. To help our customers, we have created maturity models specifically for secrets distribution, leak detection, remediation processes, and rotation habits.

The first step is always a clear audit of your organization’s security posture regarding sensitive information. Where and how is sensitive information used? Where does it leak? How do you prepare for the worst? This alone can be a lifesaver in an emergency. Find out where you stand with our survey and learn how to go from there with our white paper.

Given the recent attacks on development environments and business tools, companies that want to effectively defend themselves need to clear the gray areas of their development cycle as soon as possible.
