The most valuable assets in today’s information age are well-kept secrets. Unfortunately, as highlighted in his 2023 State of Secrets Sprawl report, the largest analysis of public activity on GitHub, keeping secrets is becoming increasingly difficult.
The report shows: 67% increase YoY In 2022 alone, 10 million hard-coded secrets were discovered in Discovered Secrets.Highlights of this amazing secret surge need for action And it emphasizes the importance of secure software development.
Secret sprawl refers to secrets that appear in plaintext in various sources, such as source code, build scripts, infrastructure as code, and logs. Secrets such as API tokens and private keys securely connect components of modern software supply chains, but their widespread distribution can lead to information leakage between developers, machines, applications, and infrastructure systems. higher.
Cybersecurity incident highlights the dangers of hardcoded secrets
Two high-profile cybersecurity incidents involving Uber and Toyota have highlighted the urgent need to address the issue of confidential proliferation and prioritize code security. As awareness of this issue grows, it is imperative that businesses prioritize protecting confidentiality and invest in innovative solutions to detect and remediate potential threats.
Uber was hit with an attack in which an attacker used admin credentials hardcoded within a PowerShell script to access critical systems. In contrast, Toyota accidentally disclosed credentials that allowed access to customer data in public GitHub repositories for about five years. Both incidents serve as stark reminders of the risks involved in spreading secrets. Additionally, as the report points out, most security incidents involve a secret at some point. For example, the key could be used by an attacker or exposed through leaked source code.
A Big Blind Spot in Application Security
and 1 in 10 coders With the secrets exposed in 2022, it’s clear that this problem has crossed the experience level and plagues developers at large.
As more organizations scrutinize their software supply chain processes in the wake of a series of high-profile security breaches, the focus on security controls is on the rise. Cybersecurity teams have historically focused more on identifying vulnerabilities than on revealing insecure credentials. As a result, undiscovered secrets management issues can exist in myriad applications running in production.
In a perfect scenario, adopting DevSecOps best practices can address this growing problem. However, as code repositories continue to grow, more basic errors begin to occur. Software Supply Realizing vulnerabilities in her chain, cybercriminals actively scan repositories to find secrets that could facilitate application compromise.
The problem is likely to get worse as attacks against software supply chains are expected to escalate. As technology advances and code becomes more closely related to our daily lives, the risks associated with spreading secrets become more pressing.
Increased focus on securing the software supply chain has led more IT organizations to adopt end-to-end security measures within the software development lifecycle, especially given the Biden Administration’s National Cybersecurity Strategy. It is expected that As a result, DevOps teams should expect increased focus on confidentiality management by cybersecurity professionals.
Employs proactive measures to reduce secret sprawl risk
To combat this growing threat, organizations must prioritize protecting confidentiality and invest in solutions to detect and address potential vulnerabilities.
The continued growth of the Everything-as-Code paradigm and the commoditization of digital infrastructure and services mean that software, code and sensitive information will become increasingly important to daily business operations.
The risk of secret disclosure cannot be completely eliminated even with a centralized secret management system. However, addressing inadequate confidential hygiene practices and implementing remediation handbooks can mitigate this problem..
To gauge the impact of your confidential detection and remediation program on your organization, you can use our free value calculator to estimate your expected costs. no Today we are dealing with security debt consisting of thousands of hard-coded secrets.
By learning how to deal with this problem and having the right tools and resources in place, businesses can greatly reduce the risks associated with exposure and misuse of confidential information.
In conclusion, the spread of secrets is a growing threat and organizations must act now.. With the right tools and strategies in place, businesses can mitigate the risks associated with confidential disclosure and misuse. It’s time to prioritize secret management and invest in innovative solutions to keep your secrets safe.
In a world where information is power, now is the time to act and ensure secrets are kept safe.
