According to a recent report by GitGuardian, more than 5,000 development secrets (private keys, database connection strings, certificates, and passwords) are leaked in GitHub repositories every single day, threatening the security of applications and sensitive data.
Git repositories are skyrocketing
GitHub is the place for software developers to showcase their work and contribute to millions of projects that form the building blocks of modern software development. GitHub calls this universe the “octoverse” and, according to a recent report, it gathers more than 50 million developers working on their personal or professional projects.
Development activity on GitHub has skyrocketed during 2020, with the number of repositories increasing by 35% and the average active user contributing 25% more to open source projects, according to the GitHub "State of the Octoverse" report.
"Open source is the connective tissue for much of the information economy," states GitHub. "You would be hard-pressed to find a scenario where your data does not pass through at least one open source component. Many of the services and technology we all rely on, from banking to healthcare, also rely on open source software."
“Secrets sprawl” is a real threat
With such a vast body of code publicly available, a huge amount of sensitive data is also unknowingly or accidentally pushed to the platform. This data consists of secrets such as API keys, credentials, and other digital authentication strings. The threat is that attackers can use these secrets to gain access to infrastructure, systems and PII. A public repository is the worst place for a secret to end up because code is so widely distributed through GitHub and git keeps a complete record of a repository's history.
The problem is much worse than many may anticipate. According to the “State of Secrets Sprawl on GitHub” report by GitGuardian, more than 5,000 passwords, private keys, and other development "secrets" are leaked every day when programmers push code to online repositories — a year-over-year increase of 20%. Leaked secrets make the software and the developer's infrastructure more susceptible to attacks.
"Cybersecurity is largely about human mistakes," says Jeremy Thomas, CEO of GitGuardian. "This is still a rare event that we are preventing but a serious one, and developers have to assume that they are going to make mistakes."
In addition, GitGuardian highlights that developers often use the same account for personal and corporate development. 85% of leaked secrets are found in developers’ personal repositories, while 15% are in public repositories owned by businesses.
"Secrets present in all these repositories can be either personal or corporate and this is where the risk lies for organizations as some of their corporate secrets are exposed publicly through their current or former developers’ personal repositories," states the GitGuardian report.
The most common types of secrets leaked in public repositories include Google keys, which accounted for 28% of leaked secrets, development tools at 16%, and databases and data storage keys at 15%. Leaked secrets were discovered in a wide array of file extensions, which can be grouped into three main categories:
- Data serialization files: JSON, XML, YAML, .properties
- Forbidden or sensitive files: .env, .pem
Reasons for leaked secrets
Besides using the same account for accessing personal and corporate repositories, the report indicates that secrets are leaked mostly because of unintentional, not malevolent, mistakes, including:
- Git misconfiguration and pushing wrong data.
- Forgetting that the entire git history is still publicly visible even if sensitive data has since been deleted from the actual version of source code.
A common mistake made by many software developers is that they keep keys and passwords for various resources in an insecure location to make it easier to change the code. However, doing so often results in the information mistakenly being published. Cybercriminals and nation-state actors often scan GitHub and other repositories to find mistakenly leaked information.
"Keeping secrets encrypted and tightly wrapped makes it harder for developers to both access and distribute them," GitGuardian states in the report. "This can lead developers to choose the path of least resistance when handling them which may include hardcoding them into source code, distributing them through email or messaging systems like Slack, saving them directly into config files and storing them inside internal wikis."
What can be done?
With the expansion of git repositories and the complexity of open source software supply chains, it has become quite difficult to avoid the risk of secrets exposure entirely. However, there are certain best practices that businesses can follow to limit the risk of secrets exposure or the impact of a leaked credential:
- Never store unencrypted secrets in .git repositories.
- Don’t share your secrets unencrypted in messaging systems like Slack.
- Store secrets safely.
- Restrict API access and permissions.
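To illustrate the point about git history and the first practice above, here is an added example (not taken from the article or the GitGuardian report): a small Python scanner that reads `git log -p --all` output and flags secrets introduced in any commit, even when a later commit deleted them. The regexes, the function name and the abridged sample log are assumptions constructed for illustration.

```python
import re

# Detectors for two secret types the article names (patterns are assumptions).
PATTERNS = {
    "google_api_key": re.compile(r"AIza[0-9A-Za-z_\-]{35}"),
    "private_key": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
}
# File names the article lists as sensitive in themselves.
SENSITIVE_FILE = re.compile(r"(^|/)\.env$|\.pem$")

def scan_history(patch_text):
    """Return (commit, path, kind) for every secret added anywhere in history."""
    findings, commit, path = [], None, None
    for line in patch_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1][:7]
        elif line.startswith("+++ "):            # header naming the new file
            path = line[4:]
            if path.startswith("b/"):
                path = path[2:]
            if SENSITIVE_FILE.search(path):
                findings.append((commit, path, "sensitive_file"))
        elif line.startswith("+"):               # a line some commit added
            for kind, rx in PATTERNS.items():
                if rx.search(line):
                    findings.append((commit, path, kind))
    return findings

FAKE_KEY = "AIza" + "X" * 35  # constructed placeholder, not a real key

# Constructed, abridged `git log -p --all` output: the newest commit deletes
# .env, so the current tree looks clean, but the older commit still holds it.
SAMPLE_LOG = f"""commit 2222222bbbbbbb
    remove config
--- a/.env
+++ /dev/null
@@ -1 +0,0 @@
-MAPS_KEY={FAKE_KEY}
commit 1111111aaaaaaa
    add config
--- /dev/null
+++ b/.env
@@ -0,0 +1 @@
+MAPS_KEY={FAKE_KEY}
"""

if __name__ == "__main__":
    for finding in scan_history(SAMPLE_LOG):
        print(finding)
```

A finding in an old commit means the secret must be revoked and rotated; deleting the file in a new commit does not remove it from history.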
Venafi’s CodeSign Protect secures your code signing private keys, automates approval workflows, and maintains an irrefutable record of all code signing activities. Reach out to Venafi’s experts to learn how you can secure your software development lifecycle.