In recent years, an alarming number of secrets have leaked out in developer’s code. Secrets include any kind of sensitive data such as passwords, API keys, encryption keys and certificates. According to a GitGuardian report, an organization with 400 developers will leave behind 1.050 unguarded secrets in their code. These statistics are alarming, but not without remediation. There are several steps you can take to ensure your keys, passwords and all secrets securing your data remain safe and out of harm’s way.
Secrets leaked in development
A secret can be defined as any source of digital identification that permits access to a service, a system or to data. Secrets are being leaked at the development level. For example, when source code from gaming site Twitch was exposed, it compromised over 6,000 Git repositories, nearly 7,000 development secrets and millions of documents. In their study, GitHub found that the number of commits to GitHub that leaked sensitive information were 50% higher than last year, or three in every thousand. And the problem is getting worse.
What is the problem?
There are several reasons why so much sensitive information is being leaked in the development stage.
- More code is being pushed to repositories. Due to the ongoing digital transformation and the proliferating growth of hybrid work culture, an increasing amount of code is being pushed to repositories. This leads to a statistically higher error rate.
- AppSec is overwhelmed. Each application engineer has an average of 3,400 leaked secrets to address, reports Mackenzie Jackson, a developer advocate at GitGuardian. "It is really an impossible task—they are totally overwhelmed by the problem," he says.
- Secret sprawl is proliferating. Once code is pushed out from your private repository, it will be copied into your developer environments, including professional and personal machines. Jackson says that "It is easy to lose track of every place the code goes."
- Private vs. Public repositories. There is an overlap between the information found in public and private repositories, largely due to a single account for both on GitHub. Developers often use the same account for both purposes, and consequently, company secrets often are found in private repositories. Additionally, private projects do not tend to garner the same security respect, and a high percentage of secret leaks are found in the code made on off hours (holidays and weekends).
Keeping secrets safe
To combat developer slip ups in protecting digital keys, certificates, passwords and other sensitive information, several best practices can be implemented.
- Combine AppSec and Developers. Integrating AppSec at the development level is key to reducing the number of secrets shared. GitGuardian advocates for a shared responsibility model, including development teams by making them aware of security controls and requirements earlier in the process. The report states that developer involvement accounts for closing over 70% more incidents than AppSec alone, and double incident remediation speeds. "To solve [the problem of secrets leak], we have to introduce some shared responsibility to developers, we need to empower developers with tools, and we need to have education,” explains Jackson.
- Protect your keys during development. Venafi integrates with well-known development tools to automatically install encryption keys and certificates during the development phase. Working with DevOps allows you to produce secure code quickly.
- Secure the secret lifecycle. Venafi also allows you to discover all machine identities in your environment, because you cannot defend what you cannot see. Working with Palo Alto Networks, they provide a comprehensive assessment of all keys and certificates throughout your infrastructure.
- Code Signing is valuable, as it ensures no code has been altered after completion by developers. This does not prevent the problem of latent secrets being exposed before it is signed, which is why it is important to involve both developers and App Sec in the process and perform inventory scans and assessments. However, it does encourage developers to examine the process with a fine-tooth comb and provides a check to secret sprawl.
To prevent secret leak at the development phase, companies must maintain a good inventory of the secrets they host in their environment. Gaining full visibility into network architecture is key to discovering and defending these keys and certificates and involving developers in the security process is necessary to changing the culture that is responsible for so much inadvertent compromise. By combining improved collaboration with the right security tools, companies can ensure they are not releasing code with unintended information, and on the other side, defending all the sensitive data points they are responsible for.