More than Half of Security Leaders Lack Confidence in Protecting Application Secrets, Study Shows

It might come as a surprise, but secrets management has become the elephant in the AppSec room. While security vulnerabilities such as those tracked as Common Vulnerabilities and Exposures (CVEs) often grab the headlines in cybersecurity, secrets management remains an overlooked issue that can have immediate and serious consequences for enterprise security.

A recent study by The Guardian found that 75% of IT decision-makers in the US and UK reported at least one secret leaked from an application, and 60% of them said it caused problems for the company or its employees. Shockingly, less than half of respondents (48%) are confident in their ability to protect application secrets "to a large extent."

The study, "Practitioner Voices: The State of AppSec Confidentiality," provides a fresh perspective on secrets management, a topic that is often reduced to platitudes that don't reflect the operational realities of engineering departments.

Despite the ubiquity of secrets in modern cloud and development operations, secrets management remains a thorny issue even for the most mature organizations. The growing number of secrets in concurrent use during the development cycle makes it easy to lose control and let a secret "leak."

Protect App Secrets

When a secret is leaked, it ceases to be a secret and can be accessed by unauthorized systems or persons for a period of time. Leaks mostly occur internally, as secrets are copied and pasted into configuration files, source code files, emails, messaging apps, and more. Crucially, if a developer hardcodes secrets into their code or configuration files and pushes the code to a GitHub repository, those secrets are pushed along with it. In another worst-case scenario, malicious actors obtain internally leaked credentials after gaining initial access, similar to what happened to Uber last year.

Evidence from the Voice of Practitioners study shows that the vast majority of respondents acknowledge the dangers of a compromised secret. Seventy-five percent of respondents said their organization had experienced a leaked secret in the past, and 60 percent admitted it had caused serious problems for the company, its employees, or both.

When asked about key risk points in the software supply chain, 58 percent identified "source code and repositories" as a core risk area, 53 percent identified "open source dependencies," and 47 percent identified "hard-coded secrets."

However, these responses also indicate significant gaps in maturity. Specifically, less than half of respondents (48%) are confident in their ability to protect application secrets to a large extent.

Additionally, more than a quarter (27%) of respondents admitted to relying on manual code reviews to prevent leaks of secrets, a practice that is notably ineffective at detecting hard-coded secrets.

Finally, the study also found that 53 percent of senior executives (such as CIOs, CISOs, and VPs of cybersecurity) believe that secrets are shared in clear text via messaging apps.

Despite the challenges, there is hope for improvement. In a positive step towards better secrets management and enterprise security, the research revealed that 94% of respondents plan to improve their secrets practices in the next 12-18 months. However, it is worth noting that secrets detection and remediation and secrets management should be prioritized for investment over other tools such as runtime protection tools, and the planned spending does not yet reflect that: while 38 percent of respondents plan to invest in runtime application protection tools, only 26 percent and 25 percent plan to allocate funds to secrets detection and remediation and to secrets management, respectively.

A Comprehensive Secret Management Program

Every year more and more secrets are leaked. GitHub, the world's largest code-sharing platform, monitors the number of leaks in code every year and publishes the results in its annual "State Secrets Spread Report". The numbers are once again alarming: from 3 million secrets discovered in 2021, the number has increased by 67% to 10 million in 2022. And that's just the tip of the iceberg. Most leaks occur inside companies, which makes global figures very difficult to estimate.

To address this growing risk, companies need to prioritize strengthening their secrets management as part of their defenses.

In a recent interview with The Guardian, former Ubisoft chief information security officer Jason Haddix described how the importance of secrets management became obvious after the company was hacked by the Lapsus$ hacking gang in March 2022. After speaking with 40 other affected CISOs, he proposed a four-axis plan for developing a comprehensive secrets management program:

  • Detection: Finding all past leaks requires an automated tool, and doing so is a critical step in understanding a company's actual security posture.
  • Prevention: Prevent as many leaks as possible, and save time in the future, by using safety rails such as pre-commit hooks.
  • Response: Secrets leak because they need to be shared. It is therefore also critical to have tools to store, share, and rotate these secrets, along with fine-grained access controls.
  • Education: Ongoing education on secrets, not just for developers but for all employees, ensures awareness of the risks of hardcoding secrets and passwords, as well as of best practices.
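The detection and prevention axes above are where tooling matters most: a pre-commit hook that scans staged files for hard-coded secrets catches the copy-and-paste leak at the developer's machine, before it ever reaches a repository. The following is an added example, not code from the article or from any vendor mentioned in it; the credential patterns and the entropy threshold are assumptions chosen for illustration, and the scanned sample is constructed (the AWS key is the placeholder value from AWS's own documentation).

```python
import math, re, subprocess, sys

# A few well-known credential formats (constructed, deliberately not exhaustive).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "assignment": re.compile(
        r"(?i)(?:password|secret|api_key|token)\s*[=:]\s*['\"]([^'\"]{8,})['\"]"),
}

def shannon_entropy(s):
    """Bits per character: random-looking credentials score high, plain words low."""
    if not s:
        return 0.0
    return -sum(n / len(s) * math.log2(n / len(s)) for n in (s.count(c) for c in set(s)))

def find_secrets(text, entropy_threshold=3.5):
    """Return (line_no, rule, value) for each line that looks like a hardcoded secret."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for rule, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            # Quoted assignments count only when the value looks random, so
            # placeholders such as "changeme" do not block every commit.
            if rule == "assignment" and shannon_entropy(value) < entropy_threshold:
                continue
            findings.append((no, rule, value))
    return findings

def staged_files():
    """Paths added or modified in the index, i.e. what a pre-commit hook should scan."""
    out = subprocess.run(["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
                         capture_output=True, text=True, check=True).stdout
    return [p for p in out.splitlines() if p]

SAMPLE = """\
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
db_password = "changeme"
api_key = "q8Zr2LmX9vTk4PwN1sBd7Hy"
token = os.environ["API_TOKEN"]
"""  # constructed sample of a staged config file; AKIA...EXAMPLE is AWS's documentation key

if __name__ == "__main__":  # usage: save as .git/hooks/pre-commit and make it executable
    hits = [(p, f) for p in (sys.argv[1:] or staged_files())
            for f in find_secrets(open(p, errors="replace").read())]
    for p, (no, rule, _) in hits:
        print(f"{p}:{no}: possible {rule}; move it to a secrets manager and rotate it")
    sys.exit(1 if hits else 0)
```

Run against the sample, the hook flags the AWS key and the high-entropy `api_key` value, skips the `changeme` placeholder, and accepts the value read from the environment; a non-zero exit aborts the commit.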

In Conclusion

The Practitioner's Voice research highlights the importance of an overall secrets strategy in AppSec and provides valuable best-practice insights for mitigating the risks associated with secrets sprawl. Secrets management can look like a debt that grows over time. If you wait too long, the elephant in the room can eventually become too large to ignore, putting your organization at risk of serious consequences.

If you want to improve your secrets management program, one easy step you can take right now is to request a free audit by GitHub of your company's leaked secrets on GitHub. The automated report you receive will show you the number of active developers on GitHub, the number (by category) of exposed secrets found in GitHub repositories, and the percentage of those secrets that are still active.

This will help you accurately scope your developers' footprint on GitHub, assess the magnitude of the risk your company faces, and take the first step toward a comprehensive secrets management plan.

Disclaimer: The information in this article comes from Thehackernews; the copyright belongs to the author, and the purpose of reprinting is to convey more information. If there is any infringement, please contact this site for removal.


Origin blog.csdn.net/lavin1614/article/details/131211082