Solving the problem of secrets sprawling in corporate codebases

GitGuardian announced the results of its report which extends its previous edition focused on public GitHub by depicting a realistic view of the state of secrets sprawl in corporate codebases.

state of secrets sprawl

The data reveals that on average, in 2021, a typical company with 400 developers would discover 1,050 unique secrets leaked upon scanning its repositories and commits. With each secret actually detected in 13 different places, the amount of work required for remediation far exceeds current AppSec teams’ capabilities (1 AppSec engineer for 100 developers).

When compared to open-source corporate repositories, private ones are also four times more likely to expose a secret, comforting the idea that they permeate a false sense of secrecy threatening security postures.

The historical volume of secrets-in-code, coupled with their constant growth, jeopardizes the remediation capacity of security teams, primarily application security engineers. This, in turn, puts the whole transition process to DevSecOps at risk. Therefore, an action plan is necessary to resolve this situation as soon as possible.

The report also highlights that the secrets sprawl phenomenon is mostly still in its infancy. First, improving on its prior results, public GitHub monitoring reported doubling the number of secrets leaked, reaching just over 6M in 2021. On average, 3 commits out of 1,000 exposed at least one secret, +50% compared to 2020.

Second, an in-depth study conducted on another popular open-source platform, Docker Hub, finds that 4,6% of publicly available images expose at least one secret. As the number of building blocks making up an application is increasing (cloud infrastructure, managed databases, SaaS applications, open-source components, internal microservices, etc.), it should come as no surprise that secrets will be sprawling in ever more places in the future.

Recommendations for preventing secrets sprawl

To prevent codebases from becoming hackers’ playgrounds without overwhelming security teams, the focus needs to shift to collaborative prevention.

Secrets leaking in source code is unavoidable, but like other vulnerabilities, it is completely determined by endogen factors: more developers, requiring access to more resources, building and deploying at a faster rate. It means that with enough discipline and education, coupled with the right tools, it is possible to drastically improve the situation, just like any technical debt.

Incidents detection and remediation can be shifted left at various levels to build a layered defense all across the development cycle. Here is a progressive approach to move forwards to a “zero secrets-in-code” policy:

  • Start by monitoring commits and merge/pull requests in real-time for all your repositories with native VCS or CI integration, where the ultimate threat lies (shift left at team level).
  • Progressively enable pre-receive checks to harden central repositories against leaks, and “stop the bleeding”.
  • In the meantime, educate about using pre-commit scanning as a seatbelt (shift left at developer level).
  • Plan a longer-term strategy to handle older incidents discovered by the git history scanning.
  • Implement a Secrets Security Champion program.

By integrating vulnerability scanning into the development workflow, security isn’t a bottleneck anymore. You can help developers catch vulnerabilities at the earliest stage and considerably limit remediation costs. This is even more true for secrets detection, which is very sensitive to sprawling (as soon as a secret enters a version control system, it should be considered compromised and requires remediation effort). You can thus reduce the number of secrets entering your VCS by better-educating developers while preserving their workflow.

Abbas Haidar, Security Operations Manager at WorldFirst, said: “Secrets detection is a very essential part of security. It’s one of the basics that you need to cover all the time. Otherwise, you’re going to expose your endpoints online and you’re going to suffer endless attacks. When it comes to application development, secrets detection is essential to a security program. You need to have it. Otherwise, you’ll fail.”

Share this