Secrets sprawl: Protecting your critical secrets

Leaked secrets, a phenomenon known as ‘secrets sprawl,’ is a pervasive vulnerability that plagues nearly every organization. It refers to the unintentional exposure of sensitive credentials hardcoded in plaintext within source code, messaging systems, internal documentation, or ticketing systems.

As the undisputed leader in leaked secrets detection, GitGuardian has been meticulously identifying and reporting the prevalence of such secrets on public GitHub for years. Alarmingly, the instances of publicly exposed secrets have quadrupled in a short span, with a staggering 12.8 million occurrences detected on GitHub.com in 2023 alone – a 28% surge from the previous year.

These public leaks are particularly concerning, as they occur on a platform like GitHub, which is constantly monitored by malicious actors. Easily identifiable credentials can be compromised within seconds, while a more subtle leak can lead to customer data compromise years later, as evidenced by the 2022 Toyota breach.

Read the State of Secrets Sprawl 2024

Maintaining control over secrets has become increasingly challenging with the growing complexity of modern software supply chains. In this climate, detecting leaked secrets is merely the first step; organizations must also prioritize and effectively remediate these incidents to enhance their security posture.

What are secrets and why do they matter?

Secrets are confidential pieces of information that grant access to systems, services, or data. They underpin critical security mechanisms like authentication, authorization, and encryption. Examples include database credentials, cloud provider API keys, SaaS access tokens, and cryptographic keys. Leaking these secrets can have devastating consequences.

Attackers can exploit exposed secrets to gain initial access, move laterally within systems, and potentially establish a persistent presence. According to the IBM Cost of a Data Breach Report 2023, it was the predominant avenue for attackers, inflicting an average breach cost of $4.45 million.

Common ways secrets get leaked

Developers often inadvertently leak secrets through practices like:

• Hardcoding secrets in source code repositories,
• Committing secrets to public code repositories (e.g., GitHub),
• Exposing secrets in developer communication channels (e.g., Slack, Jira),
• Leaking secrets in container images or artifacts at build time.

The security gap: Non-revoked secrets

GitGuardian’s research reveals a critical security gap – over 90% of valid, leaked secrets remain active for at least 5 days after the author is notified. Even major service providers like Cloudflare, AWS, OpenAI, and GitHub are affected by non-revoked secrets.

More concerningly, a random sample of 5,000 repositories hosting leaky commits showed that only 28.2% were still accessible, indicating that many repositories were likely deleted or made private after the leak. This suggests that numerous secrets remain valid even after being erased from public view, creating a window for attackers to discover and exploit these “zombie leaks” before revocation.

As Eric Fourrier, CEO and Founder of GitGuardian, states, “Developers erasing leaky commits or repositories instead of revoking are creating a major security risk for companies, which will remain vulnerable to threat actors mirroring public GitHub activity for as long as the credential remains valid. These zombie leaks are the worst.”

This data highlights the crucial necessity of providing comprehensive visibility to security teams throughout the software development lifecycle and beyond, ensuring no leak falls through the cracks.

Introducing GitGuardian Secrets Detection: A comprehensive solution

While tools like SAST, CSPM, secrets managers, and open-source scanners are fundamental, they often fall short in addressing the full scope of secrets security. GitGuardian Secrets Detection is a comprehensive platform designed to help organizations identify, prioritize, and remediate exposed secrets across their software supply chain. Key capabilities include:

• Continuous monitoring of source code repositories, CI/CD pipelines, package registries, container images, and developer communication channels,
• Detection of 350+ types of specific, generic, and custom secret patterns,
• Public leakage detection, notifying if internal secrets have also been exposed publicly,
• Validation of detected secrets’ presence and validity,
• Automated incident triage, assignment, and resolution workflows,
• Collaboration features enabling developers to revoke, rotate, and replace leaked secrets,
• Integration with developer tools for early feedback and prevention,
• Comprehensive reports and security posture analytics.

GitGuardian bridges the gap between security and development teams by providing clear remediation guidance, empowering developers to effectively address leaked secrets – a critical step often overlooked.

What’s more? GitGuardian is unlocking the first-ever end-to-end secrets security program in partnership with CyberArk Conjur Cloud, ensuring secrets remain protected throughout their lifecycle.

Getting started with GitGuardian

The findings from the State of Secrets Sprawl report underscore the urgency for organizations to adopt a proactive approach to secrets’ security. GitGuardian’s dedicated team can guide you through onboarding, deployment strategies, and crafting effective remediation workflows tailored to your environment.

Don’t wait for a breach to occur. Secure your secrets today with GitGuardian’s comprehensive solution. Book a demo to take the first step towards enhancing your security posture and safeguarding your organization’s critical systems and data.