Enterprise Wake-Up Call: Your AppSec Team Can’t Handle Secrets Sprawl Alone, Development Teams Need to be Involved — GitGuardian Report Shows 3.4K Occurrences of Secrets per AppSec Engineer in 2021.
The challenge of secrets sprawling within corporate repositories must be addressed with the right toolset and plan.
PARIS, March 02, 2022 (GLOBE NEWSWIRE) -- GitGuardian, today announced the results of its 2022 State of Secrets Sprawl report. Leveraging the company's unique position as the world's leading secret detection platform*, the report extends its previous edition focused on public GitHub by depicting a realistic view of the state of secrets sprawl in corporate codebases.
The data reveals that on average, in 2021, a typical company with 400 developers would discover 1,050 unique secrets leaked upon scanning its repositories and commits. With each secret actually detected in 13 different places, the amount of work required for remediation far exceeds current AppSec teams’ capabilities (1 AppSec engineer for 100 developers)1.
When compared to open-source corporate repositories, private ones are also four times more likely to expose a secret, comforting the idea that they permeate a false sense of secrecy threatening security postures.
The historical volume of secrets-in-code, coupled with their constant growth, jeopardizes the remediation capacity of security teams, primarily application security engineers. This, in turn, puts the whole transition process to DevSecOps at risk. Therefore, an action plan is necessary to resolve this situation as soon as possible.
The report also highlights that the secrets sprawl phenomenon is mostly still in its infancy. First, improving on its prior results, GitGuardian Public GitHub monitoring reported doubling the number of secrets leaked, reaching just over 6M in 2021. On average, 3 commits out of 1,000 exposed at least one secret, +50% compared to 2020.
Second, an in-depth study conducted on another popular open-source platform, Docker Hub, finds that 4,6% of publicly available images expose at least one secret. As the number of building blocks making up an application is increasing (cloud infrastructure, managed databases, SaaS applications, open-source components, internal microservices, etc.), it should come as no surprise that secrets will be sprawling in ever more places in the future.
Recommendations
To prevent codebases from becoming hackers’ playgrounds without overwhelming security teams, the focus needs to shift to collaborative prevention.
Secrets leaking in source code is unavoidable, but like other vulnerabilities, it is completely determined by endogen factors: more developers, requiring access to more resources, building and deploying at a faster rate. It means that with enough discipline and education, coupled with the right tools, it is possible to drastically improve the situation, just like any technical debt.
Incidents detection and remediation can be shifted left at various levels to build a layered defense all across the development cycle. Here is a progressive approach to move forwards to a “zero secrets-in-code” policy:
- Start by monitoring commits and merge/pull requests in real-time for all your repositories with native VCS or CI integration, where the ultimate threat lies (shift left at team level).
- Progressively enable pre-receive checks to harden central repositories against leaks, and “stop the bleeding”.
- In the meantime, educate about using pre-commit scanning as a seatbelt (shift left at developer level).
- Plan a longer-term strategy to handle older incidents discovered by the git history scanning.
- Implement a Secrets Security Champion program.
By integrating vulnerability scanning into the development workflow, security isn’t a bottleneck anymore. You can help developers catch vulnerabilities at the earliest stage and considerably limit remediation costs. This is even more true for secrets detection, which is very sensitive to sprawling (as soon as a secret enters a version control system, it should be considered compromised and requires remediation effort). You can thus reduce the number of secrets entering your VCS by better-educating developers while preserving their workflow.
Download the State of Secrets Sprawl 2022 report here.
A webinar presenting the report will be held on March 2nd 11 AM EDT
Quotes
Quote from Abbas Haidar, Head of InfoSec
“Secrets detection is a very essential part of security. It's one of the basics that you need to cover all the time. Otherwise, you're going to expose your endpoints online and you're going to suffer endless attacks. When it comes to application development, secrets detection is essential to a security program. You need to have it. Otherwise, you'll fail.”
Quote from Don, Security Engineer
“Source code is a huge wealth of knowledge. It also happens to exist on pretty much every developer's workstation, which they probably take home with them. You probably don't want your secrets being all over the country.”
*Secret: In the context of software development, secrets generally refer to digital authentication credentials that grant access to systems or data. These are most commonly API keys, usernames and passwords, or security certificates.
Additional resources
GitGuardian - Website
GitGuardian Internal Monitoring - GitHub Market place
About GitGuardian
The new ways of building software create the necessity to support new vulnerabilities and new remediation workflows. These needs have emerged so abruptly that they have given rise to a young and highly fragmented DevSecOps tooling market. Solutions are specialized based on the type of vulnerabilities being addressed: SAST, DAST, IAST, RASP, SCA, Secrets Detection, Container Security, and Infrastructure as Code Security. However, the market is fragmented and tools are not well-integrated into the developers’ workflow.
GitGuardian, founded in 2017 by Jérémy Thomas and Eric Fourrier, has emerged as the leader in secrets detection and is now focused on providing a holistic code security platform while enabling the Shared Responsibility Model of AppSec. The company has raised a $56M total investment to date.
With more than 150K installs, GitGuardian is the n°1 security application on the GitHub Marketplace. Its enterprise-grade features truly enable AppSec and Development teams in a collaborative manner to deliver a secret-free code. Its detection engine is based on 350 detectors able to catch secrets in both public and private repositories and containers at every step of the CI/CD pipeline.
Methodology
Secrets detection engine
GitGuardian’s secrets detection engine has been analyzing billions of commits in production since 2017. From day one we began to train and benchmark our algorithms against the open-source code. It allowed GitGuardian to build a language-agnostic secrets detection engine, integrating new secrets or new ways of declaring secrets really fast while keeping a really low number of false positives. We have developed the vastest library of specific detectors being able to detect more than 350 different types of secrets2. Learn more about the inner workings and performance benchmarking of our detection engine in our blog.
Media Contact
Holly Hagerman
Connect Marketing
(801) 373-7888
hollyh@connectmarketing.com
1 From TAG Cyber
2 You can find the exhaustive list here
A photo accompanying this announcement is available at:
https://prdesk.globenewswire.com/ResourceLibrary/ResourceLibrary/GetDynamicThumbnailContentContent/?resourceId=a610113e-965d-4ee7-9f5d-9ba372428f73&maxHeight=280&maxWidth=280
