GitGuardian announced the results of its 2023 State of Secrets Sprawl report. The
report is based on GitGuardian's detailed analysis of public GitHub during
2022.
GitGuardian scanned 1.027B new commits in 2022 (+20%
compared to 2021) and found 10 million secret occurrences (+67%
compared to 2021). What is interesting beyond this ever-increasing number is
that 1 code author out of 10 exposed a secret in 2022.
It is a common myth that junior developers mostly commit
hard-coded secrets, but the reality is that this can happen to any developer,
regardless of their experience or seniority.
Secrets are not just any kind of credential: they hold
together the components of the modern software supply chain, from code to
the cloud. Because of the leverage they provide, they have become attackers'
most sought-after information. Yet many of the breaches that occurred in 2022 showed
how inadequate their protection still is.
Two recent examples illustrate how secrets can be exploited
in an attack:
- Uber, September 15, 2022: an
attacker breached Uber and used hard-coded admin credentials to log into
Thycotic, the firm's Privileged Access Management platform. From there they
achieved full account takeover of several internal tools and productivity applications.
- CircleCI December 29, 2022: an attacker
leveraged malware deployed to a CircleCI engineer's laptop to steal a valid,
2FA-backed SSO session. They could then exfiltrate customer data, including
customer environment variables, tokens, and keys.
"Secret data, including tokens and keys found on open repositories such as GitHub, are
easily re-sold (or in some cases, shared for free) on the darknet and deep web.
There is an extensive amount of sensitive information available for download on
the darknet and deep web, ranging in prices from free to several thousands of
dollars." Mark Turnage, DarkOwl CEO & Co-Founder
More than 80% of all the secrets caught by live monitoring
of GitHub are exposed through developers' personal repositories, and a large share
of them are, in fact, corporate secrets. Multiple hypotheses can explain why
this happens. Of course, malicious behavior cannot be ruled out, including
hijacking corporate resources and other shady motives. But the sheer scale of
the phenomenon hints at something else: most of this happens because to err is
human and misconfiguring Git is easy.
"If a colleague in security said to me that secrets
detection is not a priority, I would say that's a mistake. Most of the big
security problems come from either social engineering attacks or credential
stuffing. So, it's really important to know that your engineers and your
employees are going to leak secrets. That's life. Most of the time, it's due to
mistakes. But if it happens, we need to act on it. The more engineers there
are, the more there is potential for leaks to happen." Theo Cusnir - Application Security Engineer at PayFit
We should not forget that private source code can end up in
the public space by error or because it was stolen. The recent Samsung, Nvidia, Microsoft, and Dropbox code leaks are good examples.
Like many other security challenges, poor secrets hygiene
involves the usual trifecta of people, processes, and tools. Organizations
serious about taming secrets sprawl must work simultaneously on all these
fronts.
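On the tooling front, the simplest control is to scan every commit before it leaves the developer's machine. The script below is an added illustration of that idea and is not code from GitGuardian or from the report: it parses a unified diff (what `git diff --cached` produces), scans only the added lines, matches a few publicly documented credential formats (AWS access key IDs begin with `AKIA`, GitHub personal access tokens with `ghp_`, PEM private keys with a `BEGIN ... PRIVATE KEY` header), and falls back to a Shannon-entropy heuristic for anything assigned to a secret-looking variable. The pattern list, the 3.5 bits-per-character threshold and the sample diff are assumptions made for the example; the AWS values in the sample are AWS's own documented placeholder credentials, not real keys.

```python
"""Minimal secrets detector for a unified diff, intended as a pre-commit check.
Added example for this article; not GitGuardian's code. Patterns and threshold
are illustrative assumptions, not a complete ruleset."""
import math
import re
import sys
from dataclasses import dataclass

# Publicly documented credential formats (assumed subset, not exhaustive).
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Generic heuristic: a secret-looking variable assigned a literal value.
ASSIGNMENT = re.compile(
    r"(?i)\w*(?:secret|password|passwd|token|api[_-]?key)\w*\s*[:=]\s*"
    r"['\"]?([A-Za-z0-9+/=_\-]{8,})"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; hand-tuned assumption

HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    excerpt: str  # redacted so the hook never echoes the full secret


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty or single-symbol input)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    return value[:4] + "*" * max(len(value) - 4, 0)


def scan_line(text: str):
    """Return (kind, value) if the line looks like it carries a secret, else None."""
    for kind, pat in KNOWN_PATTERNS.items():
        m = pat.search(text)
        if m:
            return kind, m.group(0)
    m = ASSIGNMENT.search(text)
    if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
        return "high_entropy_assignment", m.group(1)
    return None  # low-entropy values such as "changeme" deliberately fall through


def scan_diff(diff_text: str):
    """Walk a unified diff and report secrets on added ('+') lines only."""
    findings = []
    path, new_line = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):            # new-file header, not an added line
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
        elif raw.startswith(("--- ", "diff ", "index ", "\\")):
            continue                           # old-file header, metadata, "\ No newline"
        elif raw.startswith("@@"):
            m = HUNK_HEADER.match(raw)
            new_line = int(m.group(1)) if m else 0
        elif raw.startswith("+"):
            hit = scan_line(raw[1:])
            if hit:
                findings.append(Finding(path, new_line, hit[0], redact(hit[1])))
            new_line += 1
        elif raw.startswith("-"):
            pass                               # removed line: does not advance the new file
        else:
            new_line += 1                      # context line
    return findings


# Constructed sample diff. The AWS values are AWS's documented example credentials.
SAMPLE_DIFF = """diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,3 +10,5 @@
 DEBUG = False
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+DB_PASSWORD = "changeme"
 ALLOWED_HOSTS = ["example.com"]
diff --git a/.env.example b/.env.example
--- a/.env.example
+++ b/.env.example
@@ -1,2 +1,2 @@
 APP_ENV=development
-GITHUB_TOKEN=
+GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz
"""

if __name__ == "__main__":
    # Pre-commit usage: `git diff --cached | python scan_secrets.py`; falls back to the sample.
    diff = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    hits = scan_diff(diff or SAMPLE_DIFF)
    for h in hits:
        print(f"{h.path}:{h.line}: {h.kind}: {h.excerpt}")
    sys.exit(1 if hits else 0)
```

Two caveats a practitioner would add before relying on this. First, the entropy heuristic lets weak, human-chosen passwords such as `changeme` through, which is why format-specific patterns and a server-side scanner are needed alongside it. Second, a hook only sees the diff being committed: a secret that was committed earlier and deleted later is still in the repository history, so a hit means the credential must be rotated, not merely removed. Neither mechanism covers a developer's personal repositories, where the report says most leaked corporate secrets surface.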
"Our mission is to secure code and the SDLC.
We want to do it with a transparent, simple and pragmatic approach, starting
first with one of the most important issues in appsec: secrets in code."
Eric Fourrier, CEO
Download the State of Secrets Sprawl 2023 report here.