‘Secrets Sprawl’ Haunts Software Supply Chain Security


A cybersecurity startup is warning of a major, unattended weak link in the software supply chain: the vexing problem of valuable corporate secrets — API keys, usernames and passwords, and security certificates — publicly exposed in corporate repositories.

The compromise of leaked secrets has been at the center of multiple supply-chain security compromises but, according to new data from GitGuardian, secrets sprawl exists everywhere and is growing at alarming rates.

In a new report documenting its work looking for leaked corporate secrets, GitGuardian found that a typical company with 400 developers would discover about 1,050 unique secrets leaking throughout its repositories and commits. 

Even worse, at current security-to-developer staffing levels, the company argues “there’s simply no way to manage the explosion of digital authentication credentials left exposed in modern code.”

[ READ: Thousands of Secret Keys Found in Leaked Samsung Source Code ]

“With each secret detected in 13 different places on average, the amount of work required for remediation far exceeds current AppSec capabilities: with a security-to-developers ratio of 1:100*, 1 AppSec engineer needs to handle 3,413 secrets occurrences on average,” GitGuardian said.

The Paris, France-based startup, which raised $44 million in venture capital investment to work on solving the secrets sprawl problem, said this is an ongoing “nightmare” for security engineers.

“Credentials are a nightmare for security engineers because they can end up in so many places: build, monitoring, or runtime logs, stack traces, and … git history. Our data show the extent of publicly exposed secrets on GitHub has more than doubled since 2020,” GitGuardian said.

After running scans in 2021, the company found more than 6 million secrets exposed, including IAM credentials across all major public cloud infrastructure.  “On average, 3 commits out of 1,000 exposed at least one secret, a 50% increase compared to 2020.”

[ READ: Codecov Bash Uploader Dev Tool Compromised in Supply Chain ]

In addition to GitHub, GitGuardian’s report also called attention to sensitive information exposed in Docker Hub images.

“The layers making up Docker images are as many additional attack surfaces that can too easily be left out of the security perimeter. For attackers, it is yet another chance of finding an access vector, just as demonstrated by the Codecov breach,” the company said, referencing the April 2021 supply chain compromise that rattled much of Silicon Valley.

“If there is a single conclusion to be drawn from [this data], it is that the amount of work required for both remediating real-time incidents and investigating leaks detected in the git history (which can still represent a threat) far exceeds current AppSec teams’ capabilities,” the company warned.

Related: GitGuardian Raises $44 Million to Create Code Security Platform

Related: Codecov Bash Uploader Dev Tool Compromised in Supply Chain

Related: Thousands of Secret Keys Found in Leaked Samsung Source Code

Related: Twilio, HashiCorp Among Codecov Supply Chain Hack Victims

Related: OpenSSF Alpha-Omega Project Tackles Supply Chain Security

view counter

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a journalist and cybersecurity strategist with more than 20 years experience covering IT security and technology trends.
Ryan has built security engagement programs at major global brands, including Intel Corp., Bishop Fox and Kaspersky GReAT. He is a co-founder of Threatpost and the global SAS conference series. Ryan’s career as a journalist includes bylines at major technology publications including Ziff Davis eWEEK, CBS Interactive’s ZDNet, PCMag and PC World.
Ryan is a director of the Security Tinkerers non-profit, and a regular speaker at security conferences around the world.
Follow Ryan on Twitter @ryanaraine.

Previous Columns by Ryan Naraine:
Tags:



Don't forget to share

You may also like...

Leave a Reply

Your email address will not be published.