Freely subscribe to our NEWSLETTER

GitGuardian scanned 1.027B new commits in 2022 (+20% compared to 2021) and found 10,000,000 secrets occurrences (+67% compared to 2022). What is interesting beyond this ever-increasing number is that 1 code author out of 10 exposed a secret in 2022.

It is a common myth that junior developers mostly commit hard-coded secrets, but the reality is that this can happen to any developer, regardless of their experience or seniority.

Secrets are not just any kind of credentials; they securely hold together the components of the modern software supply chain, from code to the cloud. And because of the leverage they provide, they have become hackers’ most sought-after information. However, many breaches that occurred in 2022 pointed up how inadequate their protection is.

Two recent examples illustrate how secrets can be exploited in an attack:
Uber September 15, 2022: an attacker breached Uber and used hard-coded admin credentials to log into Thycotic, the firm’s Privileged Access Management platform. They pulled a full account takeover on several internal tools and productivity applications.

CircleCI December 29, 2022: an attacker leveraged malware deployed to a CircleCI engineer’s laptop to steal a valid, 2FA-backed SSO session. They could then exfiltrate customer data, including customer environment variables, tokens, and keys.

“Secret data, including tokens and keys found on open repositories such as GitHub, are easily re-sold (or in some cases, shared for free) on the darknet and deep web. There is an extensive amount of sensitive information available for download on the darknet and deep web, ranging in prices from free to several thousands of dollars.” Mark Turnage, DarkOwl CEO & Co-Founder

More than 80% of all the secrets caught by live monitoring GitHub are exposed through developers’ personal repositories, and a large share of them are, in fact, corporate secrets. Multiple hypotheses can explain why this happens. Of course, malicious behaviors cannot be discarded, including hijacking corporate resources and other shady motives. But the sheer scale of the phenomenon hints at something else: most of this happens because error is human and misconfiguring Git is easy.

“If a colleague in security said to me that secrets detection is not a priority, I would say that’s a mistake. Most of the big security problems come from either social engineering attacks or credential stuffing. So, it’s really important to know that your engineers and your employees are going to leak secrets. That’s life. Most of the time, it’s due to mistakes. But if it happens, we need to act on it. The more engineers there are, the more there is potential for leaks to happen.”
Theo Cusnir - Application Security Engineer at PayFit

We should not forget that private source code can end up in the public space by error or because it was stolen. The recent Samsung, Nvidia, Microsoft, and Dropbox code leaks are good examples.

Like many other security challenges, poor secrets hygiene involves the usual trifecta of people, processes, and tools. Organizations serious about taming secrets sprawl must work simultaneously on all these fronts.

"Our mission is to secure code and the SDLC. We want to do it with a transparent, simple and pragmatic approach starting first with one of the most important issue in appsec: secrets in code". Eric FourrierCEO