The CEO of GitGuardian, a code security platform for the DevOps generation, has issued an annual report titled “The State of Secrets Sprawl,” highlighting the large number of secrets that were accidentally published to public repositories on GitHub in the past year. In addition to the sheer volume of leaked secrets, the report also sheds light on what happens after these secrets are discovered.

In the world of IT, a secret refers to sensitive data or credentials that are meant to be kept confidential and secure to prevent unauthorized access. These secrets can include passwords, cryptographic keys, API tokens, or any other information that grants access to restricted systems, resources, or data. Secrets play a critical role in securing IT systems and applications as they are used for authentication purposes.

GitGuardian provides a pro-bono service to alert repository owners when leaked secrets are found in their public Git commits. However, many repository owners fail to properly remediate the issue even after being notified. In some cases, owners delete or privatize their repositories without revoking the leaked secret, leaving it vulnerable to exploitation.

A leaked secret becomes a “zombie” when the owner ignores the fact that it was exposed or believes the issue is resolved by removing public access to the secret without revoking it. Various remediation methods, such as overwriting files or deleting branches, may not effectively prevent malicious actors from exploiting the leaked secrets.

To prevent secrets from becoming lurking dangers, it is crucial to revoke them once they are leaked. This process involves implementing safer secret usage methods, creating new secrets to replace the leaked ones, pushing new code to production, and revoking the old secrets, rendering them useless to potential attackers.

Failure to address leaked secrets can have legal consequences, with regulators and legislators enforcing new cybersecurity requirements. For instance, the EU’s Digital Operational Resilience Act and the U.S. Cybersecurity and Infrastructure Security Agency have implemented rules to ensure the cybersecurity of organizations, including requirements for secure software development and vulnerability management practices.

In conclusion, organizations cannot afford to have substandard policies and procedures when it comes to managing leaked secrets. With growing regulatory scrutiny and legal consequences for non-compliance, it is imperative for companies to take proactive measures to detect and mitigate leaked secrets to safeguard their systems and customers. Proactive steps such as implementing secrets management services and following best practices in secure software development are essential to protecting sensitive information and maintaining cybersecurity resilience in today’s digital age.

© 2024 Globe Echo. All Rights Reserved.