Valuable corporate secrets (API keys, usernames and passwords, and security certificates) publicly exposed in corporate repositories are a major, unattended weak link in the software supply chain, according to a cybersecurity startup.
Multiple supply-chain security breaches have involved the compromise of leaked secrets, but new data from GitGuardian shows that secrets sprawl exists everywhere and is growing at alarming rates.
According to a new report on its search for leaked corporate secrets, GitGuardian found that a typical company with 400 developers has about 1,050 unique secrets leaking across its repositories and commits.
Worse, the company claims that “there’s simply no way to manage the explosion of digital authentication credentials left exposed in modern code” at current security-to-developer staffing levels.
“With each secret detected in 13 different places on average, the amount of work required for remediation far exceeds current AppSec capabilities,” GitGuardian said. “With a security-to-developers ratio of 1:100*, one AppSec engineer needs to handle 3,413 secrets occurrences on average.”
This is an ongoing “nightmare” for security engineers, according to the Paris, France-based startup, which raised $44 million in venture capital to work on solving the secrets sprawl problem.
“Credentials are a security engineer’s nightmare because they can end up in so many places: build, monitoring, or runtime logs, stack traces, and… git history.” According to GitGuardian’s data, the number of publicly exposed secrets on GitHub has more than doubled since 2020.
In 2021 the company's scans uncovered more than 6 million exposed secrets, including IAM credentials across all major public cloud infrastructure. “On average, three out of every 1,000 commits revealed at least one secret, up 50% from 2020.”
GitGuardian’s report also highlighted sensitive information exposed in Docker Hub images, in addition to GitHub.
“The layers that make up Docker images are just as many additional attack surfaces that are all too easily overlooked when it comes to security. It’s still another potential for attackers to find an access channel, as illustrated by the Codecov hack,” the company added, referring to the April 2021 supply chain breach that shook Silicon Valley.
“If there is a single conclusion to be drawn from [this data], it is that the amount of work required for both remediating real-time incidents and investigating leaks detected in the git history (which can still pose a threat) far exceeds the capabilities of current AppSec teams,” the company warned.
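To make the problem concrete for the places the report lists (build logs, stack traces, git history and Docker image layers), here is an added example of a minimal secrets scanner run over constructed samples of each. It is not GitGuardian's code; the AWS access key ID shape and the PEM header are real, documented formats, while the generic `password=`/`token=` pattern, the entropy threshold, the sample sources and the sample values (apart from AWS's documented placeholder key ID) are assumptions made for this example. It shows two points from the report: the same credential turns up in several places, and a secret deleted in a later commit is still present in `git log -p` output.

```python
"""Minimal secrets scanner run over constructed samples of the places the
article lists: build logs, stack traces, git history and a Docker image layer.
Added example; not GitGuardian's code."""
import math
import re
from collections import defaultdict

# Detection patterns. The AWS access key ID shape (AKIA + 16 upper-case
# alphanumerics) and the PEM private-key header are real, documented formats;
# the generic assignment pattern is an assumption about how credentials
# commonly appear in code and logs, not a rule taken from any product.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "private_key_pem": re.compile(r"(-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)"),
    "generic_assignment": re.compile(
        r"(?i)\b(?:password|passwd|secret|api[_-]?key|token)\b\s*[=:]\s*['\"]?"
        r"([A-Za-z0-9_\-./+=]{8,})"
    ),
}


def shannon_entropy(value):
    """Bits per character; used to drop placeholder values such as 'changeme'."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(source, text, min_entropy=3.0):
    """Return one finding per (line, pattern) hit in `text`.

    Generic assignments are only reported when the value's entropy is at or
    above `min_entropy` (assumed threshold); the structured patterns are
    reported unconditionally.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(1)
                if kind == "generic_assignment" and shannon_entropy(value) < min_entropy:
                    continue
                findings.append({
                    "source": source,
                    "line": lineno,
                    "kind": kind,
                    "value": value,
                    # A hit on a '-' line of a diff is a secret that was removed
                    # from the working tree but still lives in git history.
                    "removed_in_diff": line.startswith("-") and not line.startswith("---"),
                })
    return findings


def occurrences_by_secret(findings):
    """Group findings by secret value: one leaked credential, many locations."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f["value"]].append((f["source"], f["line"]))
    return dict(grouped)


# Constructed samples. AKIAIOSFODNN7EXAMPLE is the placeholder key ID used in
# AWS documentation; every other value and source name was made up here.
SAMPLES = {
    "ci-build.log": (
        "[build] 12:03:41 exporting AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE to env\n"
        "[test] using fixture password=changeme for local db\n"
    ),
    "app-stacktrace.txt": (
        "Traceback (most recent call last):\n"
        '  File "app/db.py", line 42, in connect\n'
        "ConnectionError: auth failed: user=svc password=Qz8mPv2LkX4rT9wB host=db.internal\n"
    ),
    "git-log-p.txt": (
        "commit (hash omitted) remove hard-coded credentials\n"
        "--- a/settings.py\n"
        "+++ b/settings.py\n"
        '-AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        '+AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]\n'
    ),
    "docker-layer:/app/id_rsa": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "(key body omitted in this constructed sample)\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
}


def scan_samples(samples=SAMPLES):
    """Scan every sample source and return the combined findings."""
    findings = []
    for source, text in samples.items():
        findings.extend(scan_text(source, text))
    return findings


if __name__ == "__main__":
    for value, places in occurrences_by_secret(scan_samples()).items():
        print(f"{value[:12]}... seen in {len(places)} place(s): {places}")
```

The placeholder `password=changeme` is dropped by the entropy filter, the AWS key is reported twice (once from the build log and once from the removed line of the commit that was meant to get rid of it), and the private key surfaces from the image layer even though it was never in a repository. Remediation therefore means rotating the credential, not just deleting the line: every occurrence grouped under one value stays valid until the key itself is revoked.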