GitGuardian reported yesterday that organizations leaked more than 6 million passwords, API keys and other secrets last year.
That is just in the code that they scanned.
This is double the number found the year before.
In part, this is due to better software that can sniff out these secrets.
That translates to 3 out of every 1,000 commits leaking a secret.
More than half of those secrets were access credentials.
They said this is an overwhelming problem. For example, a typical company with 400 developers leaked 1,050 UNIQUE secrets in their code. They also said that, on average, each application engineer at a company has to deal with more than 3,400 leaked secrets.
These numbers are not encouraging. In fact, they are downright alarming.
But what to do?
The only way to deal with this successfully is to make it a team effort. Protecting secrets is a design requirement (secure by design). That means that your development team needs to make this a priority.
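One concrete way a team makes secrets a design requirement is to scan every change before it lands. The script below is an added example written for this post, not GitGuardian's product or any tool named in the report: it reads a unified diff (in practice `git diff --cached` from a pre-commit hook) and flags added lines that match a known key format, a secret-looking assignment, or a long high-entropy token. The rules, the entropy threshold of 4.5 bits per character, and the sample diff are all illustrative assumptions; the AWS key ID in the sample is the placeholder value from AWS's own documentation, not a live credential.

```python
"""Minimal pre-commit secret scanner (added example, not GitGuardian's tooling).

Reads a unified diff and flags added lines that look like credentials:
known key formats, secret-like assignments, and high-entropy tokens.
Patterns, thresholds and sample data are illustrative assumptions.
"""
import math
import re
import subprocess
import sys
from collections import Counter

# Rule set: (name, regex). The last capture group, if any, is the secret value.
# A real deployment would use a maintained ruleset (gitleaks, GitGuardian, ...).
RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("secret_assignment", re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?([^\s'\"]{8,})")),
]
# Candidate tokens for the entropy check: long runs of base64/hex-like chars.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{32,}")
ENTROPY_THRESHOLD = 4.5  # bits per character; assumption, tune per repository


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty or single-symbol strings)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(secret: str) -> str:
    """Show only a 4-character prefix so the hook's own output does not re-leak the secret."""
    return secret[:4] + "*" * (len(secret) - 4) if len(secret) > 4 else "****"


def scan_added_lines(diff_text: str) -> list:
    """Return findings for lines added in a unified diff.

    Each finding is {"line": <added text>, "rule": <name>, "match": <secret>}.
    Removed and context lines are ignored, so a secret is reported when it is
    introduced rather than on every later commit that touches the file.
    """
    findings = []
    for raw in diff_text.splitlines():
        if not raw.startswith("+") or raw.startswith("+++"):
            continue  # skip removed lines, context lines and the +++ file header
        line = raw[1:]
        for name, pattern in RULES:
            for m in pattern.finditer(line):
                findings.append({"line": line, "rule": name,
                                 "match": m.group(m.lastindex or 0)})
        for m in TOKEN_RE.finditer(line):
            token = m.group(0)
            if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                findings.append({"line": line, "rule": "high_entropy", "match": token})
    return findings


# Constructed sample diff (assumption): one real-looking key format, two
# secret-like assignments, and one harmless URL that must not be flagged.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,2 +1,5 @@
 import os
-aws_access_key_id = os.environ["AWS_ACCESS_KEY_ID"]
+aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
+db_password = "correct-horse-battery"
+session_token = "0123456789abcdefghijklmnopqrstuv"
+login_url = "https://example.com/login"
"""


def main() -> int:
    """Pre-commit entry point: scan staged changes and fail the commit on findings."""
    diff = subprocess.run(["git", "diff", "--cached", "--unified=0"],
                          capture_output=True, text=True, check=True).stdout
    findings = scan_added_lines(diff)
    for f in findings:
        print(f"[{f['rule']}] {redact(f['match'])} in: {f['line'].strip()[:80]}",
              file=sys.stderr)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run against the embedded sample, `scan_added_lines(SAMPLE_DIFF)` flags three of the four added lines (the token line twice, once by the assignment rule and once by entropy) and leaves the URL alone. Installing `main()` as `.git/hooks/pre-commit` makes the check a non-negotiable step for everyone on the team rather than something each developer has to remember, and the redacted output means the hook itself never echoes a full secret into terminal logs or CI output.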
Even though many of those code repositories are not public, if an attacker were to compromise a developer’s account or workstation (I know, developers are too smart to get compromised – sure), then they can quietly scan anything that the developer has access to, likely totally undetected. If the attacker was not in a hurry, he or she could scan all code the developer had access to over months or even years.
Done right, the victim company would have no clue how they were compromised.
Credit: Dark Reading