Secret Scanning

Secret Sprawl: Current Snapshot and How to Fix It 

PingSafe’s research team has detected the presence of over 6 Million secrets on Public GitHub Repos by scanning over 1.4 Billion commits (as of October 2022).

Written by Anand Prakash

November 19, 2022 | 5 min read

Secret Sprawl

Cyber attacks have grown exponentially over the past few years (estimated to cost organizations $10.5 Trillion annually by 2025), driven by the many types of vulnerabilities and misconfigurations commonly found across software environments that attackers can exploit.

Most large-scale cyber attacks have exploited more than one type of vulnerability, and one of them is frequently a compromised credential or a leaked secret. Leaked secrets are among the most challenging problems for security teams because of their sheer reach and their adverse impact on the organization. A hard-coded secret can quickly sprawl across the environment: build and run-time logs, stack traces, git history, container images, and so on, often with devastating impact.

PingSafe’s research team has detected the presence of over 6 Million secrets on Public Repos by scanning over 1.4 Billion commits (as of October 2022). Among these, keys related to data storage and cloud provider accounts contributed to around 40% of all leakages. These leakages could result in security breaches, costing companies billions yearly in direct costs, penalties, and eroded brand value.


Scanned Public and Private repositories hosted across GitHub, GitLab and BitBucket

For private repositories, keys related to data storage and cloud provider accounts contributed to around 75% of all leakages, which is alarmingly high and almost 90% higher than what we observed for public repositories.


Scanned Public and Private repositories hosted across GitHub, GitLab and BitBucket

1 out of every 5 secrets detected for an org was leaked through public repositories belonging to that org or its developers.

We also found that the same secret is committed in 7 different places in private repositories on average, showing how easily leaked secrets sprawl across the environment and how much harder that makes remediation.

Remediation and Way Forward

Given the scarcity of security professionals and the widespread prevalence of alert fatigue, investigating and remediating leaked secrets can overwhelm both the capabilities and the bandwidth of a security team. As an organization and its development process grow, the number of tools and resources that developers access and adopt multiplies as well.

The absence of secure policies and security tools for managing secrets in the development process leads to the problem of secrets sprawl.

To secure source code and reduce security loopholes, organizations need to adopt a security-first or zero-trust mindset. To implement this successfully, software developers, DevOps teams, and security engineers need to work together to build and enforce policies that identify leaks during the pre-production stage, before code reaches production.

We, at PingSafe, have created a secret scanning engine to help security teams across the world solve secrets sprawl.

PingSafe’s Secret Scanning

PingSafe’s proprietary secret scanning engine can identify hard-coded secrets in your code and other public repositories that can be an easy target for attackers.

We scan for more than 800 different types of secrets and cloud credentials in your code repositories. The intelligence gathered from scanning more than 1.4 Billion commits to date makes PingSafe’s Secret Scanning Engine the most robust and reliable, with the ability to detect a secret within 2 minutes.

Repository Scanning

PingSafe sends instant alerts about the presence of hard-coded secrets across all the private repositories owned by an organization.

In addition to detecting leaked secrets in an organization’s private and public repositories, PingSafe also notifies you of new and existing public repositories created under the organization’s account.

Open Secret Scanning

Through PingSafe’s Open Secret Search, all public repositories across the web are scanned to alert you of any leaked secret and provide the required details related to its source.

The platform provides information related to the code repository, source code, user, and more, along with recommended actions to help you mitigate the issue.

Restricting code that contains a leaked secret before it goes into production

PingSafe blocks code containing leaked secrets before it can be merged, allowing you to catch issues early in the development cycle.

Below is a sample pull request blocked by PingSafe containing hard-coded secrets in the code.
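To make the pre-merge check concrete, here is a small Python gate added as an illustration; it is not PingSafe’s engine or code (whose detectors are proprietary), and its rule set, entropy cut-off, and sample diff are all constructed assumptions. It scans only the lines a pull request adds, matches a couple of well-known credential formats plus a generic “secret-looking name = long value” rule filtered by Shannon entropy, reports a SHA-256 fingerprint instead of the secret so the alert itself never re-leaks it, and groups hits by fingerprint so the same key committed in several places (the sprawl measured earlier in this post) shows up as one secret at multiple locations. The access key value in the sample is the placeholder key from AWS documentation; the hex api_key value is made up.

```python
import hashlib
import math
import re
from collections import defaultdict

# Constructed rule set: a few well-known credential formats plus a generic
# "secret-looking name = long value" rule. An illustrative subset, not PingSafe's catalogue.
RULES = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "generic_secret_assignment": re.compile(
        r"(?i)\b(?:secret|password|passwd|token|api_key|apikey)\b\s*[:=]\s*['\"]?([A-Za-z0-9+/_=-]{20,})['\"]?"
    ),
}
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cut-off for the generic rule
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

def shannon_entropy(s: str) -> float:
    # Bits per character; low values indicate placeholders such as 'changeme', not real keys.
    if not s:
        return 0.0
    n, counts = len(s), {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def fingerprint(secret: str) -> str:
    # Report a hash prefix instead of the value so the alert itself does not re-leak it.
    return hashlib.sha256(secret.encode()).hexdigest()[:12]

def scan_line(line: str) -> list:
    # Return (rule, fingerprint) pairs for every secret-looking match on one line.
    hits = []
    for name, rx in RULES.items():
        for m in rx.finditer(line):
            value = m.group(1) if m.groups() else m.group(0)
            if name == "generic_secret_assignment" and shannon_entropy(value) < ENTROPY_THRESHOLD:
                continue  # low-entropy value: treat as a placeholder, not a credential
            hits.append((name, fingerprint(value)))
    return hits

def scan_diff(diff_text: str) -> list:
    # Scan only the lines a unified diff adds: those are what would reach the merged tree.
    findings, path, new_line = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith(("diff ", "index ", "--- ", "\\")):
            continue
        if raw.startswith("+++ "):
            path = re.sub(r"^b/", "", raw[4:].strip())
            continue
        m = HUNK_RE.match(raw)
        if m:
            new_line = int(m.group(1))  # first new-file line number in this hunk
            continue
        if raw.startswith("-"):
            continue  # removed lines do not advance the new-file line counter
        if raw.startswith("+"):
            for rule, fp in scan_line(raw[1:]):
                findings.append({"rule": rule, "path": path, "line": new_line, "fingerprint": fp})
        new_line += 1  # context and added lines both occupy a line in the new file
    return findings

def sprawl_report(findings: list) -> dict:
    # Group hits by fingerprint: one secret at several locations is the sprawl measured above.
    by_fp = defaultdict(list)
    for f in findings:
        by_fp[f["fingerprint"]].append(f"{f['path']}:{f['line']}")
    return dict(by_fp)

def gate(diff_text: str) -> int:
    # CI-style gate: a non-zero status blocks the merge when any secret is found.
    findings = scan_diff(diff_text)
    for fp, places in sprawl_report(findings).items():
        print(f"secret {fp} found at {len(places)} location(s): {', '.join(places)}")
    return 1 if findings else 0

# Constructed sample pull-request diff. AKIAIOSFODNN7EXAMPLE is the placeholder key used in
# AWS documentation; the hex api_key value is made up for this example.
SAMPLE_DIFF = """\
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,3 +1,5 @@
 DEBUG = False
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+api_key: "9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c"
+token = "changeme_changeme_changeme"
 ALLOWED_HOSTS = ["example.com"]
--- a/scripts/deploy.sh
+++ b/scripts/deploy.sh
@@ -10,2 +10,3 @@
 set -e
+export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
 ./deploy
"""

if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_DIFF))
```

Run against the sample diff, the gate reports the same AWS key at two locations (the settings file and the deploy script) and the hex api_key once, ignores the low-entropy placeholder token, and exits with status 1, which is the signal a CI job or pre-receive hook uses to refuse the merge. Wiring it into a pipeline is a matter of feeding it `git diff origin/main...HEAD` instead of the constructed string.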

Conclusion

Secrets sprawl is a pressing problem accelerated by the nature of the development and consumption of tools, resources, third-party services, applications, and libraries. Exploiting leaked secrets is one of the most common methods used by attackers.

We, at PingSafe, want to help more and more businesses across the globe to develop the right mindset, cloud security approaches, and guidelines to prevent leaked secrets and secure their infrastructure.

To see how PingSafe can secure your multi-cloud environment, sign up for a personalized demo today. 
