Around 52% of chief information security officers (CISOs) at organizations in the US and UK are unable to fully protect their company’s secrets, according to a report by code security platform GitGuardian. The report noted that while the practice of managing secrets in the United States and the United Kingdom has matured somewhat, it still has a long way to go.
About three-quarters of survey respondents reported at least one past leak.
The study, commissioned through Sapio Research, analyzed responses from 507 IT leaders, including CIOs, VPs of IT, CSOs, CISOs and VPs of cybersecurity, to gauge awareness of the risks posed by exposed secrets in DevOps environments.
“Each year, GitGuardian publishes its annual report, State of Secrets Sprawl, where we report on the growth in the number of secrets found on public GitHub,” said Thomas Segura, cybersecurity expert at GitGuardian. “With this new study, the goal was to better understand the awareness of the problem in the field and the obstacles security leadership encountered.”
The study, titled “Voice of Practitioners,” follows GitGuardian’s “State of Secrets Sprawl 2023” report released earlier this year, which revealed that the company detected 10 million source code secrets on public GitHub in 2022, a jump of 67% compared to the previous year.
The industry is wary of leaked secrets
The study showed that a large part of the IT sector based in the United States and the United Kingdom realizes the danger of exposed secrets. Seventy-five percent of respondents said that a secret leak has occurred in their organization in the past, and 60% acknowledged that it caused serious problems for the company, employees, or both.
The exposed secrets included API keys, usernames, passwords and encryption keys, etc. Only 10% of respondents with a past breach said the breach did not affect the company or its employees.
When asked about key risk points within their software supply chains, 58% named “source code and repositories” as the top risk area, while 53% and 47%, respectively, cited “open source dependencies” and “encoded secrets” as points of concern.
“It makes sense that repositories are a rich target for security vulnerabilities, including secrets,” said Melinda Marks, an analyst at ESG. “It’s important to remember that cloud-native application security isn’t just about securing the code inside an application; you must protect everything used to run and build the application. CI/CD pipelines and their associated repositories, which enable teams to quickly build their applications and collaborate, really drive the efficiency of cloud-native development.”
The numbers essentially meant that “the majority of respondents consider protecting secrets to be a critical component of application risk management,” according to the GitGuardian study.
The management is not quite there yet
While the practice of secrets management across the industry has matured somewhat, it still has a long way to go. A simple question about how well security professionals are currently able to prevent secrets from being leaked elicited a mixed bag of responses. While nearly half (48%) of respondents said they can prevent such leaks “to a large extent”, the rest answered “to some extent” or “to a very small extent”.
Additionally, when asked about their coded secrets strategy, 27% of respondents revealed that they rely on manual reviews to detect coded secrets, indicating an outdated and ineffective way of managing secrets. In addition, 17% believed they did not need secret detection as they used a secret manager or vault, and 3% confessed to having no strategy.
A significant proportion (53%) of senior security respondents also admitted that secrets were being shared in plain text messages within development teams.
“I think the biggest problem is that developers can be careful about exposing secrets when they write code, but they forget to remove important data, credentials, or secrets when they commit code. Developer training and awareness is important, rather than giving them tools to easily find and fix security issues,” Marks said.
The study noted that secret detection and remediation, as well as secret management, have a lower priority (in terms of investment) compared to other tools, particularly runtime protection tools. While 38% of respondents revealed plans to invest in runtime application protection tools, only 26% and 25%, respectively, said they will spend money on detecting and remediating secrets and on secret management.
GitGuardian’s findings, however, revealed a brighter side in that 94% of respondents said they plan to improve their secrets management practices in one way or another in the next 12-18 months.
Automated code reviews and secret scanners can help
Code reviews can be strengthened with automated checks, such as running SAST (static analysis), SCA (software composition analysis) and secret scanning, according to Segura.
“The latter is imperative because a secret may have been deleted and hidden from the reviewer while still representing a vulnerability present in the code history,” Segura said.
GitGuardian said that relying on secret scanners may not be enough to safeguard your organization.
“Secret scanners can help, yes. But the biggest problem with secrets is the faster speed and volume of their releases. Secrets are an item that can scale quickly with cloud-native development. So no, it’s not just whether there’s scanning, but how effective the scans are at reducing false positives and then having the context to drive efficient remediation to reduce security risk,” Marks said.
The study recommends preventing secret leaks with pre-commit measures, because remediation after the fact is complicated: gathering the context of a leaked secret in order to prioritize it is crucial, and that work can create friction.
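To make the two points above concrete, namely Segura's warning that a secret deleted from the current code still lives in the repository history, and the study's recommendation to catch secrets before they are committed, here is a small scanner written as an added example for this article. It is not GitGuardian's code and does not reproduce its detectors; the regexes, the `Finding` type, the sample staged diff and the two-revision history are all constructed for illustration, and the AWS key used is the well-known documentation placeholder `AKIAIOSFODNN7EXAMPLE`.

```python
import re
from dataclasses import dataclass

# Constructed detector set for this example. A production scanner uses
# hundreds of detectors plus entropy and validity checks; these four are
# enough to show the mechanics.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "generic_password": re.compile(
        r"(?i)(password|passwd|pwd)\s*[=:]\s*['\"]([^'\"\s]{8,})['\"]"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


@dataclass(frozen=True)
class Finding:
    kind: str       # which detector fired
    path: str       # file the secret sits in
    line: int       # 1-based line number in that revision of the file
    revision: str   # commit id, or "STAGED" for a pre-commit check


def scan_text(text, path, revision="STAGED"):
    """Scan one file's full content. Used for history scans."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pat in PATTERNS.items():
            if pat.search(line):
                findings.append(Finding(kind, path, lineno, revision))
    return findings


def scan_staged_diff(diff_text):
    """Pre-commit check: scan only the '+' lines of a unified diff, so the
    developer is told about a secret before it ever enters history."""
    findings, path, new_lineno, in_hunk = [], None, 0, False
    for line in diff_text.splitlines():
        if line.startswith("diff --git"):
            in_hunk = False
        elif line.startswith("+++ "):
            path = line[4:].removeprefix("b/")
        elif line.startswith("@@"):
            in_hunk = True
            new_lineno = int(re.search(r"\+(\d+)", line).group(1)) - 1
        elif not in_hunk:
            continue
        elif line.startswith("+"):
            new_lineno += 1
            for kind, pat in PATTERNS.items():
                if pat.search(line[1:]):
                    findings.append(Finding(kind, path, new_lineno, "STAGED"))
        elif line.startswith("-") or line.startswith("\\"):
            continue  # removed lines and "\ No newline" markers don't count
        else:
            new_lineno += 1  # unchanged context line
    return findings


def commit_allowed(diff_text):
    """Hook decision: block the commit if any staged line carries a secret."""
    return not scan_staged_diff(diff_text)


def scan_history(history):
    """history: list of (revision, {path: content}) snapshots, oldest first.
    Every snapshot is scanned, so a secret removed in a later revision is
    still reported: deleting it from HEAD does not revoke it."""
    findings = []
    for rev, tree in history:
        for path, content in tree.items():
            findings.extend(scan_text(content, path, rev))
    return findings


# Constructed sample input: what `git diff --cached` might produce when a
# developer replaces environment lookups with literal credentials.
STAGED_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,4 @@
 import os
-AWS_KEY = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "hunter2hunter2"
 REGION = "us-east-1"
"""

# Constructed two-revision history: c1 hard-codes a token, c2 "fixes" it
# by reading from the environment. HEAD is clean; history is not.
HISTORY = [
    ("c1", {"settings.py": 'DEBUG = True\nAPI_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"\n'}),
    ("c2", {"settings.py": 'import os\nDEBUG = True\nAPI_TOKEN = os.environ["API_TOKEN"]\n'}),
]

if __name__ == "__main__":
    for f in scan_staged_diff(STAGED_DIFF):
        print(f"staged: {f.kind} in {f.path}:{f.line}")
    print("commit allowed:", commit_allowed(STAGED_DIFF))
    for f in scan_history(HISTORY):
        print(f"history: {f.kind} in {f.path}:{f.line} at {f.revision}")
```

Wired into a `pre-commit` hook, the script would be fed the output of `git diff --cached -U0` and exit non-zero when `commit_allowed` is false, which is the cheap, friction-free moment to stop a leak. The history scan is the expensive counterpart: it finds the token that `c2` removed from the working tree but left in `c1`, which is exactly why a deleted secret must still be treated as compromised and rotated rather than merely removed.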
Copyright © 2023 IDG Communications, Inc.
A recently released report has revealed that the majority of Chief Information Security Officers (CISOs) in the US and UK do not have adequate strategies to protect their companies’ confidential information. The report, produced by the security firm Ikaroa, has revealed that the majority of reported cases involved weak passwords and limited oversight of data sharing processes. The findings demonstrate that effective security oversight within companies is key, as the threat landscape continues to evolve at a rapid pace.
Organizations around the world have an obligation to ensure that their confidential data is safe. In order to do this, companies need to be aware of the latest security threats, as well as have effective security procedures in place. Those responsible for a company’s security must remain vigilant, both through the use of secure IT systems and through frequent reviews and updates of security policies.
Security measures such as two-factor authentication should be put in place to ensure that confidential data is not accessed by unauthorized individuals. Encrypted storage and the regular backup of confidential information should also be used to ensure its safekeeping. While these measures can add to the cost of business operations, not implementing them can prove to be much more expensive in the long run.
The role of the CISO is also of paramount importance. CISOs should be thoroughly trained in the most up-to-date security threats and practices, and have a good understanding of best practices when it comes to data handling. Experienced CISOs should be able to recognize the importance of data protection and take the necessary steps to secure it.
Ultimately, the success of any company’s security efforts lies in the hands of its executives. They need to stay informed of the latest security threats and make sure that adequate measures are in place to protect data and customer information. As the latest report from Ikaroa reveals, executives must ensure that their security policies are up to date and that their CISOs are properly trained if they are to successfully protect their companies from the mounting security threats.