Summary
Secrets detection helps organizations identify insecurely managed access credentials, such as passwords that are hardcoded into text files. In this way, it allows them to discover risky secrets before attackers can find and exploit them.
In the context of software security, secrets are any type of information that permits access to systems or data – such as passwords, API keys, and access tokens. Secrets are widespread within modern IT environments, since users frequently rely on them to log into applications or services or unlock encrypted information.
Unfortunately, it’s not only legitimate users who can access secrets. Sometimes, attackers manage to locate secrets, especially if the secrets are stored in an insecure location, like a software code repository. When secrets fall into the wrong hands, they could lead to breaches that compromise an organization’s IT resources.
This is why secrets detection is an important part of modern cybersecurity strategies. By helping businesses to identify secrets that they may not be managing securely, secrets detection allows organizations to find and protect sensitive access information before attackers have a chance to abuse it.
Secrets detection: A definition
Secrets detection is the practice of finding sensitive secrets – meaning passwords, API keys and any other type of information used to grant access to an IT resource – within code repositories or other locations that lack adequate security controls.
Secrets detection automates the process of identifying secrets. This means that it allows teams to search through all of their software development environments quickly and with no manual effort beyond the small amount of time necessary to configure and deploy secrets detection tools.
Secrets detection example
For example, imagine that a developer creates the following Bash script to connect to a database:
#!/bin/bash
# Use the password in a simulated command
echo "Connecting to the database with the password..."
psql -h localhost -U admin -d database_name -W “top secret password”
This script uses a hardcoded password (“top secret password” in this example) to establish the connection to the database by feeding the password directly into the database connection command. This is insecure because anyone who is able to view the script would have access to the database password. A better approach would be to have the database prompt the user for the password interactively or (if that’s not possible because the login needs to be fully automated) to use a hashed password to log in.
A secrets detection tool could identify this risk by scanning the file, locating the line that includes the hardcoded password, and flagging it as insecure because it is a plain-text password available in an unencrypted file.
The importance of secrets detection
The ability to detect secrets automatically is valuable to businesses for two key reasons:
- If attackers manage to access secrets, they can log into systems or decrypt sensitive data with ease. Secrets give threat actors the same level of access to IT resources as legitimate users.
- It can be easy for developers to make mistakes or oversights that result in secrets being stored in insecure locations. For example, a developer might accidentally embed a secret in a plain text file when testing a system, and then forget to remove the secret after tests are done.
Put together, these points mean that secrets are both a prime target for threat actors and one that can be easy to attack.
Viewed from this perspective, secrets detection is important because it provides a means of finding secrets that may be lurking in software code or other locations without the knowledge of a business’s developers, IT team, or security analysts. In turn, secrets detection helps prevent secrets from leaking out of the development pipeline. An organization without a secrets detection process in place would risk not discovering secrets security problems until attackers have already carried out a breach using a stolen secret.
How secrets detection work
Typically, secrets detection tools work by automatically scanning software development environments and resources, such as the Git repositories that development teams often use to manage source code.
As they scan, the tools parse source code files, configuration files, databases, and any other resource that might contain an unencrypted secret – meaning one that is readable by anyone who has access to the resource in which the secret exists. They use pattern detection techniques to find strings within the resources that are likely to constitute secrets.
After locating secrets that developers may not have secured properly, secrets management software typically generates a list or report of where insecure secrets exist and which types of secrets they include. Using that information, developers can take steps to move the secrets to a secure location, such as a secrets management tool.
Secrets detection vs. secrets management
Secrets detection is related to secrets management, but they are distinct practices.
The purpose of secrets management is to ensure that developers and other stakeholders store and manage secrets properly. Typically, this entails preventing secrets sprawl, which is the scattering of secrets across various locations, many of which may be accessible to malicious parties. Instead, most secrets management strategies focus on storing all secrets in a central, secure secrets management tool.
In contrast, the purpose of secrets detection, as we’ve noted, is to find secrets that may not be stored securely. Secrets detection complements secrets management because, even if an organization has strict secrets management rules in place, there is typically nothing that can prevent employees from making mistakes that result in secrets being hardcoded into text files or other insecure locations. By automatically identifying such secrets, secrets detection helps to mitigate secrets management mistakes or oversights.
Best practices for secrets detection
To get the most out of secrets detection, consider the following best practices:
- Scan for secrets comprehensively: Secrets detection tools should scan all resources where secrets could possibly reside.
- Scan continuously: Because software resources change constantly, scanning for secrets periodically is not enough. Instead, teams should deploy scanning tools continuously so that they can detect insecure secrets as soon as they appear.
- Use multiple detection techniques: Because secrets can appear in many forms, the most effective secrets detection strategies employ multiple types of pattern-matching methodologies for finding different types of secrets.
- Contextualize secrets data: Contextual information, such as what a secret does and how recently it was added to a file, can help developers determine how best to remediate insecure secrets.
Detecting secrets with Checkmarx
Secrets detection is an integral feature of Checkmarx One. Learn how teams can quickly identify and eliminate access credentials lurking within software development environments by requesting a demo.