Leakage of software secrets – meaning passwords, API keys, encryption keys, and other sensitive data that software systems use for authentication and authorization – can have grave consequences for enterprise cybersecurity. This is why it is crucial to prevent secrets exposure and possible leakage. This article explains how, by discussing the common reasons why software secrets slip out and then providing best practices and tips to help prevent exposed secrets. We also cover secrets detection, which is important for identifying secrets within application code that you may not even have known were there.

What are secrets in software?

A software secret is any piece of information that can be used to access a software system or its data. Common examples include passwords, API keys, encryption keys, and certificates. Secrets should be available only to the human or machine users who are supposed to have them – such as IT staff who need to log into a server, or an application that needs a key to call an API.

However, oversights during software development and deployment can create situations where secrets become accessible to unauthorized users. These may be people within the organization who can reach secrets that their role does not entitle them to. They may also be external parties, such as threat actors seeking secrets to help them carry out a breach against the organization.

What is secret leakage?

Secret leakage is the exposure of software secrets to unauthorized parties. In other words, secret leakage occurs whenever secrets fall into the wrong hands, whether or not those hands are actively seeking to misuse them. Secrets leakage is not limited to scenarios where a cyberattack actually happens: any unintended exposure of secrets qualifies.
83 percent of organizations report having experienced at least one security incident due to secrets leakage.

Common causes of secret exposure

There are many ways in which secret exposure can occur. Among the more frequent scenarios for secrets leakage are:

Storing sensitive data in plain text: If access credentials are stored in an unencrypted plain-text file, anyone who can read the file can read the secrets. This happens, for example, when developers hardcode passwords, encryption keys, or API keys in source code. Since source code is stored as plain text, in repositories that many people can access, it is a major vector for secrets exposure.

Overprivileged users: Secrets exposure can occur when users inside an organization have privileges to access secrets that should not be available to them. Imagine, for example, that every developer in a company has access to all of the organization's API keys. A more secure approach is to give each developer access only to the specific keys he or she needs.

Accidental exposure of secrets to public access: Sometimes technical staff accidentally make sensitive information available to unauthenticated users. For instance, a developer might make a source code repository on GitHub public when it should be private. In that case, any access keys, passwords, tokens, or other sensitive data inside the repository is visible to anyone on the Internet, including anything that was committed in the past and since deleted, because the revision history is published along with the current files. Public repositories are routinely crawled by automated tools looking for exactly this kind of material.

Phishing: Threat actors looking for secrets they can exploit may launch phishing attacks to trick a company's employees into handing over credentials.

Secret leakage: Real-world examples

The risks of secret leakage are far from theoretical. Consider the following real-world examples of secret leakage and their impact on organizations.
Uber secret breach

In 2016, attackers gained access to the personal information of around 57 million Uber drivers and customers. The attackers reached a private GitHub repository used by Uber engineers, found credentials for Uber's Amazon Web Services account stored there, and used those credentials to pull the data from Uber's cloud storage. The breach was not disclosed until late 2017.

Slack token exposure

Like many modern businesses, Slack uses GitHub to manage its source code. In late December 2022, the company reported that a limited number of Slack employee tokens had been stolen and misused to download code from some of its externally hosted private GitHub repositories. According to Slack, the affected repositories did not contain customer data or any means of accessing it, and the stolen tokens were invalidated. Nonetheless, the incident underscored that a single leaked credential is enough to expose private repositories, and that everything inside them then belongs to whoever holds the token.

SolarWinds's hardcoded credential

SolarWinds – the same company whose Orion build process was compromised in 2020, producing a major software supply chain attack on its customers – more recently disclosed a vulnerability caused by a hardcoded credential in one of its products. SolarWinds reported that it fixed the issue before any major breaches occurred. But here again is an example of how something as seemingly simple as a single access credential lingering within a product's code can create major risk.

How to stop secret exposure in software platforms

Now that we have covered the causes of secret exposure, let us discuss how to prevent this risk. Because secrets may leak from software systems in multiple ways, there is no single step that businesses can take to protect themselves. Instead, preventing secrets exposure requires a multi-faceted strategy rooted in the following secrets management best practices.

Educate developers

For starters, developers should understand how to manage secrets properly.
They should learn why practices like hardcoding secrets are risky, and which alternatives they should use instead, such as a secrets manager or secrets vault: a tool designed to store secrets centrally and hand them out only to authorized users and workloads.

Prevent secret sprawl

Secret sprawl occurs when an organization's secrets are scattered across a variety of systems, such as source repositories, CI pipeline variables, configuration files, and developers' workstations. This makes it difficult to know which secrets exist, let alone whether they are secured. A better approach is to store secrets in a central location, which businesses typically do with a secrets manager or secrets vault.

Scan for secrets

Even if employees are well educated about secrets management best practices, it is impossible to guarantee that no secret will slip through the cracks. Organizations should therefore use secrets scanners, which automatically detect secrets in application source code, databases, configuration files, and so on. Scanning allows businesses to identify secrets that, despite their best efforts, ended up in insecure locations. Because version control keeps every committed revision, scans should cover repository history as well as the current files: a secret that was committed and later deleted is still present in the history.

Use temporary secrets

Instead of allowing secrets to remain valid indefinitely, make them short-lived. For example, when configuring access tokens, set them to expire after a fixed period. Temporary secrets will not prevent a secret from being exposed to unauthorized users, but they limit the impact of a leak by reducing the chance that the secret is still usable by the time an attacker obtains it. A short lifetime is not a substitute for revocation: a secret known to be exposed should be revoked and rotated immediately rather than left to expire.

Protect secrets across all stages of the SDLC

Secrets can leak from codebases in a variety of ways – which is part of the reason why securing secrets can be so challenging.
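The scanning step is the one that is easiest to make concrete. Below is an added example written for this article, not Checkmarx One's scanner or any other product's code: a small Python secrets scanner that combines format rules for credential types with a recognizable shape, a generic rule for a secret-sounding name assigned to a quoted literal, and a Shannon-entropy check that catches random-looking strings the keyword rules miss. It runs over two constructed files: a "before" with hardcoded credentials of the kind the Educate developers section warns against, and an "after" that reads them from the environment at runtime, as a secrets manager would inject them. The rule names, the `secrets-scan: allow` suppression marker, and all credential-shaped values are assumptions made for the demo (the AKIA value is AWS's own documentation placeholder).

```python
"""Minimal secrets scanner: keyword/format rules plus a Shannon-entropy check.

Added example for this article, not Checkmarx code. The sample files below are
constructed; the AKIA value is AWS's documented placeholder key and the other
credential-shaped strings are made up for the demo.
"""
import math
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    path: str
    line: int
    rule: str
    value: str  # redacted, so the report itself does not leak the secret


# Format rules for credential types with a documented, recognizable shape.
# The generic rule keys on an assignment of a secret-ish name to a quoted literal.
RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("assigned_secret", re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"\s]{8,})['\"]")),
]

# Quoted literals long enough to be a key, drawn from the base64/hex alphabet.
CANDIDATE = re.compile(r"['\"]([A-Za-z0-9+/=_\-]{20,})['\"]")
ENTROPY_THRESHOLD = 4.0  # bits/char; a random 32-char key scores ~5, prose ~3.5
ALLOW_MARKER = "secrets-scan: allow"  # hypothetical inline suppression comment


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's own character distribution."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def redact(value: str) -> str:
    return f"{value[:4]}...({len(value)} chars)"


def scan_text(path: str, text: str) -> List[Finding]:
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ALLOW_MARKER in line:  # reviewed public value, e.g. a certificate pin
            continue
        matched = False
        for name, rx in RULES:
            m = rx.search(line)
            if m:
                value = m.group(m.lastindex) if m.lastindex else m.group(0)
                findings.append(Finding(path, lineno, name, redact(value)))
                matched = True
        if matched:
            continue
        # Entropy catches keys the keyword rules miss (e.g. AWS_SECRET_ACCESS_KEY,
        # where "SECRET" is followed by "_" rather than "=").
        for m in CANDIDATE.finditer(line):
            if shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
                findings.append(Finding(path, lineno, "high_entropy_string", redact(m.group(1))))
    return findings


def scan_files(files: Dict[str, str]) -> Dict[str, List[Finding]]:
    return {path: scan_text(path, text) for path, text in files.items()}


# Constructed sample input: the hardcoded "before" and the vault-backed "after".
SAMPLE_FILES = {
    "config_before.py": (
        "import boto3\n"
        "# Constructed values shaped like real credentials; they are not live.\n"
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "Zq8VbW2LmY7pRtX4cKn9JdF3sHuG6aEe"\n'
        'db_password = "hunter2-but-longer!"\n'
        "session = boto3.Session(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)\n"
    ),
    "config_after.py": (
        "import os\n"
        "import boto3\n"
        "# Credentials are injected at runtime by the secrets manager; none live here.\n"
        "session = boto3.Session(\n"
        '    aws_access_key_id=os.environ["AWS_ACCESS_KEY_ID"],\n'
        '    aws_secret_access_key=os.environ["AWS_SECRET_ACCESS_KEY"],\n'
        ")\n"
        "# Public TLS pin (constructed), high entropy but not a secret:\n"
        'PIN_SHA256 = "Zq8VbW2LmY7pRtX4cKn9JdF3sHuG6aEeQ1w5Tz0Nv+i="  # secrets-scan: allow\n'
    ),
}

if __name__ == "__main__":
    for path, found in scan_files(SAMPLE_FILES).items():
        print(f"{path}: {len(found)} finding(s)")
        for f in found:
            print(f"  line {f.line}: {f.rule} -> {f.value}")
```

On the "before" file the scanner reports three findings (the AKIA key by format, the secret key by entropy, the password by the assignment rule); the "after" file produces none, and the high-entropy certificate pin is skipped because of the allow marker. Production scanners add far more patterns, verify whether a credential is live, and walk git history rather than just the working tree; the entropy threshold is a recall/false-positive trade-off that needs tuning per codebase.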
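To make the "temporary secrets" advice concrete, here is an added example written for this article (not code from Checkmarx or from any token library): short-lived bearer tokens signed with HMAC-SHA256 and carrying their own expiry. The verifier checks the signature before trusting anything in the payload, rejects the token once `exp` has passed, and rejects an attacker's attempt to push `exp` into the future without the signing key. The key, subject, timestamps, and the simplified `base64url(payload).base64url(signature)` format are all constructed for the demo.

```python
"""Short-lived, HMAC-signed bearer tokens with an embedded expiry.

Added example for this article, not Checkmarx code. The key, subject and
timestamps are constructed; the token format (base64url(payload).base64url(sig))
is a simplified stand-in for JWT-style tokens.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Any, Dict, Optional


class TokenError(Exception):
    """Raised when a token is malformed, forged or past its expiry."""


def _b64(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _unb64(enc: bytes) -> bytes:
    return base64.urlsafe_b64decode(enc + b"=" * (-len(enc) % 4))


def issue_token(signing_key: bytes, subject: str, ttl_seconds: int,
                now: Optional[float] = None) -> str:
    """Mint a token for `subject` that stops validating after `ttl_seconds`."""
    issued = int(time.time() if now is None else now)
    payload = {"sub": subject, "iat": issued, "exp": issued + ttl_seconds,
               "jti": secrets.token_hex(8)}  # unique id, usable for a revocation list
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(signing_key, body, hashlib.sha256).digest()
    return (body + b"." + _b64(sig)).decode()


def verify_token(signing_key: bytes, token: str,
                 now: Optional[float] = None) -> Dict[str, Any]:
    """Return the payload, or raise TokenError. Signature is checked first."""
    parts = token.encode().split(b".")
    if len(parts) != 2:
        raise TokenError("malformed")
    body, sig = parts
    expected = _b64(hmac.new(signing_key, body, hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        raise TokenError("bad signature")
    payload = json.loads(_unb64(body))
    current = time.time() if now is None else now
    if current >= payload["exp"]:
        raise TokenError("expired")
    return payload


def check(signing_key: bytes, token: str, now: Optional[float] = None) -> str:
    """Convenience wrapper: 'ok' or the rejection reason."""
    try:
        verify_token(signing_key, token, now)
        return "ok"
    except TokenError as err:
        return str(err)


def stretch_expiry(token: str, new_exp: int) -> str:
    """Attacker's move: rewrite exp in the payload but keep the old signature."""
    body, sig = token.encode().split(b".")
    payload = json.loads(_unb64(body))
    payload["exp"] = new_exp
    return (_b64(json.dumps(payload, separators=(",", ":")).encode()) + b"." + sig).decode()


if __name__ == "__main__":
    key = b"constructed-signing-key-for-demo"   # real deployments: from a vault
    t0 = 1_700_000_000                          # fixed clock for a reproducible run
    tok = issue_token(key, "deploy-bot", ttl_seconds=900, now=t0)
    print("fresh:    ", check(key, tok, now=t0 + 60))
    print("expired:  ", check(key, tok, now=t0 + 900))
    print("forged:   ", check(key, stretch_expiry(tok, t0 + 86_400), now=t0 + 3_600))
    print("wrong key:", check(b"other-key", tok, now=t0 + 60))
```

The 15-minute lifetime in the demo is the whole point: a token copied out of a log or a leaked config is worthless once `exp` passes, and the attacker cannot extend it because the signature covers the payload. The signing key itself is now the long-lived secret, which is why it belongs in a vault and not in the code that uses it.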
Keeping your secrets secret

The best software secrets are those that remain secret, which is why it is critical for organizations not just to follow best practices when creating and managing secrets, but also to deploy secrets detection solutions such as those available within the Checkmarx One cloud-native application security platform. Checkmarx One helps deliver confidence that no secrets within your software systems linger undetected and unsecured. Learn more by requesting a demo.