Secrets in GitHub reached 10 million occurrences last year, an increase of 67% from 2021. The historical high poses a significant threat to the software supply chain.
The ever-increasing numbers were unveiled in GitGuardian's State of Secrets Sprawl 2023 report this week, following the company's analysis of over 1 billion new commits on the open-source software platform in 2022. Also noteworthy: one out of 10 code authors exposed a secret, and 5.5 commits out of 1,000 exposed at least one secret.
Secrets are not just credentials; they are what binds the various components of the modern software supply chain together, GitGuardian wrote. Given their significance, they have been heavily targeted by hackers and drove major security incidents in 2022.
For example, secrets were exploited in attacks against Uber as a hacker used hard-coded admin credentials to log into the company's Privileged Access Management platform, resulting in a full account takeover on several internal tools and productivity applications.
Other incidents include stolen source code repositories affecting Microsoft, LastPass, Okta, Samsung, NVIDIA, Dropbox, Slack, and secrets leaked publicly impacting over 18,000 Android apps, Infosys, and TOYOTA.
Hard-coded secrets risk software supply chain
Michael White, technical director and principal architect at Synopsys, urged developers to avoid using hard-coded secrets as they are often stored in plain text and can be easily extracted from the source code. And once attackers obtain the secrets from one compromised system, they will move laterally across the network and gain access to others.
This type of attack is also harder to detect given that hard-coded secrets are valid credentials, Timothy De Block, application security engineering practice lead at GuidePoint Security, told SC Media. For example, Toyota revealed last year that a partial copy of its T-Connect source code had been exposed for five years without being noticed, affecting over 290,000 customers.
"[Hard-coded secrets] put the software supply chain at risk by allowing attackers to move around the environment easily, while remaining undetected for an extended period of time," De Block said.
Human error driving the risk
GitGuardian's analysis found that over 80% of secrets are exposed through developers' personal repositories, and a large portion of them are, in fact, corporate secrets. While malicious intent cannot be completely ruled out, the scale of the issue suggests that human error is the cause, with developers improperly configuring their Git repositories.
"People tend to think that hard-coded secrets are committed most by junior developers. But surprisingly, our findings show that this happens to all levels of developers, regardless of their experience," Mackenzie Jackson, developer advocate at GitGuardian, told SC Media. "Senior developers are actually responsible for many hard-coded secrets. They have access to the largest number of keys, and when they have to deal with those keys under tremendous pressure and deliver quickly to meet business demands, they are very likely to make mistakes."
While developers need to raise awareness of the issue, GitGuardian noted that companies should "get a clear audit of the organization's security posture regarding secrets" to minimize the risk. Specifically, companies can start by asking themselves questions like "where and how are [those secrets] used? Where do they leak? How to prepare for the worst?"
To gradually shift to a "zero secrets-in-code" policy, GitGuardian also suggested following step-by-step strategies:
- Monitor commits and merge/pull requests in real time for all repositories with native VCS or CI integration.
- Enable pre-receive checks to harden central repositories against leaks, and "stop the bleeding."
- Educate about using pre-commit scanning as a seatbelt.
- Plan for the longer term: develop your strategy for dealing with incidents discovered through historical analysis.
- Implement a secrets security champion program.
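As an added illustration of the "pre-commit scanning as a seatbelt" and pre-receive steps above (example code written for this article, not GitGuardian's or SC Media's tooling), the script below scans the added lines of a git diff for two documented key formats and for high-entropy values assigned to secret-looking variable names, so a hook can refuse the commit before a key ever reaches the remote. The rule set, the 3.8 bits/character entropy threshold and the sample diff are assumptions constructed for the example; the only real-looking key in it is the example access key ID from AWS's own documentation.

```python
import math
import re
import subprocess
from collections import Counter

# Documented key formats (AWS access key ID, PEM private key) plus a generic
# "password/secret/token/api_key = value" pattern whose value is judged by entropy.
RULES = [("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
         ("private-key-block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"))]
GENERIC_ASSIGN = re.compile(r"(?i)(?:password|passwd|secret|token|api[_-]?key)\w*\s*[:=]\s*['\"]?([^'\"\s]{16,})")
def shannon_entropy(s):  # bits per character: placeholders score low, random keys high
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def scan_diff(diff_text, entropy_threshold=3.8):  # -> [(path, new_line_no, rule, matched_text)]
    findings, path, line_no = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
            continue
        if raw.startswith("@@"):  # "@@ -old +new,count @@": restart new-file numbering here
            line_no = int(re.match(r"@@ -\S+ \+(\d+)", raw).group(1)) - 1
            continue
        if raw.startswith(("-", "\\")):
            continue  # removed lines and "\ No newline" markers take no new-file line
        line_no += 1  # context and added lines both occupy a new-file line
        if not raw.startswith("+"):
            continue  # only added lines can introduce a new secret
        for name, rx in RULES:  # the leading "+" is outside every pattern, so raw is scanned as-is
            if m := rx.search(raw):
                findings.append((path, line_no, name, m.group(0)))
        if (m := GENERIC_ASSIGN.search(raw)) and shannon_entropy(m.group(1)) >= entropy_threshold:
            findings.append((path, line_no, "high-entropy-assignment", m.group(1)))
    return findings

# Constructed sample: a low-entropy placeholder (ignored), AWS's documentation example key, a random token.
SAMPLE_DIFF = """--- a/config/settings.py
+++ b/config/settings.py
@@ -10,3 +10,5 @@ DEBUG = False
 ALLOWED_HOSTS = ["example.internal"]
-DB_PASSWORD = os.environ["DB_PASSWORD"]
+DB_PASSWORD = "<set-via-environment>"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+STRIPE_TOKEN = "Qz8vT2kLm9XpR4sWb1NcY7eHd6JfG0aU"
 LOG_LEVEL = "info"
"""
if __name__ == "__main__":  # as a pre-commit hook: scan only staged changes, block the commit on a hit
    hits = scan_diff(subprocess.run(["git", "diff", "--cached"], capture_output=True, text=True).stdout)
    print("\n".join(f"{p}:{n}: {r}" for p, n, r, _ in hits))  # report location and rule, not the value
    raise SystemExit(1 if hits else 0)
```

The same function can run server-side in a pre-receive hook over the pushed range, which is the "stop the bleeding" step; the entropy threshold needs tuning per code base, since random hex strings sit close to the 4 bits/character ceiling while base64 keys score higher.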
It is also worth highlighting that Docker images are one of the largest unmonitored attack surfaces, with GitGuardian finding more than 4,000 hard-coded secrets in a sample of 10,000 images.
Yotam Perkal, director of vulnerability research at Rezilion, told SC Media that this might be because Docker images have a different build process, and organizations do not monitor it as closely as they do the secrets in the code they push to GitHub.
"These Docker files and the Docker build process should get the same amount of security attention as normal code," Perkal said.
SC Media previously reported that numerous critical vulnerabilities are hidden in hundreds of Docker containers that have been downloaded billions of times collectively and remain undetected by most vulnerability scanners and SCA tools.