Majority of US, UK CISOs unable to protect company ‘secrets’: Report

About 52% of chief information and security officers (CISOs) in the US and UK organizations are unable to fully secure their company secrets, according to a report by code security platform GitGuardian. The report pointed out that even though secrets management practice across the US and the UK has seen some maturity, it still needs to go a long way.

About three-quarters of the respondents to the survey reported at least one past leak.

The study, commissioned through Sapio Research, analyzed responses from 507 IT decision makers including IT directors, vice presidents of IT, CIOs, CSOs, CISOs, and vice presidents of cybersecurity, to assess awareness of the risks posed by exposed secrets in DevOps environments.

“Every year, GitGuardian publishes its annual report the State of Secrets Sprawl where we report on the growth of the number of secrets found on public GitHub,” said Thomas Segura, cyber security expert at GitGuardian. “With this new study, the goal was to better understand awareness of the problem in the field and the obstacles encountered by security leadership.”

The study, titled “Voice of Practitioners”, follows GitGuardian’s “State of Secrets Sprawl 2023” report published earlier this year, which revealed 10 million source code secrets detected by the company on public Github in 2022, a 67% jump since last year.

Industry is wary of leaked secrets

The study showed that a huge chunk of the US and UK-based IT sector realizes the danger of exposed secrets. Seventy-five percent of the respondents said that a secret leak has happened in their organization in the past, with 60% acknowledging it caused serious issues for the company, employees, or both.

The exposed secrets included API keys, usernames, passwords, and encryption keys, etc. Only 10% of respondents with a past leak said that the leak did not affect the company or its employees.

When asked about the key risk points within their software supply chains, 58% found “source code and repositories” as the core risk area, with other 53% and 47% respectively indicating “open source dependencies” and “hard-coded secrets” as troubling points.

“It makes sense that the repositories would be a rich target for security vulnerabilities including secrets,” said Melinda Marks, an analyst at ESG. “It’s important to remember that cloud-native application security is not just about securing code within an application; you have to secure everything used to run and build the app. The CI/CD pipelines and their associated repos, which enable teams to rapidly build their applications and collaborate, really drive the efficiency of cloud-native development.”

The figures basically meant that “the majority of respondents consider secrets protection to be a critical component of application risk management,” according to the GitGuardian study.

Management isn’t quite there yet

Although the secrets management practice across the sector has seen some maturity, it still has to go a long way. A simple question about the extent to which secuirty professionals are presently able to prevent secrets from being leaked elicited a mixed bag of responses. While half (48%) of the respondents said they can prevent such leaks “to a great extent,” the remaining answered “to some extent” or to “very little” extent.

Also, when asked about their hard-coded secrets strategy, 27% of the respondents revealed that they rely on manual reviews to detect hard-coded secrets, indicating an outdated, ineffective way of secrets management. Additionally, 17% believed they didn’t need secrets detection as they use a secret manager or a vault, and 3% confessed to not having a strategy at all.

A significant share (53%) of senior security respondents also admitted that secrets were being shared in plain text messages within development teams.

“I think the biggest issue is just that developers may be careless about exposing secrets when they are writing code, but they forget to remove important data, credentials, or secrets when they commit code. Developer training and awareness is important, as well as giving them tools to easily find and correct security issues,” Marks said.

The study noted that secrets detection and remediation, as well as secrets management, are less prioritized (in terms of investment) compared to other tools, notably runtime protection tools. While 38% of respondents revealed plans to invest in runtime application protection tools, only 26% and 25% respectively said they will put money into secrets detection and remediation and secret management.

GitGuardian findings did, however, reveal a brighter side in the sense that 94% of the respondents said they were, in one way or another, considering improving their secrets practices in the coming 12-18 months.

Automated code reviews and secret scanners can help

Code reviews can be enhanced by automated code verification, such as running SAST (static analysis), SCA (software composition analysis), and secrets scanner, according to Segura.

“The latter is a must because a secret may have been deleted and be hidden from the reviewer while still representing a vulnerability present in the code history,” Segura said.

GitGuardian said depending on secret scanners may not be enough to safeguard your organization.

“Secret scanners can help, yes. But the bigger issue with secrets is the faster speed and volume of their releases. Secrets are an element that can scale rapidly with cloud-native development. So, it’s not just whether there is scanning, it’s the efficacy of the scans to reduce false positives, and then having the context to drive efficient remediation to reduce security risk,” Marks said.

The study recommends the prevention of secrets leaks with pre-commit measures since remediation can be tricky as gathering context for leaked secrets for prioritization is crucial and can come with friction.