mhill
UK Editor

Hard-coded secrets up 67% as secrets sprawl threatens software supply chain

News Analysis
Mar 08, 2023 | 5 mins
Application Security, Data and Information Security, Vulnerabilities

2022 was a particularly leaky year in relation to secrets, GitGuardian’s latest State of Secrets Sprawl report finds.

The number of detected hard-coded secrets increased by 67% last year compared to 2021, with 10 million new secrets discovered in public GitHub commits in 2022. That’s according to GitGuardian’s State of Secrets Sprawl 2023 report. It found that hard-coded secrets and accelerating secrets sprawl (storing secrets in many different places) are threatening the security of software supply chains.

Hard-coded secrets pose significant security risks because they are often stored in plain text, making it easier for attackers to extract them from source code. They can also be inadvertently disclosed or exposed through other security vulnerabilities like code injection or data leaks.

2022 a very “leaky” year for secrets

GitGuardian scanned over one billion GitHub commits from last year, revealing that 2022 was particularly leaky in relation to secrets. Of the 13.3 million distinct authors who pushed code to GitHub in 2022, 1.35 million accidentally exposed a secret, while 5.5 commits out of 1,000 exposed at least one secret, a 50% increase on 2021, the report stated. GitGuardian divides its detectors into two types: specific and generic. Specific detectors match recognizable secret formats such as AWS access keys or MongoDB database credentials, and specific secrets accounted for 33% of the secrets detected in the research. Generic detectors, which match secrets such as company email addresses and passwords hard-coded in a file, accounted for the remaining 67%.

The top specific secrets caught in 2022 were google_api_key, private_key_rsa, private_key_generic, googlecloud_keys, and postgresql_credentials. Passwords, high entropy secrets, and usernames/passwords were the most-found generic secrets, according to GitGuardian. The report cited recent examples that saw secrets exploited in attacks against Uber and CircleCI; stolen source-code repositories affecting the likes of LastPass, Microsoft, Okta, and Samsung; and publicly exposed secrets impacting Android, Toyota, and Infosys.

Hard-coded secrets, secrets sprawl threaten software supply chain

Hard-coded secrets and secrets sprawl pose significant threats to the security of software supply chains, the report read. “Secrets can get exposed in more ways than one, and source code is an asset that can quickly be lost to subcontractors and, of course, source-code theft.” Discussions and activity relating to API secret sharing on the dark web are also an increasing issue, it added. “Discussions around stealing and selling API keys is a relatively new phenomenon in the darknet over the last couple of years that we expect to continue to grow.” Threat actors who are looking to facilitate the wider distribution of malware through supply chain compromises have also discussed credentials and pivot points sourced from open repositories, the report continued.

“The key issue is that a hard-coded secret is not only difficult to change – which is a very desirable feature both for security and non-security reasons such as infrastructure upgrades – but also can be exposed to anyone who has access to the source code,” Fernando Montenegro, senior principal analyst at Omdia, tells CSO. This is a significant issue that can result in an attacker using the information for impersonation or for obtaining further sensitive details about the environment, he adds. “The consequences can range from negative auditing findings all the way to complete infrastructure compromise and massive data exfiltration. Currently, it’s common for these secrets to find their way into source code control systems such as Git, which then potentially exposes those secrets much more widely, perhaps even to the general public.”

Hard-coded secrets are prone to exposure and compromise, and they also create an insider-threat risk from personnel who know them, agrees Sohail Iqbal, CISO at Veracode. “Hard-coded secrets in commercial products pave the way for large scale DDoS attacks. A significant number of rising supply chain attacks indicates a high risk for CI/CD pipelines with embedded secrets.”

Addressing security risks of hard-coded secrets, secrets sprawl

Companies must understand that source code is one of their most valuable assets and must be protected, the report concluded. “The very first step is to get a clear audit of the organization’s security posture regarding secrets: Where and how are they used? Where do they leak? How to prepare for the worst? Like many other security challenges, poor secrets hygiene involves the usual trifecta of people, processes, and tools. Organizations serious about taming secrets sprawl must work on all these fronts simultaneously.”

Hard-coded secrets detection and mitigation can be shifted left at various levels to build defense-in-depth across the development cycle, GitGuardian added. Useful strategies include:

  • Monitor commits and merge/pull requests in real-time for all repositories with native VCS or CI integration.
  • Enable pre-receive checks to harden central repositories against leaks.
  • Plan for the longer-term: develop your strategy for dealing with incidents discovered through the historical analysis.
  • Implement a secrets security champion program.
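To make the specific/generic detector split described earlier and the commit-time checks in the list above concrete, here is a minimal scanner written for this article. It is example code, not GitGuardian's engine: the AWS, Google API key, PEM and PostgreSQL URL formats are publicly documented, the detector names follow those quoted from the report, and the minimum length, entropy threshold, keyword list and the sample source (with fake values) are assumptions constructed for the example.

```python
"""Minimal hard-coded-secret scanner for commit-time checks.

Specific detectors match recognizable credential formats; one generic
detector flags credential-looking assignments whose value is long and
random-looking (high Shannon entropy). Illustrative code, not GitGuardian's.
"""
import math
import re
import sys
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line_no: int
    detector: str
    redacted: str  # only a prefix is kept; a scanner must never echo the whole secret


# Specific detectors (first match per line wins). Formats are public; names follow the report.
SPECIFIC = [
    ("aws_access_key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("google_api_key", re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b")),
    ("postgresql_credentials",
     re.compile(r"\bpostgres(?:ql)?://[^\s:/@]+:[^\s@]+@[^\s/]+")),
    ("private_key_rsa", re.compile(r"-----BEGIN RSA PRIVATE KEY-----")),
    ("private_key_generic",
     re.compile(r"-----BEGIN (?:EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----")),
]

# Generic detector: a credential-like variable name assigned a quoted or bare value.
GENERIC_ASSIGN = re.compile(
    r"\b\w*(?:password|passwd|pwd|secret|token|api[_-]?key)\w*\s*[:=]\s*['\"]?([^\s'\"]+)",
    re.IGNORECASE,
)
MIN_LEN = 16        # assumption: shorter values are usually placeholders ("changeme")
MIN_ENTROPY = 3.5   # assumption: bits per character; 16 distinct characters score 4.0


def shannon_entropy(value: str) -> float:
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def is_high_entropy(value: str) -> bool:
    return len(value) >= MIN_LEN and shannon_entropy(value) >= MIN_ENTROPY


def redact(value: str) -> str:
    return value[:4] + "..."


def scan_text(text: str) -> list[Finding]:
    """Return one finding per line; specific detectors take precedence over the generic one."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        hit = None
        for name, pattern in SPECIFIC:
            m = pattern.search(line)
            if m:
                hit = Finding(line_no, name, redact(m.group(0)))
                break
        if hit is None:
            m = GENERIC_ASSIGN.search(line)
            if m and is_high_entropy(m.group(1)):
                hit = Finding(line_no, "generic_high_entropy", redact(m.group(1)))
        if hit:
            findings.append(hit)
    return findings


# Constructed sample; every value below is fake (AWS's documented example key ID, a
# Google-shaped string, a dummy DSN, a 16-distinct-character password, two placeholders).
SAMPLE_SOURCE = """\
# constructed sample; every value below is fake
GOOGLE_API_KEY = "AIzaSyD-EXAMPLE_0123456789abcdefghijklm"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
DATABASE_URL = "postgresql://app:s3cr3t@db.internal:5432/prod"
SMTP_PASSWORD = "Xk9#mQ2pL7vN4wRt"
DEBUG_PASSWORD = "changeme"
ADMIN_TOKEN = "aaaaaaaaaaaaaaaaaaaa"
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAexample
"""


def main(argv: list[str]) -> int:
    # A file argument, else piped input (e.g. `git diff` from a hook), else the demo sample.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    elif not sys.stdin.isatty():
        text = sys.stdin.read()
    else:
        text = SAMPLE_SOURCE
    findings = scan_text(text)
    for f in findings:
        print(f"line {f.line_no}: {f.detector} ({f.redacted})")
    return 1 if findings else 0  # non-zero exit lets a hook reject the commit or push


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments it scans the embedded sample and reports five findings (the "changeme" and all-"a" placeholders fall below the length and entropy floors). For a client-side pre-commit hook, pipe the staged diff through it (`git diff --cached -U0 | python scan_secrets.py`); a server-side pre-receive hook reads `old new ref` lines on stdin and can feed `git diff old new` to the same scanner, so the central repository rejects the push before the secret lands in history. Giving specific detectors precedence per line mirrors the report's split: a known key format is a more confident, better-named finding than "a long random-looking value", and the generic detector is what catches the plain passwords that make up the larger share of leaks.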

“Designing environments to not use hard-coded secrets should be a high priority for most organizations,” adds Montenegro. “Solutions will vary, including secrets management tooling, source code reviews, and much more. The first step is widespread acceptance within the organization – from developers and security engineers all the way up through their respective management chains – that hard-coded secrets are a ‘must fix’ security design flaw.”

Michael Hill is the UK editor of CSO Online. He has spent the past five-plus years covering various aspects of the cybersecurity industry, with particular interest in the ever-evolving role of the human-related elements of information security. A keen storyteller with a passion for the publishing process, he enjoys working creatively to produce media that has the biggest possible impact on the audience.
