The software supply chain security tool will host new secret-detection capabilities through the command-line interface to help developers prioritize remediation efforts.

ReversingLabs has added new secret-detection capabilities to its software supply chain security (SSCS) tool to help developers prioritize remediation with context-based data on application development secrets.

In a development environment, secrets refer to digital authentication credentials used in software components, including login credentials, API tokens, and encryption keys.

“We are using our knowledge of exposed secrets in the billions of files we’ve previously analyzed to provide that context,” said Tomislav Pericin, co-founder and chief software architect at ReversingLabs. “For example, commonly shared secrets used for testing open-source components that have been public for years are not secrets — so why tell developers to fix them.”

Although essential for the proper functioning of software, handling secrets effectively throughout all parts of the code — as well as during the various stages of development, such as the Software Development Life Cycle and Continuous Integration and Continuous Delivery (CI/CD) — can be difficult and may lead to the inadvertent exposure of secrets.

In early 2021 CircleCI and Codecov — two significant, cloud-based continuous integration and delivery platforms — experienced breaches that compromised user data, including environment variables and API tokens. The incidents highlighted the risk posed by exposed secrets and led several organizations to reset their API tokens and take other security measures to protect their applications and data.

Problem of false positives in secrets detection

Existing secret-detection tools are flooding developers with enormous numbers of false positives, causing them to bypass detections rather than triage and fix them, the company said.

The primary principle behind ReversingLabs’ secret-detection system is that effective secrets analysis is only achievable when additional context can be applied automatically to determine whether a detected secret is worth the remediation effort.

ReversingLabs’ SSCS tool claims to cover 250 secret types, including private keys, version control, certificates, and tokens. After detection, the tool enables teams to promptly verify the discovered secrets as true positives, pinpoint their exact location, identify the affected services, and check whether these secrets are also exposed or leaked elsewhere.

Prioritization helps reduce remediation fatigue

ReversingLabs’ software focuses on prioritizing remediation efforts by suppressing commonly shared secrets, such as third-party, open-source, and testing keys, thus reducing the burden of manual triage.

“The status quo with secrets is to detect a lot of items and hope someone has time to triage and remediate. That’s not sustainable when large software releases can contain thousands of secrets,” Pericin added. “Our solution is different because the focus of most of our new capabilities is on removing the noise from secrets detection with automated triage.”

In addition to contextual prioritization, ReversingLabs’ software enforces just-in-time secrets management, canary token management, and custom detection policies. While just-in-time and canary token management effect a timely resolution of the detections, custom detection policies give fine-grained control over the detection rules.

The software also provides the historical context of a detected secret, outlining whether and when the secret has already been exposed, to underscore its level of risk compared with other, non-actionable false positives.

The secret-detection feature is already available in ReversingLabs’ SSCS tool through the command-line interface at no additional cost.
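To make the contextual triage described above concrete, here is a small added example (not ReversingLabs' code, and not its rule set) of a scanner that first detects candidate secrets with simplified regex rules and then applies three pieces of context before deciding what to report: a fingerprint allowlist of secrets already known to be public (the "commonly shared testing keys" the article says should be suppressed), a record of fingerprints previously seen exposed elsewhere (the "historical context" that raises risk), and a path heuristic for test and fixture directories. Only SHA-256 fingerprints of matched values are stored or compared, never the raw secret. The rules, the knowledge-base contents, and the sample files are all constructed for this illustration.

```python
"""Added example: secret detection with context-based triage.

Constructed for illustration; the detection rules, allowlist, exposure record
and sample repository below are not taken from any real product or dataset.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass

# Simplified detection rules (constructed). Each rule captures the secret value
# in group 1 so it can be fingerprinted without keeping the raw value around.
RULES = {
    "private_key": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----(.*?)-----END", re.S
    ),
    "api_token": re.compile(
        r"(?i)\b(?:api_?token|api_?key|token)\s*=\s*['\"]([A-Za-z0-9_\-]{16,})['\"]"
    ),
}

# Paths that usually hold test or example material. Findings there are only
# deprioritised, not suppressed: real keys do end up in fixtures sometimes.
TEST_PATH_HINT = re.compile(r"(^|/)(tests?|fixtures?|examples?|samples?)/")


def fingerprint(secret: str) -> str:
    """Compare secrets by hash so the scanner never stores the raw value."""
    return hashlib.sha256(secret.encode()).hexdigest()


# Constructed knowledge base: fingerprints of secrets that are already public
# (e.g. a demo token shipped in a library README) and are therefore not secrets.
KNOWN_PUBLIC = {fingerprint("public_demo_token_shared_by_everyone_0000")}
# Constructed exposure record: fingerprints of secrets previously seen leaked.
SEEN_EXPOSED = {fingerprint("prod_tok_9f8e7d6c5b4a39281706f5e4d3c2b1a0")}


@dataclass
class Finding:
    path: str
    line: int
    rule: str
    fingerprint: str
    verdict: str = "untriaged"
    reason: str = ""


def detect(files: dict[str, str]) -> list[Finding]:
    """Stage 1: raw pattern matching over every file, no context applied yet."""
    findings = []
    for path, text in files.items():
        for rule, pattern in RULES.items():
            for m in pattern.finditer(text):
                lineno = text.count("\n", 0, m.start()) + 1
                findings.append(Finding(path, lineno, rule, fingerprint(m.group(1).strip())))
    return findings


def triage(f: Finding) -> Finding:
    """Stage 2: apply context to decide whether the finding deserves attention."""
    if f.fingerprint in KNOWN_PUBLIC:
        f.verdict, f.reason = "suppressed", "matches a publicly known test/demo secret"
    elif f.fingerprint in SEEN_EXPOSED:
        f.verdict, f.reason = "critical", "same secret previously seen exposed elsewhere"
    elif TEST_PATH_HINT.search(f.path):
        f.verdict, f.reason = "low", "under a test/example path; verify it is not a real key"
    else:
        f.verdict, f.reason = "high", "unique secret in a production code path"
    return f


PRIORITY = {"critical": 0, "high": 1, "low": 2, "suppressed": 3}


def prioritised(files: dict[str, str]) -> list[Finding]:
    """Detect, triage, and order findings so the riskiest come first."""
    return sorted((triage(f) for f in detect(files)), key=lambda f: (PRIORITY[f.verdict], f.path))


def actionable(files: dict[str, str]) -> list[Finding]:
    """What a developer actually needs to look at: everything not suppressed."""
    return [f for f in prioritised(files) if f.verdict != "suppressed"]


# Constructed sample repository: one real-looking production token, one key in
# a test fixture, and one demo token that is public knowledge.
SAMPLE_FILES = {
    "src/payments.py": 'API_TOKEN = "prod_tok_9f8e7d6c5b4a39281706f5e4d3c2b1a0"\n',
    "tests/fixtures/test_key.pem": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIBconstructedNotARealKey\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "vendor/lib/README.md": 'token = "public_demo_token_shared_by_everyone_0000"\n',
}

if __name__ == "__main__":
    for f in prioritised(SAMPLE_FILES):
        print(f"{f.verdict:10} {f.path}:{f.line} [{f.rule}] {f.reason}")
```

Running the block lists three findings: the production token is ranked critical because its fingerprint matches the exposure record, the fixture key is reported but marked low, and the README demo token is suppressed entirely, so `actionable()` returns two items instead of three. In a real deployment the two fingerprint sets would be the large, continuously updated corpus the article describes rather than two hard-coded hashes.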