State of Secrets Sprawl Report Reveals 10M Secrets Occurrences Detected in 2022; Up 67% From 2021
GitGuardian Report Highlights Need for Secure Software Development; Secrets Sprawl Expands Globally and Threatens the Software Supply Chain
Paris, France - March 8, 2023 - GitGuardian, the world leader in automated secrets detection, today announced the results of its 2023 State of Secrets Sprawl report. The report is based on GitGuardian’s detailed analysis of public GitHub during 2022.
GitGuardian scanned 1.027B new commits in 2022 (+20% compared to 2021) and found 10,000,000 secrets occurrences (+67% compared to 2022). What is interesting beyond this ever-increasing number is that 1 code author out of 10 exposed a secret in 2022.
It is a common myth that junior developers mostly commit hard-coded secrets, but the reality is that this can happen to any developer, regardless of their experience or seniority.
Secrets are not just any kind of credentials; they securely hold together the components of the modern software supply chain, from code to the cloud. And because of the leverage they provide, they have become hackers’ most sought-after information. However, many breaches that occurred in 2022 pointed up how inadequate their protection is.
Two recent examples illustrate how secrets can be exploited in an attack:
Uber September 15, 2022: an attacker breached Uber and used hard-coded admin credentials to log into Thycotic, the firm’s Privileged Access Management platform. They pulled a full account takeover on several internal tools and productivity applications.
CircleCI December 29, 2022: an attacker leveraged malware deployed to a CircleCI engineer’s laptop to steal a valid, 2FA-backed SSO session. They could then exfiltrate customer data, including customer environment variables, tokens, and keys.
“Secret data, including tokens and keys found on open repositories such as GitHub, are easily re-sold (or in some cases, shared for free) on the darknet and deep web. There is an extensive amount of sensitive information available for download on the darknet and deep web, ranging in prices from free to several thousands of dollars.” Mark Turnage, DarkOwl CEO & Co-Founder
More than 80% of all the secrets caught by live monitoring GitHub are exposed through developers’ personal repositories, and a large share of them are, in fact, corporate secrets. Multiple hypotheses can explain why this happens. Of course, malicious behaviors cannot be discarded, including hijacking corporate resources and other shady motives. But the sheer scale of the phenomenon hints at something else: most of this happens because error is human and misconfiguring Git is easy.
“If a colleague in security said to me that secrets detection is not a priority, I would say that's a mistake. Most of the big security problems come from either social engineering attacks or credential stuffing. So, it's really important to know that your engineers and your employees are going to leak secrets. That's life. Most of the time, it's due to mistakes. But if it happens, we need to act on it. The more engineers there are, the more there is potential for leaks to happen.” Theo Cusnir - Application Security Engineer at PayFit
Like many other security challenges, poor secrets hygiene involves the usual trifecta of people, processes, and tools. Organizations serious about taming secrets sprawl must work simultaneously on all these fronts.
"Our mission is to secure code and the SDLC. We want to do it with a transparent, simple and pragmatic approach starting first with one of the most important issue in appsec: secrets in code". Eric Fourrier CEO
*Secret: In software development, secrets generally refer to digital authentication credentials that grant access to systems or data. These are most commonly API keys, usernames, passwords, or security certificates.
GitGuardian is the leader in automated secrets detection. The company has raised a $56M total investment from Eurazeo, Sapphire, Balderton, and notable tech entrepreneurs like Scott Chacon, co-founder of GitHub, and Solomon Hykes, co-founder of Docker.
GitGuardian Internal Monitoring helps organizations detect and fix vulnerabilities in source code at every step of the software development lifecycle. With GitGuardian’s policy engine, security teams can monitor and enforce rules across their VCS, DevOps tools, and infrastructure-as-code configurations.
Widely adopted by developer communities, GitGuardian is used by over 300 thousand developers and is the #1 app in the security category on the GitHub Marketplace. GitGuardian is also trusted by leading companies, including Instacart, Snowflake, Orange, Iress, Mirantis, Maven Wave, Payfit, and Bouygues Telecom.
GitGuardian brings security and development teams together with automated remediation playbooks and collaboration features to resolve incidents quickly and thoroughly. Organizations can achieve higher incident closing rates and shorter fix times by pulling developers closer to the remediation process.
Secrets detection engine
GitGuardian’s secrets detection engine has been analyzing billions of commits in production since 2017. From day one we began to train and benchmark our algorithms against open-source code. It allowed GitGuardian to build a language-agnostic secrets detection engine, integrating new secrets or new ways of declaring secrets really fast while keeping a really low number of false positives. We have developed the vastest library of specific detectors to detect more than 350 different types of secrets. Learn more about the inner workings and performance benchmarking of our detection engine in our blog.