Organizations leaked more than 6 million passwords, API keys, and other sensitive data — collectively known as development “secrets” — in 2021, doubling the number from the previous year, according to a new GitGuardian report published today. The report accounted for the fact that more code is being pushed to repositories and better detection capabilities are available.
On average, the company found that three out of every 1,000 commits to GitHub leaked a secret, a frequency 50% higher than 2020. More than half of the secrets consisted of credentials for accessing data storage services, cloud providers, a private encryption key, or a development tool, while another 10% consisted of credentials for messaging systems and version-control platforms.
Leaking sensitive access information to potential attackers undermines the security of corporate networks and infrastructure, says Mackenzie Jackson, a developer advocate at GitGuardian. The term “secret” refers to any digital authentication credentials that “grant access to services, systems, and data,” including API keys, application or service credentials, and security certificates, GitGuardian says.
“In almost all attacks, secrets are used in one way or another, perhaps not as initial access, but certainly to elevate attackers’ privileges and move into different systems,” Jackson says. “We were honestly surprised to see this drastic increase, but obviously it comes down to the increased amount of technology that developers are handling and other factors, such as remote work.”
The report follows some significant breaches in 2021 where secrets were leaked. A year ago, attackers exploited a vulnerability in the way code-checking firm CodeCov created Docker images, modifying an upload tool to also send credentials to the attackers, likely compromising the development processes of hundreds of companies. In another breach, attackers leaked the source code from game-streaming site Twitch, exposing more than 6,000 Git repositories and 3 million documents, and leaking more than 6,600 development secrets that could have been used for further breaches.
Leaked Secrets an Overwhelming Problem
Overall, a typical company with 400 developers scanning its repositories discovered 1,050 unique secrets left behind in developers’ code, according to GitGuardian report. The company stresses that finding and remediating leaked secrets is beyond the capabilities of the AppSec professionals tasked with keeping development projects secure. On average, each application-engineer at a company has to deal with more than 3,400 leaked secrets, Jackson says.
“It is really an impossible task — they are totally overwhelmed by the problem,” he says. “To solve this, we have to introduce some shared responsibility to developers, we need to empower developers with tools, and we need to have education.”
GitGuardian expanded its analysis this year to public Docker images and organizations’ private repositories. In addition, the company has more than 350 different patterns for detecting secrets, up from the 250 detectors used in 2020. Many developers pay less attention to secret management for private repositories, believing that even if exposed, the secrets would not be made public. However, code tends to spread across an organization, Jackson says.
“The reality is that code today, it will go into your private repository, then it will be cloned on all your developer machines — maybe their personal and professional machines — and then be shared across messaging systems,” he says. “So it is easy to lose track of every place the code goes.”
Leaks in private repositories accounted for the vast majority of incidents, according to the GitGuardian report, with 85% of leaked credentials to access the Azure cloud, for example, happening in private repositories.
Personal Projects Affect Enterprises
Another interesting finding from the report is that developers tend to leak the most secrets on the weekends and public holidays, suggesting that they are less careful — or have fewer security checks—on their personal projects.
However, those leaks still put companies’ security at risk, Jackson says.
“GitHub is quite unique in the sense that if you have an account on GitHub.com, and if your organization is using GitHub, then you can use the same account for both, creating a weird confusion between what is work and what is personal development,” he says. “So there is a lot of crossover in what we are seeing — corporate keys being leaked in personal git repositories.”
Companies should involve developers more closely with application security and create a shared responsibility model, GitGuardian states in the report. Involving a developer results in closing 72% more incidents and remediating twice as fast than when AppSec professionals have to go at it alone.
“By integrating vulnerability scanning into the development workflow, security isn’t a bottleneck anymore — you can help developers catch vulnerabilities at the earliest stage and considerably limit remediation costs,” the report states. “This is even more true for secrets detection, which is very sensitive to sprawling.”
