We live in the era of cyberattacks. From Microsoft to Crypto.com, no company is completely immune to attackers, and it seems like major new cyberattacks are announced weekly, if not more often. As more companies not only go digital but also expand their digital offerings and initiatives, attackers have more opportunities. Security teams in IT organizations work hard to keep their company out of the headlines. However, as the tech world moves towards everything as a service (IaaS, PaaS, SaaS, etc.), the transition to everything as code is happening in parallel. As a result, many developers unknowingly store sensitive data (secrets, passwords, certificates, keys, etc.) in Git source code repositories. This information is often released to production, which puts sensitive information at greater risk of disclosure.
The good news is that there is a way to securely lock secrets in source code. Let’s take a look at the complexity and realities of source code protection today and how to take the guesswork out of finding code at risk that could put your company on the front page tomorrow.
Managing secrets is difficult and expensive
Sophisticated attackers will stop at nothing to compromise valuable data assets. Leaking secrets from source code makes it easy for attackers to access applications using the same credentials that were intended for legitimate use.
In a continuous software development environment, developers must move quickly to create applications. However, the security teams expected to prevent breaches are often not well versed in all aspects of the Software Development Life Cycle (SDLC). This becomes a problem as the number of lines of code (and the secrets they contain) grows along with the number of applications developed. According to a recent 1Password report, “two in three (65%) of IT and DevOps employees believe their company has more than 500 secrets.” And according to the same report, “The average cost of leaking a secret is $1.2 million. Poor secret management can result in organizations losing $8.5 billion annually.” Secrets are vital to the creation of any related application or process. If hardcoded or left unprotected in source code, the proverbial keys to the kingdom can be exposed, and your loyal customers along with them.
Clearly, source code security should be a priority for security teams and DevSecOps. Let’s see how they can achieve this without sacrificing developer productivity.
How to Reduce Threats with Secret Management Best Practices
Manually searching for exposed secrets in source code repositories can be next to impossible. However, there are several recommendations that will help you detect such vulnerabilities in a timely and frequent manner:
● Discover and remove secrets in code: You cannot protect what you cannot see. It is important to have an understanding of the source code in order to see where vulnerabilities may exist. There are several ways to shed light on them. One is to manually scan the source code, but this takes valuable time that developers could spend on more innovative tasks. There are also open source solutions that can help with scanning source repositories, but as with all open source, developers will have to maintain them (keep them up to date, integrate them, etc.). Instead, security teams should consider a single toolkit platform to help identify and fix vulnerabilities in source code.
● Notification and fix in code repositories: Provide a developer or DevOps engineer with quick feedback before releasing code to production. The fix should happen at commit time. The idea here is to block the transfer of secrets to your source code repositories in the first place.
● Use a secrets management tool: Don’t store secrets or binaries in source code – nothing but code should be in your source code repositories. Move the secrets to a secrets manager (for example, HashiCorp Vault), a key and certificate manager (for example, Azure Key Vault), etc. Keep these managers modular and isolated, but make sure they can still interact with each other without exposing secrets.
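To make the commit-time blocking described above concrete, here is an added example of a Git pre-commit hook (written for this article, not a tool from the original page or any vendor) that scans only the staged diff and rejects the commit when an added line looks like a credential. The detection rules (an AWS access key ID format, a PEM private key header, and a high-entropy value assigned to a password/secret/token-style name) and the entropy threshold are illustrative assumptions, not an exhaustive rule set.

```python
import math
import re
import subprocess
import sys

# Illustrative detection rules (assumption: not exhaustive, tune per codebase).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)\b(?:password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}
ENTROPY_THRESHOLD = 3.5  # bits per character; random tokens score high, plain words low


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; used to separate real tokens from placeholders."""
    if not s:
        return 0.0
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)


def scan_diff(diff_text: str):
    """Return (file, added line, rule) findings for lines added in a unified diff."""
    findings, current_file = [], None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            current_file = line[4:].removeprefix("b/")  # new-side path of the hunk
            continue
        if not line.startswith("+"):
            continue  # only added lines can introduce a new secret
        added = line[1:]
        for rule, pattern in PATTERNS.items():
            match = pattern.search(added)
            if not match:
                continue
            # Skip low-entropy values such as "changeme" that are clearly placeholders.
            if rule == "generic_assignment" and shannon_entropy(match.group(1)) < ENTROPY_THRESHOLD:
                continue
            findings.append((current_file, added.strip(), rule))
    return findings


def main() -> int:
    # Only staged changes are examined, so the block happens before the commit exists.
    diff = subprocess.run(["git", "diff", "--cached", "--unified=0"],
                          capture_output=True, text=True, check=True).stdout
    findings = scan_diff(diff)
    for path, content, rule in findings:
        print(f"BLOCKED {path} [{rule}]: {content}", file=sys.stderr)
    return 1 if findings else 0  # non-zero exit aborts the commit


if __name__ == "__main__":
    sys.exit(main())
```

Install it by copying the script to `.git/hooks/pre-commit` and making it executable; a non-zero exit code makes Git refuse the commit, which is the "block at commit time" behaviour the recommendation calls for.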
As the number of cyberattacks continues to increase, it is imperative that security teams carefully examine source code to make sure it is securely locked down. In theory, secrets should be kept entirely outside the source code, but in practice this is difficult to ensure. Following the guidelines above will help reduce the risk of exposing sensitive data, and with it the risk of losing loyal customers and revenue.