In the software development life cycle (SDLC), 85% of leaking secrets come from developers sharing information on public personal accounts.
This goes to show just how important it is to have the proper training, procedures, and tools in place when it comes to combatting secret sprawl and leaks in your SDLC.
SecureWorld welcomed Mackenzie Jackson, a Developer Advocate for GitGuardian, to present the webinar, Is Your Software Development Life Cycle Protected Against Secret Sprawl?
When it comes to modern applications, every organization has multiple programs, systems, and software. Not to mention, there are many departments encountering each tool. This shift in technology sometimes creates a cluttered environment, especially in terms of preventing possible leaks or breaches. According to Jackson:
"Today, we leverage so much of these micro services and external services like SaaS and other tools, and developers have access to so much more sensitive information that they need to keep track of. API keys and credentials, the secrets and the code itself and why this is a bit of a problem is because code, as we know, is a leaky asset."
In this informative talk, Jackson addressed several key aspects for protecting against secret sprawl, including several ways to actively prevent it.
Here's a few ways you can help your organization by implementing these tools and procedures.
In order to secure your secrets, Jackson recommends using a KMS or vault to handle information that is highly sensitive.
GitHub has accounts for both confidential activities as well as public ones, making it easy to accidentally leak secrets. Jackson said:
"This makes it really easy to make a mistake and push code that's meant to be for a private repository belonging to your organization into a personal public one. It is almost never malicious that an employee will deliberately leak the AWS key into GitHub, but by accidentally pushing into the wrong places."
Make it trickier for information to leak by rotating log-in handles frequently.
Jackson noted sometimes he disagrees with other professionals on this matter, but he is adamant that this helps eliminate leaking secrets.
"If a secret does leak out, then it doesn't allow the attacker to move laterally through systems to elevate their privileges.”
As a developer advocate for GitGuardian, automated detection is a point Jackson feels particularly passionate about when it comes to defending against secret sprawl.
"We all know we cannot reduce the risk down to zero; this is a pipe dream. And while we should strive for it, of course, it's never going to be a reality. So, what we need to do is make sure that we're alerted when the keys of our kingdoms do accidentally leak out into these public places or even into our private repositories.
What we've talked about in Git, and the history and going through it in the code reviews, is that this is absolutely a job for an automated tool, not manual processes. It's too cumbersome on the developers; no one's going to want to go through 4,000 commits to make sure that there isn't a secret in there."
From the causes of secret sprawl in the software development process life cycle (SDLC) to mitigating the risk, there was much more to this conversation. If you missed the webinar, check out the session on-demand here.
Attendees of SecureWorld webinars earn CPE credits. Find more SecureWorld webinars on other topics here.