NHI2:2025
Secret Leakage
Unintended exposure of sensitive non-human identity credentials to unauthorized parties.

Details

Secret leakage is a pervasive problem in software development. Secrets such as API keys, database credentials, and encryption keys are routinely exposed by accident: committed to version control, written to logs, or kept in insecure storage. For non-human identities the consequence is direct: their credentials are usually long-lived, are not protected by a second factor, and are accepted by the target service from any network location, so whoever holds a leaked secret can act as that identity until the secret is revoked.

Example Scenario

Alice, a junior developer at FinTech Inc., is working on a new feature for their mobile banking app. In her excitement to share her progress, she pushes code to a public GitHub repository, unknowingly including AWS access keys in a configuration file. Within hours, the keys are discovered by an automated bot run by cryptojackers. They use the keys to spawn hundreds of EC2 instances for mining cryptocurrency, racking up tens of thousands of dollars in charges before the breach is detected. The incident leads to a security audit, revealing that the practice of hardcoding credentials was widespread across the organization. Note that once a key has been pushed, rewriting or deleting the commit does not undo the exposure: public pushes are copied by scanners within minutes and the history may already have been cloned, so the only effective remedy is to revoke and rotate the key.

Mitigation Strategies

  • Store secrets in a dedicated secret management tool (a vault or cloud secrets manager) and have workloads fetch them at runtime, instead of carrying them in code or configuration files
  • Run automated secret scanning in CI/CD pipelines so that a commit containing a credential fails the build before it reaches a shared branch
  • Educate developers about the risks of hard-coding secrets, and make it clear that a secret that has been pushed must be treated as compromised and rotated, not merely deleted from the repository

Best Practices

  • Load secrets from environment variables or a secure vault at runtime; the repository should contain only the reference (the variable name or vault path), never the value
  • Install a pre-commit git hook that blocks commits containing secrets; a client-side check catches the mistake before the secret leaves the developer's machine
  • Use tools like GitGuardian or TruffleHog to scan repositories for secrets, including the full commit history and not only the current tree
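The following pre-commit hook is an added example covering both the mitigation and the best-practice lists above; it is not code from OWASP, GitGuardian or TruffleHog. It scans what is staged in the git index for AWS access key IDs, literal values assigned to secret-looking names, and long high-entropy strings, while deliberately accepting the recommended pattern (a reference to an environment variable or vault path instead of the value). The regular expressions, the 4.0 bits/char entropy cut-off, the `pragma: allowlist secret` opt-out marker and the sample files are assumptions made for this example; the AWS values in the sample are the placeholder keys from AWS's own documentation, not live credentials.

```python
"""Pre-commit secret scanner (added example; not code from OWASP or any vendor).

Checks staged content for fixed-format AWS access key IDs, literal values assigned to
secret-looking names, and long high-entropy tokens. Findings are redacted so the hook's
own output cannot leak what it found.
"""
import math
import re
import subprocess
import sys
from collections import Counter
from dataclasses import dataclass

AWS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
SECRET_ASSIGN_RE = re.compile(
    r"(?i)([A-Za-z0-9_.\-]*(?:secret|password|passwd|token|api[_-]?key)[A-Za-z0-9_.\-]*)"
    r"""\s*[:=]\s*['"]?([^\s'"]{8,})""")
HIGH_ENTROPY_RE = re.compile(r"[A-Za-z0-9+/=_\-]{32,}")
ENTROPY_THRESHOLD = 4.0  # bits/char; base64-style key material sits above this (assumed cut-off)
# A value that only refers to a secret (env-var lookup, placeholder, dummy) is the recommended
# pattern and must not trip the scanner, or developers learn to ignore it.
SAFE_VALUE_RE = re.compile(
    r"(?i)^(?:\$\{?[A-Z_][A-Z0-9_]*\}?|os\.environ|os\.getenv|process\.env|vault:"
    r"|<[^>]*>|changeme|example|xxx+)")
ALLOWLIST_MARKER = "pragma: allowlist secret"  # assumed inline opt-out for reviewed lines


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    redacted: str  # first four characters only; never echo the full value into logs


def shannon_entropy(s: str) -> float:
    """Bits per character of the symbol distribution of s."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    return value[:4] + "..."


def scan_text(path: str, text: str) -> list[Finding]:
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ALLOWLIST_MARKER in line:
            continue
        flagged: list[str] = []  # values already reported on this line
        for m in AWS_KEY_ID_RE.finditer(line):
            flagged.append(m.group(0))
            findings.append(Finding(path, lineno, "aws-access-key-id", redact(m.group(0))))
        for m in SECRET_ASSIGN_RE.finditer(line):
            name, value = m.group(1), m.group(2)
            if SAFE_VALUE_RE.match(value):
                continue  # a reference to a secret, not the secret itself
            flagged.append(value)
            findings.append(Finding(path, lineno, "hardcoded-" + name.lower(), redact(value)))
        for m in HIGH_ENTROPY_RE.finditer(line):
            token = m.group(0)
            if any(token in v or v in token for v in flagged):
                continue  # a more specific rule already reported it
            if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                findings.append(Finding(path, lineno, "high-entropy-string", redact(token)))
    return findings


# Constructed samples; the AWS values are the placeholder keys from AWS's own documentation.
SAMPLE_CONFIG = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
db_password = ${DB_PASSWORD}
region = us-east-1
"""
SAMPLE_SOURCE = """\
import os
# Correct: the source holds a reference; the value is injected at runtime.
STRIPE_API_KEY = os.environ["STRIPE_API_KEY"]
# Wrong: literal token baked into the code (made-up value).
SLACK_TOKEN = "xoxb-not-a-real-token-0123456789abcdef"
"""


def staged_blobs():
    """Yield (path, content) for files in the index: what `git commit` is about to record."""
    def git(*args: str) -> str:
        return subprocess.run(["git", *args], check=True, capture_output=True,
                              text=True, errors="replace").stdout
    for path in git("diff", "--cached", "--name-only", "--diff-filter=ACM").splitlines():
        yield path, git("show", f":{path}")  # index version, not the working tree


def main(argv: list[str]) -> int:
    if "--demo" in argv:
        findings = scan_text("config.ini", SAMPLE_CONFIG) + scan_text("app.py", SAMPLE_SOURCE)
    else:
        findings = [f for p, c in staged_blobs() for f in scan_text(p, c)]
    for f in findings:
        print(f"{f.path}:{f.line}: {f.kind} ({f.redacted})", file=sys.stderr)
    if findings:  # once pushed, deleting the commit is not enough: rotate the key
        print("commit blocked: remove the secret; rotate it if it ever left this machine", file=sys.stderr)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it with `--demo` to see the constructed samples scored offline (two findings in the config, one in the source, and no finding for the `${DB_PASSWORD}` and `os.environ[...]` references); as a hook, save it as `.git/hooks/pre-commit` and make it executable. The scanner reads the index version of each file rather than the working tree, so what it judges is exactly what the commit would record, and it prints only the first four characters of anything it flags, since a hook that echoes the full secret into CI logs just creates a second leak.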

Related Risks

Improper Offboarding

Inadequate deactivation or removal of non-human identities when no longer needed....

Learn more about Improper Offboarding
Excessive Permissions

Non-human identities are granted more permissions than necessary for their intended functions....

Learn more about Excessive Permissions
Inadequate Rotation

Failure to regularly update or rotate credentials for non-human identities....

Learn more about Inadequate Rotation
Insecure Communication

Non-human identities communicate over insecure channels or without proper encryption....

Learn more about Insecure Communication