The Challenge of Permissions for Non-Human Entities: Understanding the Delays in Credential Remediation

Rising Threat of Secrets Sprawl: Key Findings from GitGuardian and CyberArk Research

Recent research by GitGuardian and CyberArk highlights a concerning trend in the cybersecurity landscape, with 79% of IT decision-makers reporting that they have experienced a secrets leak, up from 75% the year prior. The data is alarming, revealing that over 12.7 million hardcoded credentials are exposed in public GitHub repositories, the highest level ever recorded. More troubling still, more than 90% of the valid secrets found remained exposed for over five days before being addressed.

The average time taken to remediate leaked credentials stands at 27 days, according to the same report. This delay, coupled with the fact that non-human identities (NHIs) outnumber human identities by at least 45:1, underscores the urgency for organizations to manage this escalating machine identity crisis. Unfortunately, many teams remain unclear about who is responsible for securing these identities, creating an environment ripe for risk.

The difficulty in rotating credentials stems largely from unclear permission settings, which dictate what actions an entity (such as a Kubernetes workload or a microservice) is allowed to perform. Effective remediation of secrets sprawl requires replacing each secret without disrupting the services that depend on it and without inadvertently broadening its permissions, which would introduce new vulnerabilities. Organizations without full visibility into their non-human identities may find this task time-consuming and complex, particularly when the original developers are no longer available to explain what a credential was used for.

GitGuardian’s analysis identifies that secrets sprawl encompasses a wide variety of sensitive credentials distributed across development environments, repositories, and platforms like Slack or Jira. A significant portion of the responsibility for remediation, roughly 65%, is believed to rest on IT security teams. Simultaneously, 44% of IT leaders report that developers often fail to adhere to best practices in secrets management, highlighting a critical gap in control and accountability.

Developers face immense pressure to deliver features rapidly, which often leads to the hasty granting of overly broad permissions. The bureaucracy of permissions management is time-consuming and diverts attention from development tasks. Access configurations for services like AWS and GitHub can be intricate, frequently requiring developers to learn complex systems. Consequently, many end up granting unnecessary permissions, with only about 2% of the permissions allocated actually being used.
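A concrete version of the right-sizing step the two preceding paragraphs describe, as an added example that is not from the GitGuardian/CyberArk report or either vendor's tooling: it compares the actions an IAM-style policy grants with the actions an audit log shows the identity actually performing, lists the grants that were never used, drafts a replacement policy limited to the observed actions, and checks that the replacement does not broaden the original. The policy, the log lines and their CloudTrail-like field names are constructed for the example.

```python
import fnmatch, json
from collections import Counter
# Constructed policy: a typical "just make it work" grant for a CI workload.
GRANTED_POLICY = {"Statement": [{"Effect": "Allow", "Resource": "*",
                                 "Action": ["s3:*", "sqs:SendMessage", "iam:PassRole"]}]}
# Constructed audit-log lines (CloudTrail-like eventSource/eventName pairs).
AUDIT_LOG = """\
{"eventSource": "s3.amazonaws.com", "eventName": "GetObject"}
{"eventSource": "s3.amazonaws.com", "eventName": "PutObject"}
{"eventSource": "s3.amazonaws.com", "eventName": "GetObject"}
{"eventSource": "sqs.amazonaws.com", "eventName": "SendMessage"}
{"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole"}
"""

def observed_actions(log_text):
    """Count the 'service:Action' pairs the identity actually performed."""
    counts = Counter()
    for line in filter(str.strip, log_text.splitlines()):
        ev = json.loads(line)
        counts[f"{ev['eventSource'].split('.')[0]}:{ev['eventName']}"] += 1
    return counts

def granted_patterns(policy):
    """Flatten Allow statements into action patterns ('s3:*' style wildcards)."""
    pats = []
    for st in policy["Statement"]:
        if st["Effect"] == "Allow":
            acts = st["Action"]
            pats.extend([acts] if isinstance(acts, str) else acts)
    return pats
def matches_any(action, patterns):
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)

def analyze(policy, log_text):
    """Split grants into used/unused and draft a least-privilege replacement."""
    used, pats = observed_actions(log_text), granted_patterns(policy)
    covered = sorted(a for a in used if matches_any(a, pats))
    return {
        "used": covered,
        # Grants no observed action ever matched: drop them when the credential is rotated.
        "unused_grants": [p for p in pats if not any(fnmatch.fnmatchcase(a, p) for a in used)],
        # Observed but not granted here: another policy or identity is involved, investigate.
        "unmatched": sorted(set(used) - set(covered)),
        # Wildcards collapse to exactly the actions seen; Resource stays '*', scope it next.
        "least_privilege": {"Statement": [{"Effect": "Allow", "Resource": "*", "Action": covered}]},
    }

def broadened_actions(old_policy, new_policy):
    """Actions the replacement grants that the old policy did not: must be empty for a safe rotation."""
    return sorted(a for a in granted_patterns(new_policy) if not matches_any(a, granted_patterns(old_policy)))
```

Feed it a log window long enough to cover scheduled and rarely triggered jobs, otherwise legitimately needed actions will show up as unused grants.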

Security teams can’t rectify these issues alone, as they lack the granular project and context-level insights necessary for effective secrets management. The fragmentary nature of access controls across different teams can exacerbate these vulnerabilities, leaving outdated credentials active for extended durations and complicating the identification of legitimate versus fraudulent access.

To combat these challenges, a shared responsibility model between developers and security teams is essential. This approach would see developers taking an active role in managing permissions while utilizing appropriate tools like CyberArk’s Conjur Secrets Manager or Vault by HashiCorp. Such collaboration can streamline the documentation necessary for project management, which in turn would facilitate quicker audits and remediation of leaked credentials.

Ultimately, fostering this joint effort not only promotes security but also enhances productivity, ensuring that security protocols do not inhibit development timelines. Businesses need to be proactive, adopting robust secrets management strategies and clear lines of responsibility, to mitigate risks associated with secrets sprawl. The stakes are high, and addressing these vulnerabilities is critical in safeguarding organizational data assets and maintaining trust in operational capabilities.

As businesses navigate this complex landscape, GitGuardian is actively developing advanced tooling to manage secrets security effectively. This first step can help organizations understand their exposure to plaintext, long-lived credentials and take measures to eradicate potential threats. Maintaining vigilance in this area is paramount to ensuring a safer cybersecurity posture.
