
Apiiro Finds Private Code Repos More Hackable Than Public

9 Jun 2022 11:32am, by

No, that’s not a mistake. Apiiro, a cloud native application security company, found that private repositories contain eight times as many exposed secrets as public repositories. People, people, private does not mean secure. Never has, never will.

Underlining this fundamental truth that security by obscurity is no security at all, Apiiro’s security research team and outside experts discovered that just over half, 50.67%, of all secrets in private repositories are exposed secrets that are immediately accessible to an attacker. Worse still, for every 1,000 repositories with secrets, seven are exposed to anyone on the Internet.

Yack!

Finding Secrets

Of all the ways for your software supply chain to be hacked, exposed secrets must be one of the most embarrassing. I mean we all know that we shouldn’t put secrets such as passwords, API keys, and tokens in our code? Right? Right!?

Well, I guess not! Apiiro’s security research team and friends analyzed 25,000+ repositories, ranging from small to large organizations and including 1,900,000+ commits and 820,000+ pull requests across the software supply chain, and found that naked secrets were among the most common risks. On average, they found 3.28 secrets in each repository. When they focused only on repositories that contained secrets, they found 29.64 secrets per repository on average.

That’s way too many. Of those, 42.55% of all exposed secrets were — surprise! — plain text passwords. Most secrets, 79%, were hiding in plain sight in JSON and YAML files.

So, where do these come from? It turns out a small minority of developers, 6%, are responsible for all the misplaced secrets. And, of those, a mere 0.57% of developers account for over half, 56.6%, of all secrets. In short, there is a tiny number of programmers who need security remediation training.

Get Some Help

Or, just as important, since even smart developers can sometimes make dumb mistakes, use programs and services such as Portainer, Doppler, and Amazon CodeGuru Reviewer to find and manage secrets for you.
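As an added illustration, not code from the article or from any of the tools it names, here is a small pre-commit style scanner for exactly the pattern the report describes: sensitive keys holding literal values in JSON and flat YAML-style config, plus long high-entropy strings that look like tokens. The key patterns, placeholder list, entropy threshold and sample config are all my own assumptions.

```python
"""Flag plaintext credentials in JSON/YAML-style config before they reach a repository."""
import json
import math
import re
from collections import Counter

# Key names to check first; the report says passwords, API keys and tokens dominate (assumed patterns).
SENSITIVE_KEY = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key|private[_-]?key", re.I)
# Values that are references or placeholders rather than live secrets (assumed list).
PLACEHOLDER = re.compile(r"^(\$\{?[A-Z_]+\}?|<.*>|changeme|xxx+|\s*)$", re.I)
# Flat "key: value  # comment" lines; enough for typical YAML config, not a full YAML parser.
YAML_LINE = re.compile(r"^\s*([\w.-]+)\s*:\s*['\"]?([^'\"#\n]*?)['\"]?\s*(#.*)?$")

def shannon_entropy(s: str) -> float:
    """Bits per character: random tokens score high, words and hostnames score low."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values()) if s else 0.0

def _walk(node, path):
    """Yield (dotted.key.path, leaf_value) for every leaf in parsed JSON."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _walk(v, path + [str(k)])
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _walk(v, path + [str(i)])
    else:
        yield ".".join(path), node

def find_secrets(text: str, fmt: str) -> list:
    """Return (key, reason) pairs for values that look like live secrets; fmt is 'json' or 'yaml'."""
    if fmt == "json":
        pairs = list(_walk(json.loads(text), []))
    else:
        pairs = [(m.group(1), m.group(2)) for m in map(YAML_LINE.match, text.splitlines()) if m]
    hits = []
    for key, value in pairs:
        if not isinstance(value, str) or PLACEHOLDER.match(value):
            continue  # non-string, empty, env-var reference or placeholder
        if SENSITIVE_KEY.search(key):
            hits.append((key, "sensitive key with literal value"))
        elif len(value) >= 20 and shannon_entropy(value) > 4.0:
            hits.append((key, "high-entropy value"))  # threshold is an assumption
    return hits

# Constructed sample config, not real credentials.
SAMPLE_JSON = '{"database": {"host": "db.internal", "password": "hunter2"}, "api": {"key": "${API_KEY}"}}'
SAMPLE_YAML = "db:\n  host: db.internal\n  db_password: hunter2  # TODO move to vault\n" \
              "  token: ${DB_TOKEN}\n  blob: AbC9xYz12QwErTy34uIoP56\n"
```

Wire `find_secrets` into a pre-commit hook over staged `.json` and `.yaml` files and fail the commit on any hit; the environment-variable references it skips are the shape the secret should take instead.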

You must get on top of this problem. It’s bigger than we thought. As Moshe Zioni, Apiiro’s VP of Security Research, said, “The first-ever contextual analysis of organizations’ internal repositories reveals the true magnitude of secrets in code.”

Left unaddressed, Apiiro found the Mean Time to Remediation (MTTR) was 90 days. That’s much too long. These secrets lurking in source code repositories for months are bombs waiting to go off. You don’t want that. Nobody wants that.

You can read all about this and more in Apiiro’s Secrets Insights Across the Software Supply Chain report.

Featured image by Luke Chesser on Unsplash.