
Apiiro Finds Private Code Repos More Hackable Than Public

Apiiro, a cloud native application security company found that there are eight times the number of exposed secrets in private repositories than in public repositories.
Jun 9th, 2022 11:32am by
Featured image by Luke Chesser on Unsplash.

No, that’s not a mistake. Apiiro, a cloud native application security company, found that there are eight times the number of exposed secrets in private repositories than in public repositories. People, people, private does not mean secure. Never has, never will.

Underlining this fundamental truth that security by obscurity is no security at all, Apiiro’s security research team and outside experts discovered that just over half, 50.67%, of all secrets in private repositories are exposed secrets that are immediately accessible by an attacker. Worse still, for every 1,000 repositories with secrets, seven are exposed to anyone on the Internet.

Yack!

Finding Secrets

Of all the ways for your software supply chain to be hacked, exposed secrets must be one of the most embarrassing. I mean, we all know that we shouldn’t put secrets such as passwords, API keys, and tokens in our code, right? Right!?

Well, I guess not! Apiiro’s security research team and friends’ analysis of 25,000+ repositories ranging from small to large organizations, including 1,900,000+ commits and 820,000+ pull requests across the software supply chain, found naked secrets were among the most common risks. On average, they found 3.28 secrets in each repository. When they focused on repositories with secrets, they discovered 29.64 secrets per repository on average.

That’s way too many. Of those, 42.55% of all exposed secrets were — surprise! — plain text passwords. Most secrets, 79%, were hiding in plain sight in JSON and YAML files.

So, where do these come from? It turns out a small minority of developers, 6%, are responsible for all the misplaced secrets. And, of those, a mere 0.57% of developers account for over half, 56.6%, of all secrets. In short, there are a tiny number of programmers who need security remediation training.
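Since most of the secrets in the report sat in JSON and YAML files, and the largest share were plain text passwords, the cheapest defensive check is a scanner over exactly those file types. This is an added example, not Apiiro’s tooling or anything from the report: the key list, the placeholder patterns and the entropy threshold are assumptions, and the sample config contents are constructed.

```python
import math
import re
from pathlib import Path

# Keys that commonly hold credentials in config files (assumed list for this example).
SECRET_KEY_RE = re.compile(r"password|passwd|secret|api[_-]?key|token|private[_-]?key", re.I)
# `key: value`, `"key": "value"` and `key=value`, covering YAML and JSON lines.
KV_RE = re.compile(r'^\s*"?([\w.\-]+)"?\s*[:=]\s*"?([^",\s][^",]*?)"?\s*,?\s*$')
# References and placeholders are not secrets: ${VAR}, <fill in>, ****, changeme.
PLACEHOLDER_RE = re.compile(r"^(\$\{[^}]*\}|<[^>]*>|\*{3,}|x{3,}|changeme|null|none|true|false)$", re.I)

def shannon_entropy(value):
    """Bits per character: random tokens score high, words and hostnames score low."""
    if not value:
        return 0.0
    probs = [value.count(c) / len(value) for c in set(value)]
    return -sum(p * math.log2(p) for p in probs)

def scan_text(text, filename="<constructed>"):
    """Return (filename, line_no, key, reason) for lines that look like committed secrets."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = KV_RE.match(line)
        if not m or PLACEHOLDER_RE.match(m.group(2)):
            continue
        key, value = m.groups()
        if SECRET_KEY_RE.search(key):
            findings.append((filename, line_no, key, "credential key with literal value"))
        elif len(value) >= 20 and " " not in value and shannon_entropy(value) > 4.0:
            findings.append((filename, line_no, key, "high-entropy literal"))
    return findings

def scan_repo(root):
    """Scan every JSON/YAML file under root, the file types where most secrets were found."""
    paths = [p for p in Path(root).rglob("*") if p.suffix.lower() in {".json", ".yaml", ".yml"}]
    return [f for p in paths if p.is_file() for f in scan_text(p.read_text(errors="replace"), str(p))]

# Constructed sample inputs, not taken from the report.
SAMPLE_YAML = "db_host: db.internal\ndb_password: hunter2\napi_key: ${API_KEY}\ntoken: <paste token here>\n"
SAMPLE_JSON = """{
  "username": "svc-deploy",
  "password": "S3cretP@ss!",
  "signing_key": "QmFzZTY0RW5jb2RlZFJhbmRvbUtleVZhbHVlMTIz",
  "region": "us-east-1"
}"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_YAML, "config.yaml") + scan_text(SAMPLE_JSON, "settings.json"):
        print(finding)
```

Run `scan_repo(".")` from a checkout to list hits across the tree; the `${VAR}` and `<...>` lines are skipped because referencing a secret from the environment is the pattern you want, while a literal next to a credential-named key is the one the report counts.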

Get Some Help

Or, just as important since even smart developers can sometimes make dumb mistakes, use programs and services such as Portainer, Doppler, and Amazon CodeGuru Reviewer to find and manage secrets for you.

You must get on top of this problem. It’s bigger than we thought. As Moshe Zioni, Apiiro’s VP of Security Research, said, “The first-ever contextual analysis of organizations’ internal repositories reveals the true magnitude of secrets in code.”

When these secrets were left unaddressed, Apiiro found the Mean Time to Remediation (MTTR) was 90 days. That’s much too long. These secrets lurking in source code repositories for months are bombs waiting to go off. You don’t want that. Nobody wants that.

You can read all about this and more in Apiiro’s Secrets Insights Across the Software Supply Chain report.
