Supply chain security has been a big topic of conversation over the past few years, and while many conversations have revolved around insecure third-party components in codebases, there is another part of the supply chain that could have a negative impact if not properly secured: secrets.
Max Power of Bitwarden, the maker of a secrets manager product, said that from a development perspective, secrets include things like API keys, certificates, and SSH keys.
“Any chain is only as strong as its weakest link,” Power said. “The same applies to organizations. In the past, we’ve seen multiple examples of massive data breaches as a result of accidentally leaked secrets, especially secrets that were either hard-coded or pushed into Git repos.”
According to GitGuardian's 2024 State of Secrets Proliferation Report, 12.7 million secrets were exposed in public GitHub commits in 2023, a 28% year-over-year increase. Over the past four years, the leak problem has quadrupled, up from only 3 million leaks detected in 2020.
Power says that when it comes to security, everyone must take responsibility for the codebase, from development to production to deployment, and ensure that secrets aren't hard-coded.
According to Brian Vallelunga, founder and CEO of the secrets management company Doppler, there are many ways developers share and store secrets, and some are better than others. The least secure method is to store them in files on your computer. Unfortunately, Bitwarden's Power says this is one of the most common ways secrets are stored.
A step beyond that, Vallelunga explained, is storing secrets in a cloud provider's tools or building your own. Developers might store secrets in a built-in AWS tool, for example, but that becomes difficult because it ties all of your secrets to one tool. Then there are companies that build their own internal tools for this purpose, but those eventually run into scalability issues, he said.
The most secure method would be to use a dedicated secret management service provider designed for this specific purpose. Vallelunga explained that some of the additional benefits of using these tools are that they facilitate sharing between teams and also offer things like access control, auditing and automated synchronization.
To put this into a real-life example, let’s say you’re integrating with a service like Stripe, which requires you to have an API key that’s needed throughout the development lifecycle, explained Nic Manoogian, engineering manager at Doppler.
“So local developers, if I’m going to integrate with this new service, I need a test environment to try these things out,” he said.
He said secrets tend to be more secure in production environments at companies with mature security practices, but less so in local development environments. “Maybe your company has a really mature process for managing secrets in these higher-end environments and these deployments, but in local development environments, it’s like, well, I don’t know, call your manager and ask for an .env file, or we’ll just check it in the code. And that comes with a whole bunch of other problems,” Manoogian said.
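The hard-coded Stripe key, the .env file checked into the repo, and the secrets pushed to Git repos described above are exactly what a pre-commit secret scan is meant to catch before the commit leaves the developer's machine. The following is an added example, not code from the article or from Bitwarden, Doppler, or GitGuardian: a small scanner run over a constructed set of staged files, with all key formats treated as assumptions and every path and value fabricated for illustration.

```python
import math
import re
from collections import Counter

# Rules for well-known key formats plus a generic "secret-looking assignment" (assumed formats).
PATTERNS = {
    "stripe_secret_key": re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{16,}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "secret_assignment": re.compile(r"(?i)\b(?:api[_-]?key|secret|token|password)\s*[=:]\s*['\"]?([A-Za-z0-9+/_\-]{16,})"),
}
ENV_FILE = re.compile(r"(^|/)\.env(\..+)?$")  # .env, .env.local, config/.env ...

def shannon_entropy(s):
    # Bits per character; placeholders such as "aaaaaaaa" score near 0.
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def scan_line(path, lineno, line):
    findings = []
    for rule, pattern in PATTERNS.items():
        m = pattern.search(line)
        if not m:
            continue
        if rule == "secret_assignment" and shannon_entropy(m.group(1)) < 3.5:
            continue  # low-entropy value: almost certainly a placeholder, not a real secret
        findings.append({"rule": rule, "file": path, "line": lineno})
    return findings

def scan_staged(files):
    """files: path -> content about to be committed (a real hook would read `git diff --cached`)."""
    findings = []
    for path, content in files.items():
        if ENV_FILE.search(path):
            findings.append({"rule": "env_file_committed", "file": path, "line": 0})
        for lineno, line in enumerate(content.splitlines(), 1):
            findings.extend(scan_line(path, lineno, line))
    return findings

# Constructed sample commit; every path and value below is fake.
SAMPLE_COMMIT = {
    "app/billing.py": 'STRIPE_KEY = "sk_test_EXAMPLEkey0000000000001"\n',
    ".env": "DATABASE_URL=postgres://localhost/dev\n",
    "config/settings.py": (
        'API_KEY = os.environ["API_KEY"]  # read at runtime, not hard-coded\n'
        'password = "aaaaaaaaaaaaaaaaaaaa"\n'
        'TOKEN = "xq7Pk2mN9vL4wR8tY1zB3cD5"\n'
    ),
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\n...\n",
}
```

Running `scan_staged(SAMPLE_COMMIT)` reports the Stripe key, the committed .env file, the high-entropy token and the private key, while the runtime `os.environ` lookup and the all-"a" placeholder are left alone.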
Vallelunga believes that to implement good secrets management practices successfully, teams should put as many safeguards in place as possible and fit them into their existing workflows, so that things are as easy as possible for developers.
When developers feel they have to start using shortcuts to get things done faster, that’s when security incidents happen, he explained.
Vallelunga believes that as organizations begin to grow and mature, they tend to take a closer look at risk and thus address their secrets management issues.
“I think companies go two ways, the first way is to build something that’s valuable,” he said. “And once they get to that point, it’s to protect a thing that’s valuable as it grows. And when they get into that protection mode, they start looking at all areas of risk. And when you’re looking at the keys to your digital kingdom, that’s probably one of the biggest areas of risk you can have. And that’s when companies really start thinking about it.”