Skip to main content
banner image
venafi logo

Leaked Development Secrets Threaten the Security of Apps and Data

Leaked Development Secrets Threaten the Security of Apps and Data

April 5, 2021 | Anastasios Arampatzis

According to a recent report by GitGuardian, every single day more than 5,000 development secrets - private keys, database connection strings, certificates, and passwords – are leaked in GitHub repositories threatening the security of applications and sensitive data.

Git repositories are skyrocketing

GitHub is the place for software developers to showcase their work and contribute to millions of projects that form the building blocks modern software development is built upon. GitHub has named this universe as “octoverse” and according to a recent report, this amazing “octoverse” gathers more than 50 million developers working on their personal or professional projects.

Development activity on GitHub has skyrocketed during 2020, with the number of repositories increasing by 35% and the average active user contributing 25% more to open source projects, according to the GitHub "State of the Octoverse" report.

"Open source is the connective tissue for much of the information economy," states GitHub. "You would be hard-pressed to find a scenario where your data does not pass through at least one open source component. Many of the services and technology we all rely on, from banking to healthcare, also rely on open source software."

“Secrets sprawl” is a real threat

With such a vast resource of data publicly available, there is also a huge number of sensitive data that is unknowingly or accidentally pushed to the platform. This data is secrets like API keys, credentials, and other digital authentication strings. The threat is that these secrets can be used by attackers to gain access to infrastructure, systems and PII. A public repository is the worst place for a secret to end up because code is so widely distributed through GitHub and git keeps a complete record of a repository's history.

The problem is much worse than many may anticipate. According to the “State of Secrets Sprawl on GitHub” report by GitGuardian, more than 5,000 passwords, private keys, and other development "secrets" are leaked every day when programmers push code to online repositories — a year-over-year increase of 20%. Leaked secrets make the software and the developer's infrastructure more susceptible to attacks.

"Cybersecurity is largely about human mistakes," says Jeremy Thomas, CEO of GitGuardian. "This is still a rare event that we are preventing but a serious one, and developers have to assume that they are going to make mistakes."

In addition, GitGuardian highlights that developers often use the same account for personal and corporate developments. 85% of leaked secrets occur in the developers’ personal repositories, while 15% affected the public repositories owned by businesses.

"Secrets present in all these repositories can be either personal or corporate and this is where the risk lies for organizations as some of their corporate secrets are exposed publicly through their current or former developers’ personal repositories," states the GitGuardian report.

The most common types of secrets leaked in public repositories include Google keys, which accounted for 28% of leaked secrets, development tools at 16%, and databases and data storage keys at 15%. Leaked secrets were discovered in a wide array of file extensions, which can be grouped into three main categories:

  • Programming languages: Python, JavaScript, PHP, TypeScript
  • Data serialization files: JSON, XML, YAML, .properties
  • Forbidden or sensitive files: .env, .pem
Reasons for leaked secrets

Besides using the same account for accessing personal and corporate repositories, the report indicates that secrets are leaked mostly because of unintentional, not malevolent, mistakes, including:

  • Git misconfiguration and pushing wrong data.
  • Forgetting that the entire git history is still publicly visible even if sensitive data has since been deleted from the actual version of source code.

A common mistake made by many software developers is that they keep keys and passwords for various resources in an insecure location to make it easier to change the code. However, doing so often results in the information mistakenly being published. Cybercriminals and nation-state actors often scan GitHub and other repositories to find mistakenly leaked information.

"Keeping secrets encrypted and tightly wrapped makes it harder for developers to both access and distribute them," GitGuardian states in the report. "This can lead developers to choose the path of least resistance when handling them which may include hardcoding them into source code, distributing them through email or messaging systems like Slack, saving them directly into config files and storing them inside internal wikis."

What can be done?

With the expansion of git repositories and the complexity of open source software supply chains, it is become quite difficult to totally avoid the risks of secrets exposure. However, there are certain best practices that businesses can follow to limit the risk of secrets exposure or the impact of a leaked credential:

  • Never store unencrypted secrets in .git repositories.
  • Don’t share your secrets unencrypted in messaging systems like Slack.
  • Store secrets safely.
  • Restrict API access and permissions.

Venafi’s CodeSign Protect secures your code signing private keys, automates approval workflows, and maintains an irrefutable record of all code signing activities. Reach out to Venafi’s experts to learn how you can secure your software development lifecycle.


Related Posts

Like this blog? We think you will love this.
Featured Blog

Applying Identity to DevSecOps Processes

Identity Means Secrets

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

Anastasios Arampatzis
Anastasios Arampatzis

Anastasios Arampatzis is a retired Hellenic Air Force officer with over 20 years of experience in evaluating cybersecurity and managing IT projects. He works as an informatics instructor at AKMI Educational Institute, while his interests include exploring the human side of cybersecurity.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud

Venafi Cloud manages and protects certificates

* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
* Please fill in this field
* Please fill in this field
* Please fill in this field

End User License Agreement needs to be viewed and accepted

Already have an account? Login Here

get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more