GitGuardian gives 'voice' to AppSec on hard-coded secrets

Not a cyber security alert story per se: application security company GitGuardian has detailed its “Voice of Practitioners 2024” report, highlighting the current state of application security (AppSec), with a particular focus on secrets management and code robustness.

Conducted in partnership with CyberArk, this study suggests that “secrets leaks” are on the rise with many firms having experienced or been aware of secrets leaking within their organisation.

Consequently, investment in secrets management (i.e. secrets detection and remediation tools) may be increasing.

GitGuardian thinks that organisations are moving towards mature strategies and that firms have implemented at least a partially mature strategy to prevent secret leaks.

Confidence in secrets security remains high: 75% of respondents expressed moderate to high confidence in their organisation’s ability to detect and prevent hardcoded secrets in source code.

The average time to remediate a leaked secret stands at 27 days. However, GitGuardian’s data suggests that implementing secrets detection and remediation solutions can significantly reduce this time to approximately 13 days within a year.

Hard-coded secrets

Concerns regarding AI and supply chain risks are growing: 43% of respondents concerned about the potential for increased leaks in codebases highlighted the risk of AI learning and reproducing patterns that include sensitive information.

Additionally, 32% identified the use of hard-coded secrets as a key risk point within their software supply chain.

“The findings of our 2024 report underscore the escalating threat of secrets leaks and the need for robust, automated solutions to mitigate these risks,” said Eric Fourrier, GitGuardian CEO. “While the increasing investment in secrets management is encouraging, organisations must prioritise implementing comprehensive strategies that encompass early detection, rapid remediation, and a strong focus on developer education and best practices. It is crucial for businesses to proactively address these concerns and strengthen their security posture to safeguard their sensitive data and maintain their competitive edge.”

Kurt Sand, general manager for machine identity security at CyberArk, backs up Fourrier’s comments and says that it is encouraging that security leaders increasingly recognise the importance of securing machine identities and eliminating hardcoded secrets.

As the appetite for AI continues to drive the increase in machine identities, enterprises may now require automated machine identity security approaches that scale.