New ‘Secrets Insights Across the Software Supply Chain’ Report from Apiiro’s Security Research Team Together with 15 Industry Experts Shows Critical Impacts of Secrets in Code
Apiiro, the leader in Cloud-Native Application Security, today announced the findings of its ‘Secrets Insights Across the Software Supply Chain’ report. Apiiro’s security research team, together with 15 industry experts, collaborated to deliver the industry’s first contextual secrets research in private repositories revealing the critical business impact of secrets in code.
In the era of agile and cloud-native application development, software engineers and DevOps teams are more empowered than ever before. They can set up cloud infrastructure and deploy code on their own, where previously they needed the help and approval of other departments.
As a result, risk is distributed across design, code, open-source packages, secrets, Infrastructure-as-Code, source control, CI/CD servers, and cloud infrastructure, which makes the remediation lifecycle longer and more complex.
One of the most common of these risks, and the root cause of several high-profile attacks on cloud-native applications, is secrets committed to code across the software supply chain.
Apiiro’s security research team, supported by a group of industry leaders and experts in the field, analyzed 25,000+ repositories from organizations ranging from small to large, covering 1,900,000+ commits and 820,000+ pull requests across the software supply chain. From the 45,000+ secrets detected, key insights include:
- Eight times as many exposed secrets in private repositories as in public repositories
- 50.67% of all secrets in private repositories are exposed secrets, immediately accessible to an attacker
- 38.15% of all secrets are in repositories that also contain PII
- 42.55% of all exposed secrets are plain-text passwords
- 34.34% of secrets are inserted in the first quarter of the year
- 79% of secrets are found in JSON and YAML files
Additional findings include:
- The Mean Time to Remediation (MTTR) for a secret is 90 days, meaning secrets typically sit in source code repositories for months before removal, leaving potentially sensitive data exposed for that entire period
- On average, 9.6% of developers who insert secrets account for more than half of secrets found across an entire organization
“The first ever contextual analysis of organizations’ internal repositories reveals the true magnitude of secrets in code,” said Moshe Zioni, Vice President of Security Research at Apiiro. “Our research team found eight times the amount of secrets in internal-facing repositories than previously reported on public repositories, a critical statistic for security teams looking to prevent a severe breach that can cause serious damage to an organization.”
Apiiro would like to thank all industry experts listed in this report for their contribution.
To read the full report, visit http://apiiro.com/secrets-insights-2022