Managing various encryption keys and other secrets has always been painful for enterprise security managers. A new service from GitGuardian called Has My Secret Leaked attempts to bring some clarity to a market that is typically overlooked by many corporate application developers.
Ignorance brings peril, as can be most recently seen with Microsoft’s Storm-0558 breach from earlier this year. During that breach, which was attributed to Chinese hackers, one of its cryptographic keys was used to compromise a Microsoft employee’s account to steal data.
Last year, more than eight major breaches involved compromised secrets, including Samsung Electronics leaking secrets in March, Okta leaking GitHub repositories in December and Toyota’s leak in October.
These keys are found in numerous places in modern software, including application programming interface tokens, cloud services access credentials, general encryption keys and so forth. They have “a bad habit of getting exposed anywhere and everywhere – from code repositories to job logs and Atlassian Jira tickets and in assets you don’t own – such as personal GitHub projects of your developers,” GitGuardian’s Ziad Ghalleb wrote in a blog post explaining their new service. The company has a long history of uncovering secret keys: It finds more than 27,000 secrets daily by scanning various app repositories in GitHub alone.
The new leaked-secrets service is simple to use: A copy of the secret is pasted into a query box and the system reveals whether it has been seen on the dark web or in any other public context. What is different about the service is that it specifically looks for these secrets, which seems like an obvious feature but hasn’t been packaged in this way previously.
Think of Have I Been Pwned, the service that Troy Hunt runs, which searches for exposed account passwords, as an analog. The new secrets service allows five free tries before a user needs to set up an account.
The free accounts, which need to be authenticated to a valid email address, allow for 30 daily credits, with paid accounts offering more frequent queries. There are also business accounts that allow 1,000 daily credits, which can be shared across at most 25 developers. The account requirement was put in place to block malicious anonymous usage.
Many developers take the lazy approach and hard-code secrets directly in their source files, which makes their code easier to compromise. There are plenty of services that can better protect corporate secrets, usually called key management services. All of the major cloud providers have their own offerings, but typically these are intended to manage only their own cloud services.
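To make the hard-coding problem concrete, here is a small added example (not GitGuardian's code or the article's) of the kind of check a repository scanner performs: it runs two assumed, simplified token-format patterns and a credential-assignment pattern over constructed sample source lines, scores each hit with Shannon entropy, and redacts the value before reporting it. The line that reads the key from the environment is deliberately left unflagged to show the hardened alternative.

```python
import math
import re

# Constructed sample source (placeholder values, not real credentials): the
# kind of hard-coded secrets developers leave in their files.
SAMPLE_SOURCE = """\
AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE01"
db_password = "hunter2"
GITHUB_TOKEN = "ghp_ExampleExampleExampleExampleExam1234"
api_key = os.environ["API_KEY"]
version = "1.2.3"
"""

# Assumed, simplified formats for two common token types; a production
# scanner carries many more detectors than this.
PATTERNS = {
    "aws_access_key": re.compile(r"AKIA[0-9A-Z]{16}"),
    "github_pat": re.compile(r"ghp_[A-Za-z0-9]{36}"),
}
# A quoted literal assigned to a credential-looking variable name.
ASSIGNMENT = re.compile(
    r"""(?i)(password|passwd|secret|token|api_key)\w*\s*=\s*["']([^"']+)["']"""
)


def shannon_entropy(s: str) -> float:
    """Bits per character: random-looking keys score high, dictionary words low."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))


def redact(value: str) -> str:
    """Never echo a whole secret into a report or log; keep only a short prefix."""
    return value[:4] + "*" * (len(value) - 4) if len(value) > 4 else "****"


def scan(source: str):
    """Return (line_no, detector, redacted_value, entropy) for each suspected secret."""
    findings = []
    for n, line in enumerate(source.splitlines(), 1):
        seen = set()
        for name, pat in PATTERNS.items():
            for m in pat.finditer(line):
                val = m.group(0)
                seen.add(val)
                findings.append((n, name, redact(val), round(shannon_entropy(val), 2)))
        m = ASSIGNMENT.search(line)
        if m and m.group(2) not in seen:  # os.environ[...] is not a quoted literal
            val = m.group(2)
            findings.append((n, "hardcoded_credential", redact(val), round(shannon_entropy(val), 2)))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_SOURCE):
        print(finding)
```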
There are also a number of companies that offer more comprehensive products, including Akeyless, Virtru Corp.’s Private Keystore, HashiCorp’s Vault and Thales SA’s CipherTrust Secrets Management. GitGuardian also has a more comprehensive secrets management service that competes with these other vendors.
These products incorporate a variety of protective measures (think of a password manager as an analog), so developers don’t have to remember the secret keys, remember to change them periodically, which is always good security practice, or ensure that they are unique. Given that these keys are long strings of random characters and symbols, they can’t easily be remembered anyway.