Top 10 Most Common Software Supply Chain Risk Factors
Imagine a world where a single line of code, tucked away in a common library or framework, could bring your entire digital world to a screeching
The Beginner’s Guide to Preventing Data Breaches in Your Code
Quick announcement: with SpectralOps you can prevent data breaches by protecting your code from hard coded secrets and misconfigurations.
You know how it goes: Every website, app, or service you sign up for in your private and professional life asks you to create a password and/or provide another identification method. It can be a lot to keep track of.
It should come as no surprise, then, that there’s noticeable growth in the adoption and use of free or paid personal password manager services, from 12% of US internet users using a password manager in 2017 to 23% earlier this year, based on survey results.
For example, one such service, LastPass, recently reached 25 million active users and reported survey results demonstrated that 23% of business employees worldwide use a password manager app on their smartphones.
However, personal password and account management aside, how do we, as developers or security experts and in the context of our professional responsibilities, protect the secrets our organization relies on during the development process?
What is a secret?
Secrets are digital credentials that support both human-to-application and application-to-application access permission. There are several different types of secrets used in application-to-application access permission. Some examples are passwords, certificates, encryption keys, API keys, and SSH keys.
Below, we focus on the application-to-application secret management use case.
SSH key:
GitHub key:
RSA private key:
What is secret management?
Secret management is a set of processes and best practices that comprise a mechanism to protect an organization’s digital assets from unauthenticated and unauthorized access. Secret management solutions provide a wide and deep range of use cases. The main capabilities of the security management mechanism are:
- Secret lifecycle management
Secrets have their own lifecycle, which includes:- Creation – Based on best practices and organizational policies, done manually or programmatically.
- Rotation – Popular requirement of security standards and regulations.
- Revocation – After a security incident, the tech vendor changes, the secrets are changed, etc.
- Safe storage of secrets
This is a major part of secret management. See the next section for an overview of some of the systems that use secrets in today’s tech landscape. (To read more about the secret lifecycle and storage, see here.) - Access tracking and logging
An important part of secret management involves keeping track of which secrets are used, when, and by which system in order to handle security incidents if and when they arise; most security standards also require this type of tracking to ensure compliance and accountability. (Read more here.) - Implementation of security practices such as least-privilege access
and role-based access control (See here for a deep dive.)
- Enforcement of organization-specific security and data compliance guidelines (See an example of a related standard here.)
How to protect your code from data leaks that originate in secret leaks?
In a nutshell, it all comes down to software fatigue. Nine years after Marc Andreessen’s famous “Software is Eating the World” article in the Wall Street Journal, it is a given that the world is driven by code.
Today’s R&D organizations need to select and increasingly implement state of the art solutions to remain competitive and serve their customers well. Each new tech or tool added to the organization’s development, testing, and production environment needs to be secured—hence the secret proliferation phenomenon.
the 7 factors driving secret proliferation
Secrets are everywhere: They’re used in every technology, are part of every step of SDLC, and support powerful automation processes.
Let’s take a deeper look at a few secret-proliferation drivers:
1. Cloud-native based development
Cloud-native applications use many different kinds of services, such as computing (E2C, etc.), analytics (), database (MongoDB, memSQL, etc.), logging (ElasticSearch, Loki), and more. Secrets to such services need to be well managed to protect the organization’s (and its customers’/users’) data.
2. Multi-cloud infrastructure
Each public cloud provider is different and good at addressing different aspects of business needs. Many businesses use multiple services, such as Amazon Web Services, Microsoft Azure, Google Cloud, and IBM Cloud, each of which contributes to secret profilieation.
3. DevOps
The DevOps movement helps teams to develop, test, and deploy software in a much faster phase. To support that agility, they employ a wide range of services throughout the entire software development lifecycle, including vendors such as Jenkins, GitLab, Terraform, and more. The need to secure DevOps environments resulted in the creation of the DevSecOps field, where secret management is a very important pillar.
4. Microservices architecture
The use of microservices is the most popular way to build and manage services. Since each microservice is decoupled from other services being used, each might use a different provider, thus creating more secrets that need to be managed.
5. The shift from user identity to machine identity
In the past, human interaction was the main mechanism for accessing an organization’s data. Modern software services have shifted to machine (and a lot of them, at that) identity as the key to connecting to machines, either inside the organization or between an organization and its customers (such as a service to record sales conversations that needs access to its customers’ calendars).
6. AI, ML, and data analytics
Incrasingly, organizations use ML based services, such as TensorFlow and Apache Spark, for example. Either as part of the organization’s product or the heart of the business value proposition, these types of services are experiencing exponential growth . This creates an additional data pipeline that needs to be protected, hence more secrets.
7. IoT/Embedded devices
Many services in different industries (e.g., agriculture, manufacturing, distribution, and more) use IoT and embedded systems, and this trend will increase with 5G network adoption. New networks – additional endpoints that need to be securely connected (using vendors such as ThingWorx and Ignition), using certifications and encryptions, which also need to be managed properly.
The human aspect
On top of software fatigue driven by changes in technology, the ways in which people (within organizations) work have changed as well. Not only are there more secrets that need to be protected, but there are also more channels and places in which those secrets are likely to be communicated and stored outside of code development, testing, and production environments. Here are a few examples:
- Communication: For both one-to-one and group collaboration, the popularity of messaging platforms (such as Slack and Microsoft Teams, Zoom, Discord) among startups and large enterprises alike has changed how employees communicate, introducing even more digital channels where secrets can be exposed.
- Devices: The mass adoption of smartphones (and tablets) as devices used not just for personal use, but also work and professional needs has increased the number of devices on which secrets are stored.
- Remote work: The work-from-everywhere movement has boosted productivity, but has, at the same time, increased the exposure of secrets to networks that are not controlled by the organization.
What is secret sprawl?
Secret Management Technologies
We’ve discussed secret management and the main technology drivers for secret proliferation. Now, let’s take a look at a few secret management technologies, both commercial and open source. A deeper overview of few and a more complete list can be found here:
https://stackshare.io/secrets-management
Commercial tools can be divided into two categories:
- Offerings from the leading cloud infrastructure providers, such as those from Amazon, Azure, Docker, and Google
- Specific secret management solutions, which are focused, decoupled from the environment and tech agnostic, such as https://www.envkey.com/, https://www.vaultproject.io/, https://www.torus.sh/
On the open source side, there are a few projects built by technology companies like Lyft, Pinterest and Square, and probably many others that aren’t publicly available. There are also open-source utilities built by companies in the field, as well as individual developers, such as https://github.com/fugue/credstas and https://github.com/codahale/sneaker.
When it comes to selecting technologies for secret management, ultimately it comes down to your organization’s needs and budget, the tools and technologies you use, and the team’s familiarity with secret management and availability/bandwidth to implement and keep such technologies and practices up to date.
https://docs.github.com/en/free-pro-team@latest/developers/apps/authenticating-with-github-apps
http://phpseclib.sourceforge.net/rsa/examples.html
Related articles
ISO/IEC 27001 Compliance Self-Assessment: The Ultimate ISO 27001 Requirements Checklist
For organizations looking to reassure customers that excellent data governance is one of their guiding principles, and that they’re doing everything in their power to mitigate
How to Perform a Comprehensive Network Vulnerability Assessment
Despite growing awareness and prioritization of cybersecurity, close to 22,000 vulnerabilities were published in 2021 alone. This concerning number proves that awareness and a willingness to