GUEST ESSAY: Why CISOs absolutely must take authentication secrets much more seriously

By Thomas Segura

The IT world relies on digital authentication credentials, such as API keys, certificates, and tokens, to securely connect applications, services, and infrastructures.


These secrets work similarly to passwords, allowing systems to interact with one another. However, unlike passwords intended for a single user, secrets must be distributed.

For most security leaders today, this is a real challenge. While there are secret management and distribution solutions for the development cycle, these are no silver bullets.

Managing this sensitive information while avoiding pitfalls has become extremely difficult due to the growing number of services in recent years. According to BetterCloud, the average number of software as a service (SaaS) applications used by organizations worldwide increased 14x between 2015 and 2021. The way applications are built has also evolved considerably: they make much more use of external functional blocks, and secrets are the glue between them.

Poor practices

In the field, people often copy and paste secrets into configuration files, scripts, source code, or private messages without considering the consequences. Source code repositories are cloned and take with them hard-coded credentials, resulting in an explosion of “secrets sprawl.”

To understand the magnitude of the problem, each year GitGuardian publishes the number of secrets that have been mistakenly published on GitHub, the world’s first code-sharing platform. In 2021, more than 6 million secrets leaked between the lines of developers’ code, that is to say, more than 16,000 per day on average!

The projects hosted by the platform are mostly personal projects or open-source repos. Still, it is important to understand that these errors slip in easily and are difficult to identify and resolve. Even the most experienced developers can inadvertently publish this extremely sensitive information, giving access to the resources of the companies they work for.

Security specialists try to warn against the problem. Still, today the priority of boards of directors is to deliver value to customers faster than the competition, which means accelerating the development process. Combining flexibility and security is the source of all compromises, including when it comes to managing secrets.

It can be difficult to know where to start. That’s why we created a framework to help security managers evaluate their current posture and take steps to strengthen their enterprise secrets management practices.

Mitigating errors

You can start right away here with a straightforward (and confidential) questionnaire. The linked white paper explains the three stages of this process:

• Assessing secrets leakage risks

• Establishing modern secrets management workflows

• Creating a roadmap to improvement in fragile areas

This model emphasizes that secrets management is more than just how an organization stores and shares secrets. It is a program that must coordinate people, tools, and processes, and also account for human error. Errors cannot be prevented, but their effects can be. That is why detection, remediation tools and policies, and secrets storage and distribution, are the foundations of our maturity model.
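The “poor practices” section above describes secrets copy-pasted into configuration files and scripts, and this paragraph names detection as one foundation of the maturity model. The following toy scanner is an added example written for this essay; it is not GitGuardian’s product code. It flags lines that look like hard-coded credentials using two complementary checks: a small table of well-known token formats (the AWS access key ID and GitHub personal access token shapes are publicly documented; the sample values are constructed) and a generic check that combines a credential-like variable name with the Shannon entropy of the assigned value. The sample input lines, the entropy threshold, and the placeholder patterns are assumptions chosen for the example.

```python
"""Toy secrets scanner (added example, not GitGuardian's product code).

Flags lines that look like hard-coded credentials in source or config files,
using two checks: well-known key formats, and a generic "secret-looking
assignment" check based on the variable name plus value entropy.
All sample inputs below are constructed for this example.
"""
import math
import re
from typing import Dict, List

# Well-known credential formats. The prefixes follow each vendor's documented
# token shape; the matching values in SAMPLE_LINES are made up.
KNOWN_PATTERNS: Dict[str, re.Pattern] = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# Generic check: an assignment whose left-hand side smells like a credential.
SECRET_NAME = re.compile(
    r"(?i)(secret|token|passw(or)?d|api[_-]?key|private[_-]?key|access[_-]?key)"
)
# Matches `NAME = "value"` and `name: 'value'` (scripts, .env files, YAML).
ASSIGNMENT = re.compile(
    r"""^\s*([A-Za-z_][A-Za-z0-9_.-]*)\s*[:=]\s*["']([^"']+)["']"""
)
# Values that are clearly not real secrets (templates, env lookups, dummies).
PLACEHOLDER = re.compile(r"^(\$\{.*\}|<.*>|changeme|xxx+|todo|\*+)$", re.IGNORECASE)

MIN_LENGTH = 16   # assumed: shorter values are rarely machine-generated keys
MIN_ENTROPY = 3.0  # assumed: bits/char; random hex or base64 sits well above


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_line(line: str) -> List[str]:
    """Return the finding types for one line (empty list if clean)."""
    findings: List[str] = []
    for name, pat in KNOWN_PATTERNS.items():
        if pat.search(line):
            findings.append(name)
    m = ASSIGNMENT.match(line)
    if m:
        var, value = m.group(1), m.group(2)
        if (SECRET_NAME.search(var)
                and not PLACEHOLDER.match(value)
                and len(value) >= MIN_LENGTH
                and shannon_entropy(value) >= MIN_ENTROPY):
            findings.append("generic_high_entropy_secret")
    return findings


def scan(lines: List[str]) -> List[dict]:
    """Scan text lines; return one record per flagged line (1-based numbers)."""
    results = []
    for lineno, line in enumerate(lines, start=1):
        kinds = scan_line(line)
        if kinds:
            results.append({"line": lineno, "kinds": kinds, "text": line.strip()})
    return results


# Constructed sample resembling a script with copy-pasted credentials.
SAMPLE_LINES = [
    'DB_HOST = "db.internal.example"',                 # harmless setting
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',      # AWS docs' example key
    'API_TOKEN = "${API_TOKEN}"',                      # template, not a leak
    'password = "hunter2"',                            # too short for the check
    'slack_token = "kQ9vX2mP7rL4wN8jT3bY6cH1"',        # made-up random value
    'import os',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LINES):
        print(f"line {finding['line']}: {finding['kinds']}  ->  {finding['text']}")
```

The two checks fail in different ways, which is why both are needed: the format table has no false positives but only knows the shapes it was taught, while the entropy check catches unknown token types at the price of needing the placeholder list and a length floor to stay quiet on ordinary configuration values. Short human-chosen passwords such as the `hunter2` line slip through the generic check entirely, which illustrates the essay’s point that detection is only one foundation and must be paired with storage and distribution practices that keep such values out of files in the first place.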
If you are wondering why secrets in code should be a priority among so many other vulnerabilities, just look at the recent security incidents of 2022: several major companies experienced the fragility of secrets management.

In September, an intruder accessed Uber’s internal network and found hardcoded admin credentials on a network drive. These secrets enabled the attacker to log in to Uber’s privileged access management platform, where many more plaintext credentials were stored. This gave the attacker access to Uber’s admin accounts in AWS, GCP, Google Drive, Slack, SentinelOne, HackerOne, and more.

In August, LastPass suffered a similar attack. Someone stole its source code, which exposed development credentials and keys. Later, in December, LastPass revealed that an attacker had used the stolen source code to access and decrypt customer data.

In fact, source code leaks caused major issues for many organizations in 2022. NVIDIA, Samsung, Microsoft, Dropbox, Okta, and Slack were among those affected. In May, we warned about the large number of credentials that could be harvested from these codebases: with these credentials, attackers can gain leverage and move into dependent systems in what is known as supply chain attacks.

In January 2023, CircleCI was breached. Hundreds of the continuous integration provider’s customers’ variables, tokens, and keys were compromised. CircleCI urged its customers to change their passwords, SSH keys, and any other secrets stored on or managed by the platform. To take emergency action, victims first had to find out where these secrets were and how they were being used. This highlighted the need for an emergency plan.

Taking secrets seriously

Attacks have become more sophisticated, with attackers recognizing that compromising machine or human identities yields a higher return on investment. This is a warning sign of the need to address hardcoded credentials and secrets management.

Cybersecurity teams are taking hard-coded secrets in source code seriously. Companies understand that source code is now one of their most valuable assets and must be protected. A breach could result in business continuity issues, reputation damage, and legal proceedings.

The increasing prevalence of code and services means that software- and code-related risks will not dissipate any time soon. Hackers now target software practitioners’ credentials to gain access to IT infrastructure.

To combat these challenges, organizations must have visibility into vulnerabilities at all levels. This requires going beyond traditional practices and involving developers, security engineers, and operations in detection, remediation, and prevention.

Organizations must be prepared for secrets sprawl and have the right tools and resources in place to detect and remediate any issues in a timely manner. It’s time to take action!

About the essayist: Thomas Segura’s passion for tech and open source led him to join GitGuardian as technical content writer. Having worked both as an analyst and as a software engineer consultant for major French companies, he now focuses on clarifying the transformative changes that cybersecurity and software are going through.
