The Problem of Permissions and Non-Human Identities – Why Remediating Credentials Takes Longer Than You Think

November 18, 2024 at 09:00AM

Research by GitGuardian and CyberArk reveals a rise in secrets leaks among IT decision-makers, with over 12.7 million hardcoded credentials exposed on GitHub. Organizations face lengthy remediation times and unclear ownership of security responsibilities. A shared responsibility model between developers and security teams could enhance credential management and reduce risks.

### Meeting Takeaways

1. **Current State of Secrets Leakage**:
   - 79% of IT decision-makers reported experiencing a secrets leak, up from 75% the previous year.
   - Over 12.7 million hardcoded credentials are found in public GitHub repositories.
   - More than 90% of valid secrets remained valid for over 5 days after being reported.

2. **Remediation Challenges**:
   - Organizations take an average of 27 days to remediate leaked credentials.
   - Non-human identities (NHIs) drastically outnumber human identities (45:1), complicating management of secrets and permissions.

3. **Reasons for Slow Credential Rotation**:
   - Lack of clarity on how credentials are permissioned.
   - Replacement of secrets must be done carefully to avoid introducing new security risks.
   - Insight into the lifecycle of NHIs and their associated secrets is crucial for effective management.

4. **Ownership of Secrets Management**:
   - 65% of respondents believe IT security teams should handle remediation, but 44% of IT leaders report developers are not following best practices.
   - There is a need for a shared responsibility model to address secrets sprawl and over-permissioned credentials.

5. **Developers' Struggles**:
   - Developers are under pressure to deliver quickly, which often results in overly broad permissions because permission management is complex.
   - Unused permissions are prevalent: reports indicate only 2% of granted permissions are actively utilized.

6. **Challenges for Security Teams**:
   - Security teams often lack the project-level context needed for effective secrets management.
   - The dispersed nature of secrets management increases risk and makes it harder to keep access control consistent.

7. **Proposed Shared Responsibility Model**:
   - Encourage collaboration where developers manage permissions with proper tools and documentation.
   - Security teams should facilitate automation of secret rotations and support observability into the state of those secrets.

8. **Key Questions for Effective Permissions Management**:
   - Who created the credential?
   - What resources does it access?
   - What permissions does it grant?
   - How do we revoke or rotate it?
   - Is the credential active?
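The five questions above map directly onto an inventory check. As an added example (not the article's or GitGuardian's code), this Python snippet models each credential with a field per question, flags the ones that cannot be rotated safely because a question is unanswered, lists granted-but-unused permissions, and puts leaks that have stayed valid past the 5-day window first in the remediation queue; the inventory records, runbook paths and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass(frozen=True)
class Credential:
    name: str
    created_by: Optional[str]        # Who created the credential?
    resources: tuple                 # What resources does it access?
    granted: frozenset               # What permissions does it grant?
    used: frozenset                  # permissions actually exercised, e.g. from audit logs
    rotation_runbook: Optional[str]  # How do we revoke or rotate it?
    last_used: Optional[date]        # Is the credential active?
    reported_on: Optional[date] = None  # date a leak was reported, if any

def unanswered(c: Credential) -> list:
    """Questions the inventory cannot answer; each one blocks a safe rotation."""
    checks = [("owner", c.created_by), ("resources", c.resources), ("permissions", c.granted),
              ("rotation", c.rotation_runbook), ("activity", c.last_used)]
    return [label for label, value in checks if not value]

def unused_permissions(c: Credential) -> frozenset:
    """Granted but never exercised: candidates for least-privilege trimming."""
    return c.granted - c.used

def overdue(c: Credential, today: date, sla_days: int = 5) -> bool:
    """True when a reported leak has stayed unremediated longer than the SLA."""
    return c.reported_on is not None and today - c.reported_on > timedelta(days=sla_days)

def triage(inventory: list, today: date) -> dict:
    """Order by overdue leaks first, then fewest gaps; split into ready vs blocked."""
    order = sorted(inventory, key=lambda c: (not overdue(c, today), len(unanswered(c))))
    ready = [c.name for c in order if not unanswered(c)]
    blocked = [c.name for c in order if unanswered(c)]
    return {"ready": ready, "blocked": blocked}

# Constructed sample inventory; names, paths and dates are made up for illustration.
TODAY = date(2024, 11, 18)
INVENTORY = [
    Credential("ci-deploy-token", "platform-team", ("s3://artifacts",),
               frozenset({"s3:GetObject", "s3:PutObject", "s3:DeleteBucket"}),
               frozenset({"s3:GetObject", "s3:PutObject"}), "runbooks/rotate-ci-token.md",
               date(2024, 11, 17), reported_on=date(2024, 11, 1)),
    Credential("legacy-db-password", None, ("postgres://orders",),
               frozenset({"SELECT", "UPDATE", "DROP"}), frozenset({"SELECT"}), None, None),
    Credential("metrics-reader", "sre-team", ("prometheus",), frozenset({"read"}),
               frozenset({"read"}), "runbooks/rotate-metrics.md", date(2024, 11, 18)),
]

if __name__ == "__main__":
    print(triage(INVENTORY, TODAY))
```

A credential in the "blocked" list is exactly the kind the article describes: nobody can rotate it safely until its owner, permissions or rotation path are known.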

9. **Conclusion**:
   - Collaboration between developers and security teams is essential to improve secrets management, reduce remediation times, and enhance overall security practices.
   - GitGuardian is developing tools to tackle secrets sprawl and improve visibility into credential risks.

### Next Steps
- Encourage teams to adopt the shared responsibility model and increase communication regarding permission management.
- Review current tools and practices in secrets management and identify areas for improvement.
- Consider implementing GitGuardian's tools to enhance visibility and management of sensitive credentials.
