June 27, 2024 at 05:52AM
Aqua Security’s research shows that a significant number of “phantom” secrets, secrets that remain retrievable after being deleted or overwritten, persist in Git-based source code management (SCM) systems and expose top organizations to risk. Among them are leaked credentials granting access to the cloud environments, internal infrastructure, API tokens and network devices of major companies. Aqua stresses that accurately detecting and removing these exposed secrets is harder than it appears.
The central problem is that exposed secrets in Git-based SCMs do not disappear when a developer deletes or overwrites them. Git keeps the commit objects that contained the secret even after no branch references them, and hosting platforms such as GitHub continue to serve a commit by its hash, so passwords, tokens and passkeys remain accessible to anyone who knows where to look, opening the door to breaches. Aqua’s investigation of over 50,000 repositories belonging to top organizations on GitHub found that conventional scanning methods, which typically operate on an ordinary clone and therefore see only the history reachable from branches and tags, miss roughly 18% of exposed secrets.
The research also gave concrete examples of exposed secrets found in public repositories, including a Mozilla repository containing an API token for FuzzManager, which could potentially be used to compromise the Firefox and Tor browsers. Cisco Meraki API tokens belonging to Fortune 500 companies and an Azure service principal token belonging to a large healthcare organization were likewise found exposed, granting access to critical resources.
Aqua emphasized that the problem is not easy to solve: scanning tools differ widely in approach and accuracy, and limitations of the SCM platforms themselves constrain what scanners can see. The blind spots identified in secrets scanners, together with the methods attackers can use to extract secrets from removed or rewritten repositories, underline the severity of the issue.
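To make the mechanism concrete, the following is an added example and not part of Aqua’s research or tooling. It builds a throwaway repository with a constructed placeholder token (not a real credential), “removes” the token by amending the commit (the force-push case), and then shows that a scanner which walks only reachable history finds nothing, while the original file is still one plumbing call away for anyone holding the old commit hash, and a scanner that enumerates the whole object store still finds it. The function and variable names are this example’s own.

```shell
#!/bin/sh
# Added example: a committed secret "removed" by rewriting history is still in the
# Git object store and retrievable by commit hash. Not Aqua's code; the repository
# and the token below are constructed placeholders, not real credentials.
set -eu

SECRET_PATTERN='AKIAEXAMPLEPHANTOM'   # constructed marker standing in for a real key

# git with a fixed identity so commits work in a clean environment
gitc() { git -c user.name=demo -c user.email=demo@example.invalid "$@"; }

# Build the scenario under directory $1 and print the hash of the commit that
# originally contained the secret (the "phantom" commit).
make_phantom_repo() {
  repo=$1
  git init -q "$repo"
  printf 'AWS_ACCESS_KEY_ID=%s\n' "$SECRET_PATTERN" > "$repo/config.env"
  gitc -C "$repo" add config.env
  gitc -C "$repo" commit -q -m "add deploy config"
  leaked=$(git -C "$repo" rev-parse HEAD)
  # "Fix" the leak by amending the commit: after a force-push, no branch points at
  # the old commit any more, but the object itself is not deleted.
  printf 'AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}\n' > "$repo/config.env"
  gitc -C "$repo" add config.env
  gitc -C "$repo" commit -q --amend -m "add deploy config (read key from environment)"
  echo "$leaked"
}

# What a scanner that walks every branch and tag (git log --all) sees.
count_in_reachable_history() {
  git -C "$1" log -p --all | grep -c "$SECRET_PATTERN" || true
}

# What a scanner that enumerates every object in the store sees, including blobs
# that no commit on any branch references any longer.
count_in_all_objects() {
  hits=0
  for blob in $(git -C "$1" cat-file --batch-all-objects --batch-check | awk '$2 == "blob" { print $1 }'); do
    if git -C "$1" cat-file -p "$blob" | grep -q "$SECRET_PATTERN"; then
      hits=$((hits + 1))
    fi
  done
  echo "$hits"
}

# With only the old commit hash (from a CI log, a PR comment, a reflog, or a
# hosting platform that still serves the commit by hash), the "removed" file is
# a single plumbing call away. Deleting the commit from a branch is not remediation.
fetch_file_at_commit() {
  git -C "$1" cat-file -p "$2:$3"
}

demo_dir=$(mktemp -d)
leaked_commit=$(make_phantom_repo "$demo_dir")
echo "hits in reachable history: $(count_in_reachable_history "$demo_dir")"   # 0
echo "hits across all objects:   $(count_in_all_objects "$demo_dir")"         # 1
echo "content of $leaked_commit:config.env after the 'fix':"
fetch_file_at_commit "$demo_dir" "$leaked_commit" config.env
rm -rf "$demo_dir"
```

On a server the same asymmetry holds: a clone fetches only reachable objects, so a scanner run over a clone inherits the blind spot, whereas the platform’s own object store, or a direct request for the old commit hash, does not. This is why the only reliable remediation for a secret that has ever been committed is rotation.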
Finally, Aqua recommended treating any secret that has ever been committed as compromised and rotating it immediately, since deleting or rewriting the commit does not make the secret unreachable. Secrets should never be hardcoded into source, and organizations should monitor repositories on an ongoing basis and remove secrets from public repositories as they are found, in addition to rotation. The findings reinforce the need for secure engineering practices throughout the software development life cycle.