Spotlight: How Secrets Sprawl Undermines Software Supply Chain Security

In this Spotlight edition of the podcast, we’re joined by Mackenzie Jackson, the Developer Advocate at the firm GitGuardian. Mackenzie and I discuss the problem of so-called “secrets sprawl” – the migration of all manner of sensitive information, from credentials to private keys – into public source code repositories on sites like GitHub.

As always, you can check our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and Spotify. Or, check us out on Google Podcasts, Stitcher, Radio Public and more. Also: if you enjoy this podcast, consider signing up to receive it in your email. Just point your web browser to securityledger.com/subscribe to get notified whenever a new podcast is posted.

[MP3]


“Given enough eyeballs, all bugs are shallow.” That is “Linus’s Law,” first formulated by Eric Raymond in his 1999 book “The Cathedral and the Bazaar” and named after Linus Torvalds, the creator of Linux. It speaks to a hidden value of open source code: with an unbounded population of developers given access to source code, security and quality issues will quickly bubble up and be discovered, improving security rather than undermining it.

Mackenzie Jackson is a Developer Advocate at GitGuardian

All Secrets Are Shallow, Too!

Two decades later, open source culture is now firmly entrenched, open source code and libraries are part and parcel of nearly every software development project, and massive, online repositories like GitHub put code at the fingertips of a population of millions of developers and billions of Internet users.

In that new milieu, something like a corollary to Linus’s Law has emerged: given enough eyeballs, all secrets are shallow, too. 

In other words: having thousands of developers crawling over your source code may expose hidden flaws in your application code. (Though there is ample reason to doubt that happens.) But it may also reveal secrets you weren’t aware were buried in your code, or that you hoped nobody would notice. 

Credentials: Gone in 60 Seconds

In fact, secret sprawl, as it is known, is a growing security risk for organizations of all types. Credentials leaked in source code were behind a massive security incident at the ride hailing firm Uber. And malicious actors are known to be on the hunt for API keys, SSH credentials and other sensitive secrets buried in source code. Experiments by researchers using “honey pot” credentials suggest that the window between a secret being published to a public source code repository on GitHub and those credentials falling into the hands of malicious actors may be measured in minutes, rather than hours, days or weeks. 

The likelihood of that happening is also growing, as developers use common platforms like GitHub to manage both personal and professional development projects, increasing the likelihood of cross-contamination and security lapses. And, once published, powerful commit history features on platforms like GitHub make it hard for development organizations to erase their mistake.

What companies need are tools to help them identify leaked credentials and other secrets before they get pushed to source code repositories. To talk about the dangers posed by secret sprawl, we invited Mackenzie Jackson into the studio. Mackenzie is a developer advocate at the firm GitGuardian, which makes technology to help detect and block secret sprawl via platforms like GitHub. 
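The kind of check the previous paragraph describes (catching a secret before it reaches the repository, since commit history makes it hard to remove afterwards) can be wired into a local Git pre-commit hook. The scanner below is an added example written for this post; it is not GitGuardian's code and does not represent their detection engine. It scans only the added lines of the staged diff, combines a few fixed patterns for well-known key formats with a Shannon-entropy check on string literals assigned to secret-looking variable names, and ships with a constructed sample diff so it can be run offline. The entropy threshold, the variable-name keyword list, and the sample values are all assumptions chosen for illustration (the `AKIA...EXAMPLE` key and the `wJalr...EXAMPLEKEY` string are the placeholder values from AWS documentation, not live credentials).

```python
"""Minimal pre-commit secret scanner (added example, not GitGuardian's tool).

Scans only the ADDED lines of a unified diff, so a leak is blocked before the
commit exists; once a commit is pushed, history makes it hard to scrub.
"""
import math
import re
import subprocess
import sys
from collections import Counter

# Fixed patterns for well-known secret formats (assumption: this small set is
# enough to illustrate the idea; a real scanner carries hundreds of detectors).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |PGP )?PRIVATE KEY(?: BLOCK)?-----"
    ),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
}

# Generic case: a long quoted literal assigned to a secret-looking name.
ASSIGNMENT = re.compile(
    r"(?i)\b(?P<name>[a-z0-9_.-]*(?:secret|password|passwd|token|api[_-]?key))\b"
    r"\s*[:=]\s*['\"](?P<value>[^'\"]{12,})['\"]"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; an assumed cut-off, tune per codebase


def shannon_entropy(s):
    """Shannon entropy in bits per character; random keys score high,
    placeholders such as 'changeme_changeme' score low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def added_lines(diff_text):
    """Yield (path, content) for every line the diff ADDS.

    '+++ b/path' headers set the current file; removed ('-') and context
    lines are ignored, so only new material is judged."""
    current = None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            current = line[4:]
            if current.startswith("b/"):
                current = current[2:]
        elif line.startswith("+"):
            yield current, line[1:]


def scan_diff(diff_text):
    """Return a list of (path, detector, detail) findings for the diff."""
    findings = []
    for path, line in added_lines(diff_text):
        for kind, rx in PATTERNS.items():
            if rx.search(line):
                findings.append((path, kind, line.strip()))
        m = ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group("value")) >= ENTROPY_THRESHOLD:
            findings.append((path, "high_entropy_assignment", m.group("name")))
    return findings


# Constructed sample diff for offline use: two files, three real hits, one
# low-entropy placeholder that must NOT be reported.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,2 +1,5 @@
 DEBUG = False
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+api_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+password = "changeme_changeme"
diff --git a/deploy/id_rsa b/deploy/id_rsa
--- /dev/null
+++ b/deploy/id_rsa
@@ -0,0 +1,2 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAconstructedsampleonly
"""


def main():
    # As a pre-commit hook: read the staged diff and block the commit on a hit.
    diff = subprocess.run(
        ["git", "diff", "--cached", "--unified=0", "--no-color"],
        capture_output=True, text=True, check=True,
    ).stdout
    hits = scan_diff(diff)
    for path, kind, detail in hits:
        print(f"{path}: {kind}: {detail}", file=sys.stderr)
    sys.exit(1 if hits else 0)


if __name__ == "__main__":
    main()
```

To use it as a hook, copy the file to `.git/hooks/pre-commit` and make it executable; `scan_diff(SAMPLE_DIFF)` exercises the logic without a repository. The entropy check is what catches secrets that have no fixed format, but it is also the main source of false positives, which is why real tools combine it with context (variable names, file types, known-key checksums) rather than relying on it alone.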

Check out our full conversation above, or click on the button below to download the MP3.


(*) Disclosure: This post was sponsored by GitGuardian. For more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger, check out our About Security Ledger page on sponsorships and sponsor relations.