The State of Secrets Sprawl report 2024 is now live!

5
DOWNLOAD
Secrets detection for Application Security
Glossary
>
Secrets detection for Application Security
>
Secrets detection best practices
ON THIS TOPIC

Table of content

Secrets detection in the SDLC
Secrets detection using git-hooks
Secrets detection best practices
← BACK TO LEARNING CENTER

Secrets detection best practices

Where in the DevOps pipeline to implement automated secrets scanning? Client-side or server-side?

The earlier a security vulnerability is uncovered, the less costly it is to correct. Hardcoded secrets are no exceptions. If the secret is uncovered after the secret reaches centralized version control server-side, it must be considered compromised, which requires rotating (revoking and redistributing) the exposed credential. This operation can be complex and typically involves multiple stakeholders.

Client-side secrets detection early in the software development process is a nice-to-have as it will prevent secrets entering the VCS earlier.

Server-side secrets detection is a must have:

  • Server-side is where the ultimate threat lies. From the server, the code can uncontrollably spread in a lot of different places, with the hardcoded secrets in it.
  • Implementing client-side hooks on an organization level is hard. This is something we have heard many application security professionals claim they are not confident to do, due to the difficulty to deploy and update this on every developer’s workstation.
  • Client-side hooks can and must be easy to bypass (remember secret detection is probabilistic). Usage of client side hooks largely comes down to the individual developers’ responsibility. Hence the need to have visibility over the later stages.

---

Should secrets detection be blocking or non-blocking in the SDLC?

From our experience, when trying to impose rules that are too constraining, people will bend them, often in an effort to collaborate better and do their job. Security must not be a blocker. It should allow flexibility and enable information to flow, yet enable visibility and control.

On one hand, security measures will be bypassed, sometimes for the worst. But on the other hand, it is also good sometimes that the developer can take the responsibility to bypass pre-commit hooks.

Because even the best algorithms can fail and need human judgement. Secrets detection is probabilistic: algorithms achieve a tradeoff between not raising false alerts and not missing keys.

Download the full Report!

Download the report to gain valuable insights into how companies with the strongest security postures successfully tackle this challenge.

Download the Report

GitGuardian is the code security platform for the DevOps generation.

With automated secrets detection and remediation, our platform enables Dev, Sec, and Ops to advance together towards the Secure Software Development Lifecycle.

Subscribe to our newsletter to receive the latest content and updates from GitGuardian.

By submitting this form, I agree to GitGuardian’s Privacy Policy

Thank you! Your subscription has been registered!
Oops! Something went wrong while submitting the form.

© %copyright-year% GitGuardian. All Rights Reserved.

Term & ConditionsPrivacy PolicyPublic Security PolicyCookies