CodeSecDays 2024 - Join GitGuardian for a full-day exploration of cutting-edge DevSecOps solutions!

What is secret sprawl, why is it dangerous, and how can developers prevent it?

Secret sprawl is the unwanted spread or distribution of sensitive data across multiple systems and services. In this video, GitGuardian's developer advocate looks at why secret sprawl is dangerous and how developers and organizations can prevent it. For more information, check out this blog post from GitGuardian: https://blog.gitguardian.com/secret-sprawl/

Video Transcript

When we're talking about secret sprawl, what we're going to be referring to is the unwanted distribution of secrets across multiple platforms. Now, a secret can be defined as anything we don't want someone else to have access to, but generally, in development terms, a secret is something that provides access to an external service. This might be a database, a payment system, a messaging system, and they are generally things like API keys, security certificates or credentials.

Now, to understand how we use secrets, it's important to know how we build applications now versus in the past. It used to be true that applications and software were self-sufficient. Nowadays we're much more reliant on the internet, and this is good because it means that we can create something called microservices, and these microservices allow us to offload a lot of the tasks that aren't related to the core product or service that we're building. Now, these microservices, like before, are things like payment systems, database management, data management systems, really anything that can perform other really specific tasks. But there's a new challenge that comes now, because we now need to identify ourselves with each and every single one of these microservices, and depending on the size of the application there can be tens, hundreds of these services, and that means tens and hundreds of individual secrets that we need to keep track of and use to access these microservices.

So now we know what a secret is, we can take a quick look at how secrets sprawl across the internet. Developers need access to secrets throughout their daily workflows, and a challenge becomes how to distribute and share these secrets among developers without creating a data breach. Secrets can easily, accidentally end up in git repositories; they can be cloned onto personal and professional machines; secrets can end up being shared via email, other messaging systems like Slack; they can even be saved in Excel files and uploaded into Google Drive. So it's easy to see that, with a large number of developers over time, secrets can really sprawl into all areas of your office systems.

Now, you may think to yourself that all these systems are secure, therefore there's not too much of a risk, but the problem is that the more systems that secrets are spread across, it increases what we call the attackable area. Having a large attackable area really just means that you have your secrets spread across a large number of systems. This means that a nefarious actor, or an attacker, can access your secrets by penetrating multiple different services. Often attackers can use these secrets to move laterally between systems and uncover even more sensitive or secretive information and data.

So how do you prevent secret sprawl? Well, unfortunately no organization, big or small, is immune to secret sprawl, but there are tools and systems that you can put in place to reduce the risk. Tools like git-secret, which encrypt secrets so that you can store them in git repositories, can be used. Products like HashiCorp Vault can be used to provide greater access management, so that you know who has access to your secrets and can revoke them easily. But it's really important to make sure you have visibility over all of your office systems. This is where GitGuardian can help. We have the world's most advanced secrets detection algorithm, and we can use this to scan your public and private repositories, of both your organization and your developers, and we can also use our API to scan things like your Slack accounts or your emails. This allows you to know when you do have secret sprawl, and it allows you to gain visibility over what secrets have been compromised, so that you can revoke them and move forward.
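As an added example (not GitGuardian's code), the kind of detection logic the transcript describes: a small scanner that looks for secret patterns in file content or in the lines being added to a git commit, with an entropy check to keep placeholders out of the findings. The rule set, the entropy threshold and the sample values are constructed for this demo.

```python
import math
import re
import subprocess
from collections import Counter

# Rule = (name, regex whose group 1 is the candidate value, needs entropy check).
# Fixed-prefix formats (AWS key IDs, PEM headers) are specific enough on their
# own; the generic "name = value" rule needs an entropy check to cut noise.
RULES = [
    ("aws-access-key-id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b"), False),
    ("private-key-block", re.compile(r"(-----BEGIN [A-Z ]*PRIVATE KEY-----)"), False),
    ("generic-assignment", re.compile(
        r'''(?i)(?:api[_-]?key|secret|token|password)\w*\s*[:=]\s*["']?([A-Za-z0-9_-]{16,})'''), True),
]
ENTROPY_MIN = 3.0  # bits per character; placeholders such as 'xxxx...' fall well below

def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def scan_text(text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, rule, redacted_value) per hit; the full value is never
    returned, otherwise the scanner's own output would sprawl the secret further."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        for name, rx, needs_entropy in RULES:
            for m in rx.finditer(line):
                value = m.group(1)
                if needs_entropy and shannon_entropy(value) < ENTROPY_MIN:
                    continue  # low entropy: a placeholder, not a live credential
                findings.append((n, name, value[:4] + "*" * (len(value) - 4)))
    return findings

def scan_staged_changes() -> list[tuple[int, str, str]]:
    """Pre-commit hook use: scan only the lines being added in the staged diff."""
    diff = subprocess.run(["git", "diff", "--cached", "--unified=0"],
                          capture_output=True, text=True, check=True).stdout
    added = [l[1:] for l in diff.splitlines() if l.startswith("+") and not l.startswith("+++")]
    return scan_text("\n".join(added))

# Constructed sample file content for the demo; none of these are real credentials.
SAMPLE = """\
DB_HOST=db.internal.example
DB_PASSWORD=changeme
API_KEY=xxxxxxxxxxxxxxxxxxxxxxxx
AWS_ACCESS_KEY_ID=AKIAEXAMPLE012345678
SLACK_TOKEN = "xk9Qp2vT7mL4wRa1cZe8nH5bJ3yU6dF0"
-----BEGIN RSA PRIVATE KEY-----
"""
```

Running `scan_text(SAMPLE)` reports the AWS key ID, the Slack token and the PEM header, while the short and the all-`x` placeholder values are ignored; `scan_staged_changes()` applies the same rules to a staged commit from inside a git checkout.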