September 29 2023 | 4 min read
Product | September 29 2023 | 4 min read
Protecting business-critical secrets is more important than ever. In the first half of this year, compromised credentials—such as API keys, authentication tokens, encryption keys, and passwords—were the root cause of 50% of security incidents.
But managing secrets at the scale of modern development is also more complex than ever. Developers need easy access to credentials to build, connect, test, and deploy applications. With agile release cycles, distributed development environments, and multiple tools and systems to manage, it’s easy to see how secrets might slip into places they shouldn’t.
Unfortunately, detecting hard-coded secrets is notoriously challenging due to the volume of noisy false positives that distract from actionable risk. Effective and efficient secrets security requires going beyond detection with a contextual, full-lifecycle approach.
To streamline your secrets security, we’ve released a handful of powerful new features:
These new features, in addition to our existing native secrets security solution that leverages deep code-based context and advanced detection algorithms, and in combination with our robust application security posture management (ASPM) capabilities, have the power to supercharge your secrets security efforts.
More often than not, occurrences of the same secret proliferate across various components of an application. This not only makes it difficult for teams to deduplicate alerts but also makes it challenging to ensure changes are being made consistently across every instance of the secret. Plus, if a secret is used for a variety of different use cases, it’s important to be able to understand how a change to this secret could impact other areas of the business.
Apiiro now also groups occurrences of the same secret across your application components, repositories, and even different source control managers (SCMs), making it easier to:
Additionally, teams can exclude a certain secret or series of secrets from a scan, effectively creating an allowlist so that the secret is not marked as risky but is still available in the inventory for review. This saves teams time and ensures accuracy and coverage across their codebase.
A valid secret is an active key that can unlock privileged access to systems and data and, if compromised, has the potential to cause significant harm by granting unauthorized access to sensitive information. Distinguishing valid secrets from invalid or revoked secrets helps reduce distracting false positives to narrow in on real risk.
Now, in Apiiro, when a secret is detected, the platform checks it against the platform’s APIs to determine if it’s valid or invalid, allowing Apiiro customers to:
This insight, alongside other contextual factors, like whether a secret is exposed via an external gateway or a public repository or if the code exposes sensitive data, can be used to determine the unique level of risk this secret poses to the organization.
Detecting valid secrets is just the first step of keeping your secrets secret, but addressing secrets isn’t always trivial or straightforward. Regardless of how you go about securely managing your secrets, changing or invalidating the exposed secret is a best practice to mitigate risks associated with compromised or leaked credentials.
In an ideal world, other development and operations teams would know that these changes are happening. However, in reality, when a secret is revoked, there’s usually very limited visibility into the process, which can create problems when other development, test, QA, and production processes rely on those credentials. Additionally, application security teams need to be able to track revoked secrets to understand the status of a secret and, in some cases, maintain records of revoked secrets for compliance.
In addition to determining whether a secret is valid or invalid, Apiiro now also checks for whether a secret has been revoked, allowing customers to:
Tracking the full lifecycle of an exposed secret makes it easier for developers to work in sync with design, QA, operations, and security teams and ensure changes don’t hinder release velocity.
By evaluating the context of a secret, like whether it’s valid, in test code, exposed to the internet, in a public repository, related to sensitive data, or is in a high business impact (HBI) application, and identifying the specific platform/system affiliations (e.g., AWS or OpenAI), Apiiro goes beyond just detecting secrets in code.
With this contextual approach, teams can tie exposed secrets to code owners so that teams can flag routine offenders, not to blame or shame, but to educate them about secure coding methods and provide a path for them to improve proactively. This insight also empowers teams to build workflows to set up alerts and notifications or create guardrails to enforce best practices at the organizational level.
Our new Secrets Dashboard shows overall insights into risks and how they impact your security posture, with tiles tracking metrics like total open secret risks, discovered vs. closed secret risks, top secrets risks, HBI repositories with critical secrets risks, valid secrets based on platform, and MTTR (mean time to remediation) for exposed secrets.
With more accurate detection, risk-based prioritization, and guided remediation, Apiiro’s contextual, multidimensional approach to secrets security delivers rich insights needed to paint the full picture of risk and severity to continuously prevent exposed secrets.
To see how we help keep your secrets safe—at the pace of modern application development—schedule a demo with our team, or check out our Secrets Insight Report for details on secrets in code trends and how to prevent secrets exposure.