Application Security Posture Management (ASPM) 
eXtended SBOM (XBOM) 
API Security Testing 
Software Supply Chain Security (SSCS) 
Open Source Security (SCA) 
Secrets Security 
Infrastructure as Code (IaC) Security 
Careers 
Partners 
News 
Customers 
Resources 
Blog 
Cookies Notice
This site uses cookies to deliver services and to analyze traffic.
Go back
Apiiro’s Research Reveals That More Than 50 Percent of Secrets in Private Repositories Are Immediately Accessible by Attackers
TEL AVIV and NEW YORK – June 2, 2022 – Apiiro, the leader in Cloud-Native Application Security, today announced the findings of its “Secrets Insights Across the Software Supply Chain” report. Apiiro’s security research team, together with 15 industry experts, collaborated to deliver the industry’s first contextual secrets research in private repositories revealing the critical business impact of secrets in code.
In the era of agile and cloud-native application development, software engineers and DevOps are more empowered than ever before. They can quickly set up cloud infrastructure and deploy code whereas before they needed the help and approval of other departments.
This means that risks are distributed across design, code, open-source packages, secrets, Infra-as-Code, Source Control, CI/CD servers, and cloud infrastructure which makes the remediation lifecycle longer and more complex.
One of the most common risks and the source of some high-profile cloud-native application attacks is the use of secrets in code across the software supply chain.
Apiiro’s security research team, supported by a group of industry leaders and experts in the field, conducted an analysis of 25,000+ repositories ranging from small to large organizations, including 1,900,000+ commits and 820,000+ pull requests across the software supply chain. Of the 45,000+ secrets detected, they uncovered key insights that include:
- Eight times the number of exposed secrets in private repositories than public repositories
- 50.67% of all secrets in private repositories are exposed secrets that are immediately accessible by an attacker
- Out of all secrets, 38.15% are in repositories with PII
- 42.55% of all exposed secrets are plain text passwords
- 34.34% of secrets are inserted in the first quarter of the year
- 79% of secrets are found in JSON and YAML files
Additional findings include:
- The Mean Time to Remediation (MTTR) is 90 days, indicating secrets are lurking in the source code repositories for months before removal and are leaving potentially sensitive data exposed
- On average, 9.6% of developers who insert secrets account for more than half of secrets found across an entire organization
“The first ever contextual analysis of organizations’ internal repositories reveals the true magnitude of secrets in code,” said Moshe Zioni, Vice President of Security Research at Apiiro. “Our research team found eight times the amount of secrets in internal-facing repositories than previously reported on public repositories, a critical statistic for security teams looking to prevent a severe breach that can cause serious damage to an organization.”
Apiiro would like to thank all industry experts listed in this report for their contribution.
To read the full report, visit https://apiiro.com/secrets-insights-2022
About Apiiro
Apiiro helps security and development teams proactively fix risks across the software supply chain – before releasing to the cloud. Backed by Greylock and Kleiner Perkins. www.apiiro.com.
Contact:
Amy McDowell
Offleash PR for Apiiro
apiiro@offleashpr.com