ReversingLabs has added new secret detection capabilities to its software supply chain security (SSCS) tool to help developers prioritize remediation with context-based data on secrets.
In a development environment, secrets are the digital authentication credentials used by software components, including login credentials, API tokens, and encryption keys.
“We are using our knowledge of exposed secrets in the billions of files we’ve previously analyzed to provide that context,” said Tomislav Pericin, co-founder and chief software architect at ReversingLabs. “For example, commonly shared secrets used for testing open-source components that have been public for years are not secrets – so why tell developers to fix them?”
Although secrets are essential for software to function properly, handling them effectively across every part of the code base, and throughout stages such as the Software Development Life Cycle and Continuous Integration and Continuous Delivery (CI/CD), can be difficult, and mistakes can lead to their inadvertent exposure.
In early 2021 CircleCI and Codecov — two significant, cloud-based continuous integration and delivery platforms — experienced breaches that compromised user data, including environment variables and API tokens. The incidents highlighted the risk posed by exposed secrets and led several organizations to reset their API tokens and take other security measures to protect their applications and data.
Problem of false positives in secret detection
Existing secret detection tools flood developers with enormous numbers of false positives, causing them to bypass detections rather than triage and fix them, the company said.
The principle behind ReversingLabs’ secret detection system is that effective secrets analysis is achievable only when additional context is applied automatically to determine whether a detected secret is worth the remediation effort.
ReversingLabs’ SSCS tool claims to cover 250 secret types, including private keys, version control credentials, certificates, and tokens, among others. After detection, the tool enables teams to promptly verify the discovered secrets as true positives, pinpoint their exact location, identify the affected services, and check whether these secrets are also exposed or leaked elsewhere.
Prioritization helps reduce remediation fatigue
The solution focuses on prioritizing remediation efforts by suppressing commonly shared secrets such as third-party, open-source, and testing keys, thus reducing the burden of manual triage.
“The status quo with secrets is to detect a lot of items and hope someone has time to triage and remediate. That’s not sustainable when large software releases can contain thousands of secrets,” Pericin added. “Our solution is different because the focus of most of our new capabilities is on removing the noise from secrets detection with automated triage.”
In addition to contextual prioritization, ReversingLabs’ solution enforces “just in time” secrets management, canary token management, and custom detection policies. While “just in time” and canary token management bring about a timely resolution of detections, custom detection policies give fine-grained control over the detection rules.
The solution also provides the historical context of a detected secret, outlining whether, and if so when, the secret has already been exposed, in order to underscore its level of risk compared with other, non-actionable false positives.
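As an added illustration of the context-based triage the article describes (this is not ReversingLabs’ code; the detection rules, the allowlist of publicly shared keys, the test-path heuristic and the sample files are all constructed for this example), a small scanner that first finds secret-shaped strings and then suppresses known public example keys and placeholder values before ranking what remains:

```python
import hashlib, math, re
from collections import Counter
from dataclasses import dataclass
# Illustrative rules (constructed): an AWS-style access key id and a generic token assignment.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "generic_token": re.compile(r"(?i)(?:api[_-]?key|token)\s*[=:]\s*['\"]?([A-Za-z0-9_\-]{20,})"),
}
# Keys public for years (here AWS's documented example key id), kept as SHA-256 so no plaintext is stored.
KNOWN_SHARED = {hashlib.sha256(b"AKIAIOSFODNN7EXAMPLE").hexdigest()}
TEST_PATH = re.compile(r"(^|/)(tests?|fixtures|testdata)/|_test\.")

@dataclass
class Finding:
    path: str
    line: int
    kind: str
    digest: str    # fingerprint for correlating with other scans; never the secret itself
    priority: str  # "suppressed", "low" or "high"
    reason: str

def entropy(s: str) -> float:
    # Shannon entropy in bits per character; placeholders like "xxxx..." score near 0
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def triage(path: str, lineno: int, kind: str, value: str) -> Finding:
    # Apply context to a raw match: known-public, placeholder, test fixture, or a real candidate
    digest = hashlib.sha256(value.encode()).hexdigest()
    if digest in KNOWN_SHARED:
        return Finding(path, lineno, kind, digest, "suppressed", "publicly shared example key")
    if kind == "generic_token" and entropy(value) < 3.0:
        return Finding(path, lineno, kind, digest, "suppressed", "low-entropy placeholder")
    if TEST_PATH.search(path):
        return Finding(path, lineno, kind, digest, "low", "under a test path; confirm it is not live")
    return Finding(path, lineno, kind, digest, "high", "unrecognised credential in application code")

def scan(files: dict[str, str]) -> list[Finding]:
    findings = []  # results keep file and line order
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for kind, pattern in PATTERNS.items():
                for match in pattern.finditer(line):
                    findings.append(triage(path, lineno, kind, match.group(1)))
    return findings

# Constructed sample repository: a documented example key, a real-looking token, a placeholder, a test key.
SAMPLE = {
    "src/config.py": 'AWS_KEY = "AKIAIOSFODNN7EXAMPLE"\nAPI_TOKEN = "q7Zp3rT9vLm2XwK8bN4cS1dF6gH0jA5e"\n',
    "tests/fixtures/env.txt": "token=xxxxxxxxxxxxxxxxxxxxxxxx\nAKIA0123456789ABCDEF\n",
}
```

Running `scan(SAMPLE)` yields four raw matches of which only one is ranked high, which is the noise reduction the article is about; a real deployment would feed the digests to an exposure lookup rather than stop here.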
The secret detection feature is already available in ReversingLabs’ SSCS tool through the command-line interface at no additional cost.
Copyright © 2023 IDG Communications, Inc.