Secrets such as API keys and credentials are sprawled across git repositories. Detecting them inside code can be a challenge, and it all begins with selecting the right tool.

In modern software development, we rely on hundreds, sometimes thousands, of different building blocks. The glue that connects all of these building blocks is collectively known as secrets: typically API keys, credentials, security certificates, and URIs. These are the modern-day master keys. They can provide access to cloud infrastructure, payment systems, internal messaging, and user information, to name a few. Once an attacker has a secret, they can move laterally between systems to uncover additional information and secrets, and because they are authenticated, they look like valid users, making them extremely difficult to detect.

But even having established how sensitive these secrets are and why they should be tightly guarded, this next statement may surprise you:

These secrets are sprawled all over the internet, sitting in code repositories in public view.

For the owners of the code, these secrets are difficult to identify, but malicious actors out to find them have developed simple and effective tools to uncover secrets deeply buried and long forgotten in the git history.

There are plenty of articles, whitepapers, and blog posts on the importance of protecting secrets; for example, HashiCorp and GitGuardian have great resources on this topic. Instead, I want to focus on the different tools available for detecting secrets, as well as their pros and cons. But of course, it is up to you, the reader, to decide which tools will be best to protect your secrets.

Three Options for Secrets Detection

When it comes to secrets detection, you can choose between three different approaches:

  • Building a custom solution in house.
  • Using open-source projects.
  • Using commercial products.

Let’s run through a few examples.


Detecting Credentials In Source Code: Solutions Guide