Secret Leaks: The Predominant Issue in Software Supply Chain Security

In today's rapidly evolving digital landscape, software supply chain security has emerged as a critical concern for organizations worldwide. Among the countless security threats, ‘secret leaks’ stand out as a predominant issue, posing significant risks to the integrity and confidentiality of software systems. This blog post delves into the intricacies of secret leaks, exploring why they are a pervasive problem and what steps can be taken to mitigate this threat.

What is a Secret Leak?

Secret leaks refer to the unintended exposure of sensitive information, such as API keys, passwords, encryption keys and other credentials, within the software supply chain. These secrets are often embedded in code repositories, configuration files and development environments. When exposed, they can be exploited by malicious actors to gain unauthorized access to systems, steal data and cause widespread damage.

There are several factors that contribute to the proliferation of secret leaks. Human error is a significant contributor, as developers may inadvertently commit secrets to version control systems like GitHub or GitLab during the software development process due to oversight, lack of awareness or inadequate training on secure coding practices. Complex development environments also play a role; modern software development involves numerous third-party libraries, frameworks and tools, making it challenging to manage secrets across these components and leading to accidental exposure. Additionally, many organizations lack robust security controls to detect and prevent secret leaks, including inadequate access controls, poor encryption practices and a lack of automated scanning tools to identify exposed secrets. Finally, rapid deployment cycles create pressure to quickly deploy new features and updates, often resulting in shortcuts and lapses in security practices. In such environments, secrets may be hardcoded into applications or improperly managed, increasing the risk of leaks.

Supply chain attacks that leverage leaked or stolen secrets, environment variables, and other sensitive data are often the first step toward larger, targeted attacks. The length of time between when secrets are exposed and when they are discovered by affected organizations can figure heavily into the severity of a security incident.

A few interesting examples of this could include:

• Artificial intelligence (AI) supply chain security

The rapid deployment of ML models to integrate AI capabilities has opened a significant new frontier of supply chain security risks. ML models contain many features that can be exploited by malicious actors to gain a powerful foothold in your infrastructure. Malicious behaviors can be planted in the code that is bundled with models such as transformers or agents or in the model training itself. These types of supply chain risks are especially difficult to handle because of the rapid pace of AI development, and immaturity of model validation and risk management procedures. This exploit demonstrates the capability of an open-source ML agent to extract sensitive information from a conversation and surreptitiously send it to a malicious actor.

• Kubernetes secrets in configuration files on GitHub

Leaking secrets onto GitHub or other public repositories has become so common that specific tooling has been developed to detect and prevent leaks (Gitleaks, TruffleHog, and Trivy). The use of these tools is now considered best practice. A recent Kubernetes attack exploited a gap in the tooling to discover many leaked secrets for production services. The gap is caused by the way Kubernetes stores secrets in base64 encoded YAML files. The tools failed to inspect or detect base64 encoded secrets which allowed leaks of docercfg and dockerconfigjson secrets. These secrets grant access to the container registry. If such leaked secrets are combined with over-scoped permissions, a malicious actor can control the container registry, which could compromise an organization's entire container supply chain.

The Significance of Secret Leaks

The ramifications of secret leaks can be severe, encompassing data breaches, financial losses, reputational damage and regulatory penalties. Leaked secrets, such as API keys, credentials or cryptographic keys, increase vulnerabilities by providing entry points for attackers who can exploit these to gain unauthorized access to systems or data. Attackers may also inject malicious code into software repositories using leaked secrets, compromising the integrity of the entire supply chain and leading to backdoors or data breaches. Financial losses from secret leak incidents can be substantial, including costs related to remediation, legal fees and potential fines. Additionally, organizations that suffer from secret leaks may experience reputational damage, losing trust and credibility among customers, partners and stakeholders. Compromised secrets can also jeopardize infrastructure, allowing attackers to infiltrate cloud services, databases and other critical components, thus threatening the availability, confidentiality and integrity of the software. Furthermore, if secrets are leaked within a third-party component, it can disrupt the entire supply chain, rendering dependencies unreliable and impacting software delivery and stability. Delayed incident discovery exacerbates the situation, as the longer it takes to detect secret leaks, the more time attackers will have to exploit them, increasing the severity of the impact.

How to Mitigate Secret Leaks

Addressing the issue of secret leaks necessitates a comprehensive strategy that integrates best practices, advanced tooling and a robust organizational culture. Key strategies to mitigate the risk of secret leaks include selecting an appropriate secret management tool, such as HashiCorp Vault, AWS Secrets Manager or Azure Key Vault, which provides secure storage and access controls to minimize exposure risks. Automating secret scanning within the development pipeline through tools like GitGuardian, Trufflehog, gitLeaks, HawkScan, and AWS Git Secrets Scanner, ensures continuous monitoring of code repositories and real-time alerts for developers. Additionally, promoting secure coding practices by educating developers on the importance of avoiding hardcoding secrets into source code and using securely managed environment variables or configuration files is essential. Enforcing strict access controls through role-based access control (RBAC) limits secret access to authorized personnel only. Regularly rotating secrets further reduces the risk of exposure in case of a breach, ensuring that even if a secret is compromised, its utility is short-lived.

In conclusion, secret leaks pose a substantial threat to software supply chain security, with the potential to inflict severe damage on organizations. By comprehending the root causes of these leaks and implementing robust security measures, organizations can effectively mitigate their risk and safeguard their sensitive information. As the digital landscape continues to evolve, maintaining vigilance and a proactive approach to addressing secret leaks will be essential in preserving the integrity and security of the software supply chain.

Learn more about Kroll’s Software Supply Chain Security Services.