Products & Technology | March 14, 2023

Introducing New Secrets Management Capabilities For Mitigating Software Supply Chain Risk

ReversingLabs is giving dev and app sec teams something new: broader visibility into software supply chain risks — and data-driven prioritization to automatically suppress third-party secrets and other false positive results.

Jasmine Noel, Senior Product Marketing Manager at ReversingLabs

Businesses are vulnerable to software supply chain breaches when software releases leak secrets such as authentication credentials, hardcoded passwords, API tokens, and encryption keys. Look no further than the CircleCI, Toyota and CodeCov incidents.

Behind the scenes, attackers are automating secrets detection to find credentials and attack software development tech stacks and delivery pipelines. Once compromised, software supply chains leave software providers and their customers exposed to further attacks including the placement of malware, the theft of sensitive data, and the loss of intellectual property. Development secrets - critical for today’s complex software to function - are challenging to manage across every software component and within every stage of software development.

That's why we are unveiling first-in-kind features within the ReversingLabs Software Supply Chain Security (SSCS) platform to improve:

  • Secrets detection and exposure coverage
  • Prioritization and suppression needed to reduce manual triage
  • Security controls for preventing leakage

With our new capabilities, ReversingLabs is giving developers and application security teams something that other offerings don’t: broader visibility into software supply chain risks and data-driven prioritization to automatically suppress third party secrets and other false positive results that are not actionable by developers.


Broader visibility into software supply chain risks

Our binary analysis and enhanced support of 250+ types of credentials extends visibility beyond code analysis, into entire software packages and containers before release or deployment. This delivers a comprehensive view of whether secrets will be exposed because of:

  • Build or packaging mistakes
  • Shortcuts that increase risk
  • Sensitive information added by compromised accounts or malicious insiders

This broader secrets detection scope is important because breach research from Verizon and IBM shows the increasing use of compromised credentials during multiple phases of an attack. However, the bulk of our new capabilities are focused on solving the reason why detection alone hasn’t prevented leakage or use of exposed secrets in software supply chain attacks: noisy results.

Contextual prioritization tunes out the noise

Secrets scanning solutions will always detect a lot of secrets. As software has become larger (ReversingLabs has scanned 10GB software containers) and more complex -- with open source, third-party and commercial components -- the number of detected secrets will only increase.

The problem is that many detected secrets are not actionable by developers, for example:

  • Commonly distributed keys for testing online services or APIs – not really secrets
  • Placeholder values for network credentials (e.g. schema://user:pass@domain.tld) – not really a secret
  • Canary secrets included to aid intrusion detection by SOC teams – developers must not remove
  • Exposures in third-party or commercial components – vendor risk management problem

...and many other reasons that reported secrets can be considered false positives.

Reporting hundreds of detected secrets creates a ton of triage work just to weed out the false positives before getting down to the actual work of prioritizing, remediating and managing the secrets. So it’s no surprise that developers push back or, worse, just bypass the majority of warnings to meet pressing release deadlines – leaving the risk unaddressed.

More effective secrets management is only achievable when additional context can be automatically applied to determine if a detected secret is worth the remediation effort. Figure 1 shows how adding a little context to a security control can dramatically reduce the number of high priority and high risk secrets we report to developers. It’s exciting because this reduction is just the beginning!

Figure 1: Detection + Contextual Prioritization = More Effective Secrets Management

Content powered by actual data

To support this contextual prioritization, we need to know what exposed secrets have entered the public domain, and when. We have this visibility because of ReversingLabs' huge repository of threat intelligence from scans of billions of files. This repository, the largest known private commercial storehouse of malware and goodware, has been gathered continuously for over 10 years and curated by our threat research experts to ensure it's kept up to date with the latest information.


Figure 2: How ReversingLabs Threat Intelligence Repository Is Curated

A quick lookup in our proprietary repository can tell us if and when leaky secrets discovered while analyzing software are a match to secrets already publicly available in:

  • Open source packages
  • Malware samples
  • Third party libraries
  • Commercial applications
  • Other scanned files

This is exactly the context needed to save countless hours of triage and/or unnecessary remediation with accurate, automated suppression of commonly shared secrets used for testing open source components that have been public for years.

Our data can also indicate when the level of risk has increased, for example, discovering that proprietary credentials rotated a month ago entered our repository a few days ago. In other words, secrets you’re working hard to protect have been found “in the wild”, where any malicious actor can find and use them. Leveraging that data, you can take action to minimize the risk of a software supply chain breach with “just-in-time” secrets management, i.e. by immediately rotating that secret with your secrets management solution.
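To make the two ideas above concrete (the false-positive categories listed under "Contextual prioritization tunes out the noise", and the first-seen-publicly lookup described in this section), here is an added illustration written for this post; it is not ReversingLabs code, and the placeholder pattern, canary list, third-party path prefixes and the "public repository" lookup table are all constructed stand-ins.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional, Set, Tuple

# Constructed stand-in for a lookup of secrets already seen in public files:
# maps secret value -> date it was first seen publicly.
PUBLIC_REPOSITORY: Dict[str, date] = {
    "shared-test-key-EXAMPLE": date(2014, 1, 1),   # public for years
    "recently-leaked-token": date(2023, 3, 1),     # public for two weeks
    "rotated-prod-token-42": date(2023, 3, 10),    # seen days ago
}
# Constructed: SOC-owned canary values that developers must not remove.
CANARY_SECRETS: Set[str] = {"canary-token-9f3a"}
# Constructed: path prefixes that mark third-party / vendored components.
THIRD_PARTY_PREFIXES = ("node_modules/", "vendor/", "site-packages/")
# Placeholder network credentials of the form schema://user:pass@domain.tld
PLACEHOLDER_RE = re.compile(r"^[a-z][a-z0-9+.-]*://user:pass(word)?@domain\.tld(/|$)", re.I)


@dataclass
class Finding:
    secret: str
    path: str
    rotated_on: Optional[date] = None  # when the owner last rotated it, if known


def prioritize(f: Finding, today: date) -> Tuple[str, str]:
    """Return (priority, reason) for one detected secret, applying context."""
    if PLACEHOLDER_RE.match(f.secret):
        return "suppress", "placeholder credential, not a real secret"
    if f.secret in CANARY_SECRETS:
        return "suppress", "canary secret; developers must not remove it"
    if f.path.startswith(THIRD_PARTY_PREFIXES):
        return "vendor", "exposure in third-party component; vendor risk management"
    first_seen = PUBLIC_REPOSITORY.get(f.secret)
    if first_seen is None:
        return "high", "proprietary secret not seen publicly; remediate before release"
    # Risk increase: a credential rotated *before* it showed up publicly means
    # the current value is in the wild, so rotate it again immediately.
    if f.rotated_on is not None and first_seen > f.rotated_on:
        return "critical", "current credential appeared publicly after rotation; rotate now"
    if (today - first_seen).days > 365:
        return "suppress", "public for years; commonly shared test secret"
    return "medium", "public recently; confirm ownership and rotate"
```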

Manage secrets in software to manage business risk

Maintaining the status quo isn't likely to get you different results. That's why innovation is so valuable. Expecting software supply chain breaches to stop happening without innovating tools and process that streamline how secrets in software are found, prioritized and managed is not realistic.

With ReversingLabs, development and application security teams can take the toil out of identifying, prioritizing and remediating secrets in software that create software supply chain risks for their organizations.

