Secrets: Control Exposures, Manage Risks

Spectra Assure adds new capabilities to detect and prioritize exposed secrets in your CI/CD pipeline to minimize your software supply chain risks

Secrets Detection Fails to Manage Supply Chain Risk

Modern software and development relies on secrets (access keys, API tokens and confidential information) to function properly. With hundreds of independently developed components (open source, third-party and proprietary) making up an application, it’s no surprise that secrets detection is overwhelming application development and security teams with false positives and other results that are not actionable.

As software supply chain breaches using compromised credentials increase, so too does the need to improve how risks are assessed for efficient and effective remediation. The challenge is that actionable controls require both detection and intelligence to provide additional context for risk-based prioritization to effectively reduce secrets leakage and manage supply chain risk.

With our new capabilities, ReversingLabs is giving developers and application security teams something that other offerings don’t: broader visibility into software supply chain risks and data-driven prioritization to automatically suppress third-party secrets and other false positive results.
remediate-secrets

Understand Which Secrets To Remediate

Scanners that detect hundreds or thousands of secrets in software create an enormous amount of triage work to weed out third-party secrets and other false positives that are not actionable by their developers and DevOps teams. 

The only way to save countless hours of triage and/or unnecessary remediation is to use additional context gained from previously exposed secrets to determine if a detected secret requires remediation and adjust its prioritization.

See-Secrets-That-Others-Miss-1

See Secrets That Others Miss

There are several ways secrets in software can remain undetected by code scanning at the Commit or Pull Request. Software binaries containing secrets can be added without declaration on build manifests. Sensitive information unique to your organization  (e.g., proprietary code, debug files, intellectual property) can be hidden in files, archives and other artifacts during release packaging.

Whether it is a 1MB software library or a 10GB software container, analyzing binaries with customized detection rules provides a more comprehensive view of secrets leaked by:
• Build or packaging mistakes
• Shortcuts taken 
• Compromised accounts or malicious insiders

Manage-Secrets-Leakage-With-Actionable-Controls

Manage Secrets Leakage With Actionable Controls

Integrating customizable blocking policies into code testing, build pipelines and packaging workflows gives you controls to:
• Block high-risk, hard-coded secrets, internal passwords, and private keys before they reach production or customer environments
• Leak canary secrets useful to security teams for intrusion detection

Secrets Detection & Prioritization With ReversingLabs

Actionable controls for managing software supply chain risks by keeping secrets in software secret

comprehensive-detection

Comprehensive Detection

Integrate automated discovery of 250+ secret types (API keys, encryption keys, tokens, passwords etc.) to prevent future supply chain attacks

deep-binary-analysis

Deep Binary Analysis

Find secrets anywhere in builds, releases, containers – your code, open source, 3rd party, commercial and other files (installers, scripts, documentation, images, file archives etc.)

contextual-prioritization

Contextual Prioritization

Identify and suppress commonly found false positives with our unique file intelligence, so you focus on remediating actual risks

secret-exposure-detection-1

Secret Exposure Detection

Know when secrets were exposed in public domain, and determine if immediate rotation is required to lower risks

canary-token-management

Canary Token Management

Suppress alerts about secrets intentionally leaked to aid CI/CD  intrusion detection and fail builds if canary tokens are absent

custom-detection-policies

Custom Detection Policies

Define secrets specific to your organization to avoid leaking intellectual property (e.g. proprietary source code, debug files, unique data strings, etc.)