<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=1076912843267184&amp;ev=PageView&amp;noscript=1">

Secrets: Control Exposures, Manage Risks Spectra Assure adds new capabilities to detect and prioritize exposed secrets in your CI/CD pipeline to minimize your software supply chain risks


Secrets Detection Fails to Manage Supply Chain Risk

Modern software and development relies on secrets (access keys, API tokens and confidential information) to function properly. With hundreds of independently developed components (open source, third-party and proprietary) making up an application, it’s no surprise that secrets detection is overwhelming application development and security teams with false positives and other results that are not actionable.

As software supply chain breaches using compromised credentials increase, so too does the need to improve how risks are assessed for efficient and effective remediation. The challenge is that actionable controls require both detection and intelligence to provide additional context for risk-based prioritization to effectively reduce secrets leakage and manage supply chain risk.

With our new capabilities, ReversingLabs is giving developers and application security teams something that other offerings don’t: broader visibility into software supply chain risks and data-driven prioritization to automatically suppress third-party secrets and other false positive results.


Understand Which Secrets To Remediate

Understand Which Secrets To Remediate

Scanners that detect hundreds or thousands of secrets in software create an enormous amount of triage work to weed out third-party secrets and other false positives that are not actionable by their developers and DevOps teams. 

The only way to save countless hours of triage and/or unnecessary remediation is to use additional context gained from previously exposed secrets to determine if a detected secret requires remediation and adjust its prioritization.

See Secrets That Others Miss

See Secrets That Others Miss

There are several ways secrets in software can remain undetected by code scanning at the Commit or Pull Request. Software binaries containing secrets can be added without declaration on build manifests. Sensitive information unique to your organization  (e.g., proprietary code, debug files, intellectual property) can be hidden in files, archives and other artifacts during release packaging.

Whether it is a 1MB software library or a 10GB software container, analyzing binaries with customized detection rules provides a more comprehensive view of secrets leaked by:
• Build or packaging mistakes
• Shortcuts taken 
• Compromised accounts or malicious insiders

Manage Secrets Leakage With Actionable Controls

Manage Secrets Leakage With Actionable Controls

Integrating customizable blocking policies into code testing, build pipelines and packaging workflows gives you controls to:
• Block high-risk, hard-coded secrets, internal passwords, and private keys before they reach production or customer environments
• Leak canary secrets useful to security teams for intrusion detection

Secrets Detection & Prioritization With ReversingLabs

Actionable controls for managing software supply chain risks by keeping secrets in software secret