New Secrets Detection Capabilities Added to
ReversingLabs Software Supply Chain Security Platform
CAMBRIDGE, MASS., March 14, 2023 - ReversingLabs, the leader in software supply chain security, today unveiled new secrets detection features within its Software Supply Chain Security (SSCS) platform. ReversingLabs is the first solution of its kind to improve secrets detection coverage by providing teams with the context and transparency needed to prioritize developers' remediation efforts, reduce manual triage fatigue, and improve security controls that prevent secrets leaks.
“These new capabilities underscore ReversingLabs commitment to address growing software supply chain complexity and increasingly sophisticated threats. Our comprehensive solution enables teams to securely control the release of software via the detection of software supply chain threats, malware, malicious behaviors, tampering, and secrets exposures,” said Mario Vuksan, CEO and Co-founder of ReversingLabs.
“Supply chain risks demand evolved application security capabilities that confront the full spectrum of challenges introduced by open source- and third party components, commercial software, and binary misconfigurations. Our SSCS platform fills in the gaps left by existing solutions that only provide open-source licensing compliance and vulnerability detection, or that analyze source code quality for vulnerabilities,” Vuksan said.
The Risk of Secrets
Complex software today includes components that rely on digital authentication credentials commonly referred to as 'secrets.' These include elements such as login credentials, API tokens, and encryption keys. While critical for modern software to function, secrets are difficult to manage across Software Development Life Cycle (SDLC), or Continuous Integration and Continuous Delivery (CI/CD) stages. That challenge can result in secrets being inadvertently exposed.
Potential exposures can stem from the use of plain text passwords; weak cryptography; build scripts that include directories containing secrets configuration files; flawed CI/CD or packaging automation; not to mention compromised developer accounts and malicious insiders.
“Exposed secrets included in software release packages leave businesses vulnerable to a software supply chain breach. Look no further than the CircleCI and CodeCov incidents,” added Vuksan. “With these new secrets capabilities, we are giving software publishers something other available offerings don’t: better visibility into their supply chain risks with specific capabilities for secrets detection and management.”
Detect and Remediate Secrets Exposure
Current secrets detection tools fall short because they are unable to remove false positives, itemize all secrets in builds, or provide actionable results. As a result, many developers bypass discovered features rather than triage and fix them. These offerings also cannot determine which secrets have already been exposed. They frequently fail to properly underscore the level of risk or automatically suppress third party secrets and other false positive results that are not actionable.
ReversingLabs new capabilities give developers the visibility and confidence they need to prioritize detected secrets and issue actionable warnings to developers that help provide immediate resolution. ReversingLabs Software Supply Chain Security solution can identify more than 250 secret-types out of the box, including private keys, version control, certs, tokens, and more.
Once secrets are identified, ReversingLabs secrets discovery tool provides security teams with the ability to do "true positive" confirmation; precisely locate the leaked secrets and determine which services are affected; and identify whether the exposed or leaked secrets exist elsewhere. The solution prioritizes remediation efforts and suppresses third party, open-source testing keys and other commonly shared secrets, thus reducing false positives and the fatigue that results from manual triage.
ReversingLabs secrets capabilities include superior detection and contextual prioritization, “just in time” secrets management, "canary token" management, and custom detection policies. Additionally, ReversingLabs provides publicly available guidance for sensitive information policies. That includes documentation of public exposures and secrets breakdown by service for web service access credentials; web service access tokens; web service API keys; and webhook service access keys.
For more insights about today’s news read our new blog post New Secrets Management Capabilities for Mitigating Software Supply Chain Risk.
To learn more about the ReversingLabs Software Supply Chain Security platform and its secrets detection capabilities, visit Detect, Prioritize and Manage Exposed Secrets at ReversingLabs.
ReversingLabs protects the modern enterprise from sophisticated software supply chain security attacks, malware, ransomware, and other threats.
The ReversingLabs Software Supply Chain Security Platform analyzes any file, binary, or software package, including those that evade traditional security solutions. The hybrid-cloud, privacy centric platform democratizes insights across the enterprise, enabling development teams to securely release applications; third-party risk teams to safely procure software; and security operations teams to monitor, isolate and quickly respond to threats.
ReversingLabs data is used by more than 65 of the world's most advanced security vendors and their tens of thousands of security professionals. ReversingLabs enterprise customers span all industries, leveraging integrations with popular DevSecOps and SOC platforms that enable teams to access the analysis they need to make quick security verdicts, eliminate threats, and release software with confidence.