Modern software and development relies on secrets (access keys, API tokens and confidential information) to function properly. With hundreds of independently developed components (open source, third-party and proprietary) making up an application, it’s no surprise that secrets detection is overwhelming application development and security teams with false positives and other results that are not actionable.
As software supply chain breaches using compromised credentials increase, so too does the need to improve how risks are assessed for efficient and effective remediation. The challenge is that actionable controls require both detection and intelligence to provide additional context for risk-based prioritization to effectively reduce secrets leakage and manage supply chain risk.
With our new capabilities, ReversingLabs is giving developers and application security teams something that other offerings don’t: broader visibility into software supply chain risks and data-driven prioritization to automatically suppress third-party secrets and other false positive results.
-1400x732.jpg&w=3840&q=75)
Scanners that detect hundreds or thousands of secrets in software create an enormous amount of triage work to weed out third-party secrets and other false positives that are not actionable by their developers and DevOps teams.
The only way to save countless hours of triage and/or unnecessary remediation is to use additional context gained from previously exposed secrets to determine if a detected secret requires remediation and adjust its prioritization.
There are several ways secrets in software can remain undetected by code scanning at the Commit or Pull Request. Software binaries containing secrets can be added without declaration on build manifests. Sensitive information unique to your organization (e.g., proprietary code, debug files, intellectual property) can be hidden in files, archives and other artifacts during release packaging.
Whether it is a 1MB software library or a 10GB software container, analyzing binaries with customized detection rules provides a more comprehensive view of secrets leaked by:
• Build or packaging mistakes
• Shortcuts taken
• Compromised accounts or malicious insiders
Integrating customizable blocking policies into code testing, build pipelines and packaging workflows gives you controls to:
• Block high-risk, hard-coded secrets, internal passwords, and private keys before they reach production or customer environments
• Leak canary secrets useful to security teams for intrusion detection
Actionable controls for managing software supply chain risks by keeping secrets in software secret
Integrate automated discovery of 250+ secret types (API keys, encryption keys, tokens, passwords etc.) to prevent future supply chain attacks
Find secrets anywhere in builds, releases, containers – your code, open source, 3rd party, commercial and other files (installers, scripts, documentation, images, file archives etc.)
Identify and suppress commonly found false positives with our unique file intelligence, so you focus on remediating actual risks
Know when secrets were exposed in public domain, and determine if immediate rotation is required to lower risks
Suppress alerts about secrets intentionally leaked to aid CI/CD intrusion detection and fail builds if canary tokens are absent
Define secrets specific to your organization to avoid leaking intellectual property (e.g. proprietary source code, debug files, unique data strings, etc.)
