The Key To Managing Secrets in Code

Software development has fundamentally changed – and security experts need to change with it. Engineers no longer write code in isolation on desktops or laptops, where an attacker compromising a device could only access locally-stored files.

Cloud-based development has transformed the security model so developers often have expanded access to the entire application. With the rise of DevOps, the same developers (and developer identities) have the ability to make changes to production environments. A single compromised identity can now have a catastrophic impact on the security of the entire application and infrastructure.

Secrets detection now needs to be a foundational part of any Application Security program.

Finding secrets in code sounds simple. Just look for field names like “password”, “token”, or “API_Key”. Maybe dig a little deeper to search for commonly-used passwords or look for randomlygenerated strings of specific lengths.

Unfortunately, there is a lot of nuance and complexity to both understanding the impact of secrets in code, detecting them in the first place, and not being overwhelmed with endless false-positives but the key to managing secrets in code is context.