Tale of Secrets in Code Repository
Abstract
The widespread practice of storing secrets such as passwords, cryptographic keys, and API keys in source code repositories presents significant security risks to organizations. Malicious actors can exploit such secrets to gain unauthorized access to systems and data. In this paper, I present a short chronology of past incidents and survey the techniques and tools available for identifying and securing secrets in source code. I propose a two-phase approach: detection of secrets in source code repositories, followed by their secure management. The detection phase uses static code analysis built on open-source tools to identify secrets; the management phase suggests best practices for securely storing and accessing secrets in applications. I evaluate the approach on a set of open-source projects and demonstrate its effectiveness in detecting secrets and preventing their exposure. The results show that the approach can significantly reduce the risk of secret leakage in source code repositories.

Speaker Bio
Liem Nguyen is an Application Security Specialist at Sportsbet, where he helps developers build applications. He has previously worked as a Consultant with Accenture, delivering projects for various organizations in the government sector. Despite working within the Cyber Security industry, Liem has a Science and Mathematics background. He started his journey as a SOC analyst and slowly transitioned into Penetration Testing before deciding to specialize in Application Security. Liem's key motivation for Application Security is to help push security left and introduce automation into the software development life cycle.
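The detection phase sketched in the abstract above, as an added example that is not the speaker's own tool or the output of any tool named in the talk: a small scanner that combines provider-specific token signatures with a Shannon-entropy heuristic on generic "name = literal" assignments, run over constructed source lines. The token values, the `PLACEHOLDER_MARKERS` list and the `ENTROPY_THRESHOLD` setting are illustrative assumptions, not values taken from the talk.

```python
"""Toy secret scanner illustrating the detection phase: provider-specific
regex signatures plus a Shannon-entropy heuristic for generic assignments.

Added example for the abstract above, not the speaker's tool. Every token
and every source line below is constructed for illustration.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Provider-specific token shapes. Prefixes and lengths follow the publicly
# documented formats; the values they match in SAMPLE_SOURCE are made up.
SIGNATURES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Generic "<secret-ish name> = <literal>" assignment, language-agnostic.
# Only literal values count: os.environ[...] or a function call never matches.
ASSIGNMENT = re.compile(
    r"(?i)\b(?P<name>[a-z0-9_\-.]*(?:secret|passw(?:or)?d|token|api[_\-]?key))\b"
    r"\s*[:=]\s*['\"]?(?P<value>[A-Za-z0-9+/=_\-]{12,})['\"]?"
)

# Substrings that mark an obvious placeholder rather than a real credential (assumed list).
PLACEHOLDER_MARKERS = ("changeme", "example", "placeholder", "your_", "xxxx", "dummy")

# Bits per character below which a literal is treated as a word, not a key.
# Random hex tops out at 4.0 and random base64 near 6.0, so 3.5 catches both
# while leaving ordinary identifiers (roughly 3.0 or less) alone. Assumed value.
ENTROPY_THRESHOLD = 3.5


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    value: str
    entropy: float


def shannon_entropy(s: str) -> float:
    """Shannon entropy of the string in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_lines(lines, threshold: float = ENTROPY_THRESHOLD):
    """Return a Finding for every line that looks like it carries a secret."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        # Phase 1: exact token shapes. Flagged regardless of entropy.
        hits = [
            Finding(line_no, kind, m.group(0), round(shannon_entropy(m.group(0)), 2))
            for kind, rx in SIGNATURES.items()
            for m in rx.finditer(line)
        ]
        if hits:
            findings.extend(hits)
            continue  # a specific signature beats the generic heuristic; no double report

        # Phase 2: generic assignment, gated by the placeholder filter and entropy.
        m = ASSIGNMENT.search(line)
        if not m:
            continue
        value = m.group("value")
        if any(marker in value.lower() for marker in PLACEHOLDER_MARKERS):
            continue
        ent = shannon_entropy(value)
        if ent >= threshold:
            findings.append(Finding(line_no, "high_entropy_assignment", value, round(ent, 2)))
    return findings


# Constructed source lines standing in for a repository checkout.
SAMPLE_SOURCE = [
    'aws_access_key_id = "AKIAZZZZ1234ABCD5678"',                  # made-up, key-ID shape
    'DB_PASSWORD = "changeme-please"',                              # placeholder, must stay quiet
    'api_key = os.environ["API_KEY"]',                             # read at runtime, must stay quiet
    'token = "Zq8vB3nL0kT9xR2mW7yP4sD6"',                           # made-up random literal
    'GITHUB_TOKEN = "ghp_abcdefghijklmnopqrstuvwxyz0123456789"',   # made-up, PAT shape
    '-----BEGIN RSA PRIVATE KEY-----',                             # key material in source
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_SOURCE):
        # Never echo the full value into logs or CI output; show a prefix only.
        print(f"line {f.line_no}: {f.kind} ({f.entropy} bits/char) {f.value[:6]}...")
```

Running the block on the constructed checkout flags lines 1, 4, 5 and 6 and stays quiet on the placeholder and on the `os.environ` lookup, which is the management-phase pattern the abstract recommends: the secret lives outside the repository and is read at runtime. Two blind spots worth knowing before relying on a heuristic like this: a spaced passphrase or a secret assembled by string concatenation never reaches the entropy check, and a secret that was committed and later deleted is still present in git history, so a scanner should walk the history (as open-source tools such as gitleaks, trufflehog and detect-secrets do) and run as a pre-commit hook and in CI, not only on the working tree.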