Uncovering Secrets in Code—A Case Study

Secrets such as API keys, tokens or passwords are frequently left in code. These secrets are fundamental to productivity in our collaborative and complex software development cycle. But if they aren’t handled properly, they can put an entire infrastructure at risk. 

In a recent academic research project, researchers found that thousands of secrets are actually leaked every day. Hackers have realized these secrets are a treasure trove for their efforts, as they can frequently unlock systems upstream and downstream from the code itself.

BluBracket recently undertook a detailed analysis of code repositories of a Fortune 100 company to identify secrets, as well as to understand the strengths and limitations of open source secret handling tools. We found that the number of secrets found was significant, but most importantly, the right secrets were found.

The open source scanning tools, especially TruffleHog, found hundreds of thousands of secrets in the same repositories. The only problem? The vast majority were false positives. In security, false positives mean security or engineering teams either can’t find or end up ignoring actual security vulnerabilities because of all the noise, or they spend far too much time and energy sorting through the noise to get to the actual risks. Unlike the open source tools, BluBracket suppressed thousands of these false positive secrets and delivered them in an easily understandable, actionable form.

BluBracket analyzed 132 public repositories from a Fortune 100 company in GitHub and found:

  • 17 Keys/Tokens with High Confidence Rating (out of a total of 1229 secrets found)
  • 1229 Secret/token Types Identified
    • 1015 Password Assignments
    • 105 AWS Access Key IDs
    • 72 Credential Assignments
    • 20 Google API Keys
    • 16 Private Keys
  • 7 Repositories Contained Secrets
  • 52 Developers

In contrast, the open source tool TruffleHog found over 127,000 false positive GitHub secrets in the exact same repositories, without any distinction of high or low confidence, making the result essentially useless for the security or development teams responsible for securing the systems. Other tools like GitLeaks suffer from the same issues. Many of the false GitHub secrets identified by TruffleHog were actually dependency declarations and not vulnerabilities at all. 

Why are the differences so stark between BluBracket and open source scanning tools? One reason is our advanced methodology for secret detection. 

The BluBracket methodology for secret detection:

  • Monitors 50+ most common secret types automatically
    • Ability to also define custom regular expressions
    • Ability to look for password/credentials
  • Comprehensive scan of all new commits and historical commits
  • Scans commits in 2 phases:
    • Phase I – Regular Expressions
    • Phase II – Deeper Scan to exclude additional false positives
      • Dictionary of Keywords (eliminate example secrets)
      • Tag/Enrich Secrets
      • Elevate secrets committed by developers within the organization(s)
  • Creates unique hashes for secrets and eliminates duplicates
  • Implements a robust rules engine, furthering admins’ ability to eliminate false positives
  • Identifies secrets that have leaked into open source
  • Scans developer contributions to other public repositories
  • Deep links to the exact file/line of code
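
The two-phase flow in the list above, as an added example that is not BluBracket's code: Phase I applies regular expressions, Phase II drops example secrets with a keyword dictionary, merges duplicates by hash, tags a confidence level and keeps file/line locations. The patterns, keyword list and confidence rule are simplified assumptions, and the sample files are constructed.

```python
import hashlib
import re

# Phase I patterns: simplified assumptions, not BluBracket's rule set.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "google_api_key": re.compile(r"\b(AIza[0-9A-Za-z_\-]{35})\b"),
    "password_assignment": re.compile(
        r"(?:password|passwd|pwd)\s*[:=]\s*[\"']([^\"']{4,})[\"']", re.I),
}
# Phase II dictionary: a value containing one of these is an example secret.
EXAMPLE_KEYWORDS = ("example", "changeme", "dummy", "placeholder", "xxxx")
HIGH_CONFIDENCE = {"aws_access_key_id", "google_api_key"}

def phase1(path, text):
    """Regex pass: yield one raw candidate per pattern hit, with file/line."""
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                yield {"type": kind, "value": m.group(1), "file": path, "line": lineno}

def phase2(candidates):
    """Drop example secrets, merge duplicates by hash, tag confidence."""
    findings = {}
    for c in candidates:
        if any(k in c["value"].lower() for k in EXAMPLE_KEYWORDS):
            continue  # dictionary hit: documentation or placeholder value
        # Store only the hash, so the report does not re-leak the secret.
        digest = hashlib.sha256(c["value"].encode()).hexdigest()
        finding = findings.setdefault(digest, {
            "type": c["type"], "hash": digest, "locations": [],
            "confidence": "high" if c["type"] in HIGH_CONFIDENCE else "low"})
        finding["locations"].append(f'{c["file"]}:{c["line"]}')
    return list(findings.values())

def scan(files):
    """Run both phases over {path: text}; return (raw hits, findings)."""
    raw = [c for path, text in files.items() for c in phase1(path, text)]
    return raw, phase2(raw)

# Constructed sample input; none of these values are real credentials.
SAMPLE = {
    "deploy.py": 'AWS_KEY = "AKIAQ7ZK2M4T9XW3LP6B"\npassword = "changeme"\n',
    "README.md": "export AWS_KEY=AKIAIOSFODNN7EXAMPLE\n",
    "ci/run.sh": 'AWS_KEY=AKIAQ7ZK2M4T9XW3LP6B\nDB_PASSWORD="s3cr3t-Pr0d!"\n',
}

if __name__ == "__main__":
    for f in scan(SAMPLE)[1]:
        print(f["confidence"], f["type"], f["hash"][:12], f["locations"])
```

On the sample, five raw regex hits reduce to two findings: the placeholder password and the documentation-style key are dropped, and the key committed in two files is reported once with both locations.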

There are six key advantages of a solution like BluBracket vs an open source secret scanning tool: 

  1. UI. The BluBracket CodeInsights tool makes use of a graphical UI to present the secrets in an easily viewable and reportable form. This makes it much easier to bridge the gap between developers and security teams. BluBracket also has APIs for customers who prefer to leverage their existing solutions like Splunk. 
  2. Continuous Monitoring. BluBracket does continuous monitoring of repositories, while most tools just do a one-time scan of the current code. BluBracket does an initial scan and then continues to monitor repositories and find new secrets. Some customers use the open tools to repeat the one-time scan and try to determine a difference between the last time they scanned – but unless they are running their scan continuously there may be a gap in time where their secrets are exposed.
  3. Engineering Resources & Cost. Open source tools require engineering resources to maintain and make use of the logs. Paying an engineer to maintain and utilize these tools can easily amount to six figures, when all expenses are taken into account. 
  4. Coverage. Open source code scanning tools do not include key secret categories like passwords. 
  5. Self Learning. A vendor like BluBracket is focused 100% on improving and maintaining its solution, ensuring new secret types are constantly being added. BluBracket has a rules engine that allows it to constantly learn false positives and refine its monitoring ability to zero in on true threats.
  6. Comprehensive Code Security. Code scanning is just one part of the value of the BluBracket CodeSecurity Suite. Instead of implementing multiple point tools that need to be integrated and maintained, BluBracket delivers a comprehensive solution for code security, including full discovery, classification and alerting on multiple vulnerability types including misconfigurations, open source and permissive access. 

The focus of a vendor like BluBracket is 100% code security. Its entire team is dedicated to constantly improving the functionality and coverage of the product to ensure companies are secure and in compliance with their code assets.

If you’d like to evaluate the Code Security Suite and find your secrets in code or other vulnerabilities, please contact us.

If you’d like to learn more about the top security risks from code, please download our white paper. 
