Secrets Sprawl On GitHub: What It Means For MSPs

By Thomas Segura, GitGuardian

Secrets are digital authentication credentials (API keys, certificates, tokens, etc.) that are used in applications, services or infrastructures. Developers working with code will often keep keys and passwords for various resources in an insecure location to make it easier to change the code but doing so often results in the information mistakenly being published.

In its latest state of secrets sprawl report, GitGuardian details how they found more than 6 million such secrets exposed on public GitHub in 2021 alone, doubling the number from the previous year. Many of these credentials are unfortunately valuable corporate secrets that represent a serious cyber threat.

This article focuses on one type of company that is especially at risk: Managed Service Providers. In recent years, resorting to MSPs has become very popular for companies wanting to accelerate the digitization of their businesses. With this surge in popularity MSPs are broadening their range of responsibilities and now face the question: how to ensure we can meet our cybersecurity responsibilities?

The State Of Secrets Sprawl On GitHub

Secrets are everywhere in the modern development life cycle: they are used in production but also on build servers and local developers’ machines. In recent years the number of building blocks making up an application (including build tools) has massively increased. It’s not uncommon today to find that a web server is requiring a managed database, SaaS applications, open-source components, backend microservices, and cloud infrastructure to be production-ready.

Taking into account the fact that GitHub, the most popular code-sharing platform, is expanding at a fast rate (+25% repositories created in 2021), it is not surprising to see that the number of secrets leaked by mistake is soaring: on average, 3 commits out of 1,000 exposed at least one secret in 2021, a 50% increase compared to 2020.

A common misconception about leaks is that they happen because developers are not careful enough. The report brings another light on this by showing how leaks are proportional to user adoption of a given service, meaning that secrets sprawl should be considered an organic phenomenon. Simply put, errors are human. Leaked secrets, in particular, are more persistent than other types of vulnerabilities because of certain characteristics making them harder to find and remediate.

What Does It Mean For MSPs?

Managed service providers often employ hundreds or even thousands of developers. More developers mean more services, more DevOps teams, more secrets, eventually, more hardcoded secrets.

Here is the point: even if your organization doesn't do open source, chances are your developers do. An organization does not need to have an official presence on GitHub to be vulnerable!

In theory, MSPs are familiar with security because they provide IT services and support to their customers and are therefore responsible for ensuring that IT security is implemented. But the reality is quite different: a recent survey by LogicMonitor, The next-gen managed service provider, revealed that 80% of customers had been affected by cyberattacks and that MSPs admitted they were “not very confident” in their ability to successfully address a cyber attack.

They can hardly be blamed though: the development life cycle in the software world has evolved into a very complex supply chain involving a lot of different third parties. Security needs to be enforced on a much larger attack surface than it used to be. In fact, software supply chains may be the top security priority right now for software companies (basically, every company).

Failing to assess the threats existing out on the open internet and manage their exposure could represent an existential risk to MSPs. From a reputational point of view, a leaked credential on GitHub giving access to customer data (including source code), services, or any kind of infrastructure could be one of the worst scenarios.

Even if it’s not for gaining initial access, looking for credentials in source code history is part of most hackers’ playbooks. Secrets could also be used to tamper with MSPs software and transform it into an attack vector to affect hundreds of customers at once, as in seen the 2021 Kaseya and SolarWinds supply chain attacks. These risks alone should be enough to alert to the need to take preventive measures now.

Staying Ahead Of The Curve

As the saying goes, prevention is better than cure. MSPs are starting to build cyber resiliency plans to address cyber security issues but to be effective the first step is to map their attack surface.

This includes setting up a dynamic perimeter including every developer and monitoring all their public activities, even on personal GitHub repositories. Remember that GitHub is quite unique in the sense that developers can (and many do in fact) use the same account for their personal and professional work.

But GitHub is hardly the only place to be concerned. In their report, GitGuardian also conducted an investigation on Docker images, showing that almost 5% of all images expose at least one secret, and the more layers your image has, the more likely there is to be a secret. It means that to comprehensively secure the software development life cycle, the problem needs to be tackled at multiple levels.

Building a layered defense all across the development life cycle with detection and remediation capabilities is beyond the scope of this article. But since MSPs will have to adapt to customers who are increasingly concerned about their IT cyber resilience, this topic will inevitably become strategic for the deployment of secure services in the future.

In addition, cybersecurity compliance frameworks such as NIST SSDF or Google’s SLSA are being consolidated and will be requiring security to be baked in from the start in IT products in the coming years. NIST, under Executive Order (EO) 14028, has launched an initiative to define minimum testing standards for software vendors or developers, in which they include performing static analysis to find hardcoded secrets.

Conclusion

MSPs will have a big role in securing IT operations in the coming years. This is why they should be aware that the more developers they manage, the bigger their footprint on GitHub. And that far from being innocuous, secrets exposed in code-sharing platforms are being actively searched and leveraged by attackers, as demonstrated by various breaches play-by-plays in the past. Leaked secrets can impact not only a single organization but can have a cascading effect across users and customers, which is why they should be considered a top priority by MSPs. The stakes are high, and it’s time to take action. Investing in security and protective monitoring, evangelization and training products is the best way to hedge against cyber threats. Failure to do so may result in damages being brought against them.

About The Author

Thomas Segura has worked both as an analyst and as a software engineer consultant for various big French companies. His passion for tech and open source led him to join GitGuardian as technical content writer. He focuses now on clarifying the transformative changes that cybersecurity and software are going through.