What are the Practices for Secret Management in Software Artifacts?

2022 IEEE Secure Development Conference (SecDev) Pub Date : 2022-08-24 DOI:10.1109/SecDev53368.2022.00026

S. Basak, L. Neil, Bradley Reaves, L. Williams

{"title":"What are the Practices for Secret Management in Software Artifacts?","authors":"S. Basak, L. Neil, Bradley Reaves, L. Williams","doi":"10.1109/SecDev53368.2022.00026","DOIUrl":null,"url":null,"abstract":"Throughout 2021, GitGuardian's monitoring of public GitHub repositories revealed a two-fold increase in the number of secrets (database credentials, API keys, and other credentials) exposed compared to 2020, accumulating more than six million secrets. A systematic derivation of practices for managing secrets can help practitioners in secure development. The goal of our paper is to aid practitioners in avoiding the exposure of secrets by identifying secret management practices in software artifacts through a systematic derivation of practices disseminated in Internet artifacts. We conduct a grey literature review of Internet artifacts, such as blog articles and question and answer posts. We identify 24 practices grouped in six categories comprised of developer and organizational practices. Our findings indicate that using local environment variables and external secret management services are the most recommended practices to move secrets out of source code and to securely store secrets. We also observe that using version control system scanning tools and employing short-lived secrets are the most recommended practices to avoid accidentally committing secrets and limit secret exposure, respectively.","PeriodicalId":407946,"journal":{"name":"2022 IEEE Secure Development Conference (SecDev)","volume":"9 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2022-08-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"4","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2022 IEEE Secure Development Conference (SecDev)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/SecDev53368.2022.00026","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 4

Abstract

Throughout 2021, GitGuardian's monitoring of public GitHub repositories revealed a two-fold increase in the number of secrets (database credentials, API keys, and other credentials) exposed compared to 2020, accumulating more than six million secrets. A systematic derivation of practices for managing secrets can help practitioners in secure development. The goal of our paper is to aid practitioners in avoiding the exposure of secrets by identifying secret management practices in software artifacts through a systematic derivation of practices disseminated in Internet artifacts. We conduct a grey literature review of Internet artifacts, such as blog articles and question and answer posts. We identify 24 practices grouped in six categories comprised of developer and organizational practices. Our findings indicate that using local environment variables and external secret management services are the most recommended practices to move secrets out of source code and to securely store secrets. We also observe that using version control system scanning tools and employing short-lived secrets are the most recommended practices to avoid accidentally committing secrets and limit secret exposure, respectively.

查看原文本刊更多论文

软件工件中的秘密管理实践是什么?

在整个2021年，gi卫报对公共GitHub存储库的监控显示，与2020年相比，暴露的秘密(数据库凭据、API密钥和其他凭据)数量增加了两倍，累积了超过600万个秘密。管理秘密的实践的系统派生可以帮助从业者进行安全开发。我们论文的目标是通过在互联网工件中传播的实践的系统派生来识别软件工件中的秘密管理实践，从而帮助从业者避免秘密的暴露。我们对互联网工件进行灰色文献回顾，例如博客文章和问答帖子。我们确定了由开发人员和组织实践组成的6个类别中的24个实践。我们的研究结果表明，使用本地环境变量和外部秘密管理服务是最推荐的将秘密移出源代码并安全地存储秘密的做法。我们还观察到，使用版本控制系统扫描工具和使用短期秘密是最推荐的做法，以避免意外提交秘密和限制秘密暴露。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2022 IEEE Secure Development Conference (SecDev)

自引率

0.00%

发文量