
Leaked secrets are on the rise – and spreading beyond the code base

Many organizations still treat secrets security as being exclusively about scanning public repositories and code bases for API keys, passwords and tokens.

Collaboration and project management platforms such as Slack, Jira and Confluence have become widespread and largely unmonitored fixtures in corporate environments, making them high-risk zones for leaked credentials. And, as GitGuardian recently showed, secrets exposed in these systems are often more critical and harder to detect than those found in source code.

The lack of built-in scanning in these platforms means that third-party products and awareness training are the best options for mitigating the threat. Here is what you need to know.


Leaked secrets have increased and spread

An analysis of millions of repositories by GitGuardian's researchers revealed a significant, if not unexpected, increase in newly leaked secrets within public GitHub commits in 2024.

The increase matches a broader trend GitGuardian has been tracking for years: steady growth in the accidental exposure of sensitive credentials in public code. More than a third (35%) of the private repositories in the study contained at least one plain-text secret.

For the second time in a row, GitGuardian's researchers also observed an increase in secrets exposed in collaboration and project management tools such as Slack, Jira and Confluence. And 38% of the secrets the company discovered in these tools were critical or urgent, compared with only 31% in source code management tools.

GitGuardian said in a blog post summarizing the results of its research:

“The reality is that secrets are present in every tool that your team touches. Not only code and CI/CD platforms, but their entire digital workspace. Messaging apps, ticketing systems, internal wikis and even container registries are now active battlefields for credential exposure.”

The big leaks exposed

Jira, Atlassian's project management tool, carried the highest risk, with 6.1% of all Jira tickets analyzed by GitGuardian containing at least one secret. GitGuardian attributed this high incidence to the common practice among developers of sharing sensitive credentials in tickets, probably for troubleshooting.

Slack was another major problem area, with secrets frequently shared in real time in messages. And although they were less common, secrets also appeared in Confluence documents often enough to warrant concern.

James McQuiggan, security awareness advocate at KnowBe4, said the risk from collaboration tools is higher than from the code base, particularly because of the relative sensitivity of the secrets.

“Secrets in Slack and Jira are often more critical because they come from operational workflows, and these are the most common tools for project management.”
– James McQuiggan

For example, a Jira ticket can contain a production database password, and a Slack message can contain an admin API credential for a critical integration. Exposed API keys, credentials or tokens can give bad actors direct access to internal systems, which they can use to escalate privileges, move laterally and perform other malicious actions.

Some of the secrets GitGuardian caught, for example, granted access to corporate databases, AWS infrastructure, GitHub Enterprise and artifact storage systems. “These tools capture urgently shared credentials like tokens, keys and passwords that are usually embedded in tickets, chats or documentation and are often tied to privileged systems or third-party providers,” said McQuiggan.

Tools have a big blind spot

What makes things worse is that the most commonly used project management and collaboration platforms lack built-in mechanisms for detecting and removing secrets, a protection that many source code management systems offer.

In addition, the secrets GitGuardian found in these collaboration tools were different and unique, such as complete SSH keys in Slack messages, which made them harder to find with standard scanning.

Ensar Seker, CISO at SOCRadar, said platforms such as Slack, Jira and Confluence have evolved from simple productivity tools into core components of the modern software development lifecycle. What makes these platforms so risky is their informality and ubiquity, Seker said.

“[While] they have accelerated collaboration, they have also introduced new blind spots for security teams, especially in the context of secrets management. Teams often share API keys, credentials, internal tokens and configuration details in real time during debugging or incident response.”
– Ensar Seker

Unlike secrets in source code, secrets in collaboration and productivity tools are shared live, across roles and often never revoked. They are typically environment-specific, privileged, actively in use and neither stale nor expired. Developers often share these secrets with several people, Seker said. And security tooling is usually optimized for code repositories rather than communication platforms, which leaves a coverage gap.

“Security teams now have to defend two parallel channels: structured, scanned code bases and unstructured, dynamic collaboration flows.”
– Ensar Seker

Third-party tools for real-time secrets detection

Unfortunately, many of the tools developers use for collaboration, such as chat, project tracking and documentation platforms, have no built-in functions for detecting and alerting on exposed API keys, passwords, tokens and other secrets.

Some platforms, such as Microsoft Purview for Teams and SharePoint, offer basic data loss prevention (DLP) functions. However, these tools often lack the automated scanning, real-time alerting and automated policy enforcement needed to mitigate the threat of secrets exposure through collaboration platforms, said Rom Carmel, co-founder and CEO of Apono.

“The unstructured nature of secrets in collaboration tools makes them difficult to detect with conventional scanning methods.”
– Rom Carmel

To close the gap, organizations should consider using in-house tools, DLP products and automated mechanisms for enforcing security policies on collaboration platforms, said Carmel.
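As an added illustration of the scanning gap described above (example code written for this page, not GitGuardian's, Atlassian's or any vendor's), a small Python detector run over a constructed export of Slack, Jira and Confluence records. It scans each message body as a whole, so a multi-line SSH key pasted into one chat message is caught, and tags each finding with its source and a severity label; the record shape, the sample values and the severity mapping are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Rules for secrets typically pasted into unstructured collaboration content.
# Severity labels are an assumption for this example, not GitGuardian's own
# classification. re.S lets the private-key rule span a multi-line paste.
RULES = {
    "aws_access_key_id": (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "critical"),
    "private_key_block": (re.compile(
        r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S), "critical"),
    "password_assignment": (re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*\S{8,}"), "high"),
}

@dataclass
class Finding:
    source: str    # "slack", "jira" or "confluence"
    ref: str       # channel, ticket or page identifier
    rule: str
    severity: str
    preview: str   # redacted fragment, so the alert itself does not re-leak the secret

def redact(secret: str) -> str:
    """Keep only a short prefix of the first line of the matched value."""
    return secret.splitlines()[0][:6] + "..."

def scan_record(record: dict) -> list[Finding]:
    """Scan one exported record; the whole body is scanned, not line by line."""
    findings = []
    for name, (pattern, severity) in RULES.items():
        for match in pattern.finditer(record["text"]):
            findings.append(Finding(record["source"], record["ref"], name,
                                    severity, redact(match.group(0))))
    return findings

def scan_export(records: list[dict]) -> list[Finding]:
    return [f for record in records for f in scan_record(record)]

# Constructed sample export (hypothetical shape: source, ref, text). The AWS
# key is AWS's documented placeholder; the SSH key body and ticket id are made up.
SAMPLE_EXPORT = [
    {"source": "slack", "ref": "#ops-incidents", "text":
     "deploy box creds: AKIAIOSFODNN7EXAMPLE and the key:\n"
     "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA(constructed)\n"
     "-----END OPENSSH PRIVATE KEY-----"},
    {"source": "jira", "ref": "OPS-1234", "text":
     "DB connection failing in prod. Use password: Pr0d-db-s3cret! to reproduce."},
    {"source": "confluence", "ref": "Runbook/DB", "text":
     "Rotate credentials quarterly; the password policy requires 14 characters."},
]
```

Running `scan_export(SAMPLE_EXPORT)` yields two critical findings for the Slack message and one high finding for the Jira ticket, and nothing for the Confluence page, whose mention of "password policy" carries no value.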

With Atlassian's “Security in Jira” feature, users can connect security tools to centralize vulnerability management and potentially search for secrets within Jira. Carmel said such integrations are very helpful.

“Collaboration platform providers should [also] integrate advanced security functions, work with third-party security tools, offer training resources and implement automatic measures to prevent leaks, to support companies in securing sensitive credentials.”
– Rom Carmel

Developer awareness and training are essential

Secrets exposure in software environments often stems from a lack of awareness and training among developers. Many work under tight delivery deadlines and unknowingly hardcode passwords, API keys, tokens and other sensitive data in code that they later commit to public repositories. According to McQuiggan of KnowBe4, training and proper awareness of exposure risk among software development teams are essential.

“People do not leak secrets out of malicious intent. Organizations should educate their users to help them understand the risk, provide alternatives, and demonstrate and reinforce safe behaviors.”
– James McQuiggan

Development teams have to understand that Slack is not a vault and Jira is not a secure notes app, said SOCRadar's Seker. The best technology in the world will not help if developers, DevOps and support engineers do not understand the risks of casually sharing credentials. “This means continuous, context-specific training that ideally uses real examples from red team simulations or earlier incidents,” he said.

Native support for secrets scanning is required

Jason Soroko, senior fellow at Sectigo, said collaboration platform providers can play their part by integrating native functions for scanning and alerting on secrets. They should also offer settings that let companies configure tighter security and better API integrations. “Improving platform security in this way is important to counter the expanding risk associated with companies' growing use of these tools,” said Soroko.

Slack, Atlassian and other providers of collaboration and productivity platforms must recognize that they are now part of the enterprise threat surface, said Seker. And that brings a responsibility to support security as a first-class feature.

“We are far beyond the point where ‘DevSecOps’ only covers source code. Today it is about ‘CollabSecOps’, securing the entire spectrum of developer and IT collaboration tools, because that is where modern software and modern risk live.”
– Ensar Seker

*** This is a Security Bloggers Network syndicated blog from Blog (Main), written by Jai Vijayan. Read the original post at:
