Secrets such as personally identifiable information (PII), passwords, and other sensitive organizational data are embedded in code throughout an organization's software supply chain.
Attackers target these secrets and can locate PII and other organizational secrets whether they are held in a public or a private code repository. Secrets in code across the software supply chain are one of the most prevalent hazards and the cause of some high-profile breaches of cloud-native applications.
Secrets discovered in both public and private repositories
Apiiro's "Secrets Insights Across the Software Supply Chain" analysis looked at over 25,000 repositories from small to large companies to find out what secrets exist in today's code.
According to the analysis, half of all secrets in private repositories are exposed secrets, which become readily available once an attacker gains network access.
The research found that 38% of all secrets are stored in PII repositories. Furthermore, plaintext passwords account for 42% of all disclosed information.
Once these vulnerabilities are detected, the mean time to remediation (MTTR) is 90 days, which shows that secrets languish in source code repositories for months before they are removed, potentially exposing sensitive data.
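A minimal check for the two findings above, plaintext passwords and exposed tokens committed as string literals, as an added example that is not part of Apiiro's report or tooling: it flags literals assigned to credential-like names and long high-entropy literals, run over constructed sample source lines (the variable names, values and threshold are assumptions for illustration).

```python
import math
import re

# Constructed sample source lines (not from the report): a hard-coded plaintext
# password, an API key, a high-entropy token under a bland name, and benign code.
SAMPLE_SOURCE = """\
DB_HOST = "db.internal"
DB_PASSWORD = "Summer2023!"
api_key = "AKIAEXAMPLEPLACEHOLDER0000"
cfg_value = "aB3dE5fG7hJ9kL1mN2pQ4rS6tU8vW0xY"
password = os.environ["DB_PASSWORD"]
retries = 3
"""

# Variable names that commonly carry credentials when assigned a literal.
SECRET_NAME = re.compile(r"(password|passwd|pwd|secret|api[_-]?key|token)", re.I)
# A quoted string literal assigned to a name:  name = "value"  or  name: 'value'
ASSIGNMENT = re.compile(r"""^\s*([A-Za-z_][\w.\-]*)\s*[:=]\s*["']([^"']+)["']""")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; keys and tokens score high, words score low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_source(text: str, entropy_threshold: float = 3.5) -> list[dict]:
    """Return one finding per suspicious literal assignment.

    A literal is flagged when its variable name looks credential-bearing (the
    plaintext-password case) or when the string is long and high-entropy (the
    API-key/token case). Reads from os.environ are not literals and never match.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = ASSIGNMENT.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        if SECRET_NAME.search(name):
            findings.append({"line": lineno, "name": name, "reason": "credential-like name"})
        elif len(value) >= 20 and shannon_entropy(value) >= entropy_threshold:
            findings.append({"line": lineno, "name": name, "reason": "high-entropy literal"})
    return findings


if __name__ == "__main__":
    for finding in scan_source(SAMPLE_SOURCE):
        print(finding)
```

Wired into a pre-commit hook or CI step over the staged diff, this kind of check catches a secret before it lands in the repository rather than months later.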