A global survey of 1,000 IT leaders from organizations with more than 500 employees published today finds that 79% have experienced or are aware of secrets leaking within their organization. Nevertheless, three-quarters (75%) expressed moderate to high confidence in their organization’s ability to detect and prevent hardcoded secrets in source code.
Conducted by GitGuardian in collaboration with CyberArk, the survey finds on the plus side that 77% of respondents work for organizations that are currently investing in or planning to invest in secrets management tools by 2025, with 75% focusing on secrets detection and remediation tools.
Overall, the survey finds that 74% of respondents have implemented at least a partially mature strategy to prevent secret leaks. However, 23% still rely on manual reviews or lack a defined strategy, the survey finds.
Thomas Segura, a technical engineer for GitGuardian, said the biggest issue organizations encounter when it comes to managing and securing secrets is that they can be found everywhere. Cybercriminals, meanwhile, have become more adept at scanning for them, so the number of incidents in which application environments are compromised using stolen credentials is increasing, he noted.
Chris Smith, director of product marketing for CyberArk, a provider of a privileged access management (PAM) platform, added that there are now also many types of human and machine identities that, once compromised, can provide access to a wide range of applications and services as cybercriminals steadily escalate the privileges they have stealthily gained. In some cases, cybercriminals observe IT environments for months to determine how to inflict the most damage possible.
The best way to combat those potential threats is to first ensure secrets are encrypted in a vault, and then have a set of processes in place to ensure those secrets are regularly rotated in case they might have been previously compromised, said Smith.
Overall, the survey finds that respondents rotate 36% of their secrets on an annual basis. That pace of rotation, however, might not be frequent enough and, of course, means that 64% of respondents are not nearly as diligent.
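The two controls discussed above, detecting hardcoded secrets in source code and checking that stored secrets are rotated on schedule, can both be reduced to small, testable checks. The following is an added example written for this article; it is not GitGuardian's or CyberArk's code, and the sample source lines, secret inventory, entropy threshold and 90-day rotation policy are all constructed for illustration.

```python
"""Toy hardcoded-secret scanner and rotation-age check (added example).

Not GitGuardian's or CyberArk's code. The sample lines, inventory, entropy
threshold and rotation window below are constructed for illustration.
"""
import math
import re
from collections import Counter
from datetime import date

# Known-format credential patterns (only formats whose shape is public).
KNOWN_FORMATS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# Generic "secret-looking name = 'value'" assignment. Group 1 is the variable
# name, group 2 the quoted value (at least 8 characters); the value's entropy
# decides whether the line is reported.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)(\w*(?:password|passwd|secret|token|api[_-]?key)\w*)"
    r"\s*[:=]\s*[\"']([^\"']{8,})[\"']"
)
ENTROPY_THRESHOLD = 3.0  # bits per character; constructed policy value

# Constructed source lines standing in for a repository snapshot. The AWS key
# is the example value from AWS documentation, not a live credential.
SAMPLE_SOURCE = [
    'DB_HOST = "db.internal.example"',
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    'api_token = "f8e2c1a9b7d64e3f90a1c2b3d4e5f6a7"',  # constructed, high entropy
    'password = "changeme"',  # constructed placeholder, low entropy
    'LOG_LEVEL = "debug"',
]


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character of `value` (0.0 for an empty string)."""
    if not value:
        return 0.0
    counts = Counter(value)
    length = len(value)
    return -sum((n / length) * math.log2(n / length) for n in counts.values())


def _finding(lineno: int, kind: str, value: str) -> dict:
    # Report only a prefix so the finding itself does not re-leak the secret.
    return {"line": lineno, "kind": kind, "value_prefix": value[:4] + "..."}


def scan_lines(lines):
    """Return findings for lines that look like hardcoded secrets.

    Known-format keys are reported on shape alone; generic assignments are
    reported only when the value's entropy crosses ENTROPY_THRESHOLD, which
    keeps obvious placeholders such as "changeme" out of the report.
    """
    findings = []
    for lineno, line in enumerate(lines, start=1):
        matched = False
        for kind, pattern in KNOWN_FORMATS.items():
            m = pattern.search(line)
            if m:
                findings.append(_finding(lineno, kind, m.group(0)))
                matched = True
        if matched:
            continue  # avoid double-reporting the same line
        m = GENERIC_ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
            findings.append(_finding(lineno, "high_entropy_assignment", m.group(2)))
    return findings


# Constructed vault inventory: secret name -> date of last rotation.
SAMPLE_INVENTORY = {
    "payments-db-password": date(2023, 1, 15),
    "ci-deploy-token": date(2023, 11, 1),
}
TODAY = date(2023, 12, 1)  # fixed "today" so the example is reproducible


def overdue_secrets(inventory, today, max_age_days=90):
    """Names of secrets whose last rotation is older than the policy allows."""
    return sorted(
        name
        for name, last_rotated in inventory.items()
        if (today - last_rotated).days > max_age_days
    )


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['kind']} ({f['value_prefix']})")
    print("overdue for rotation:", overdue_secrets(SAMPLE_INVENTORY, TODAY))
```

Run as a script it lists the two suspicious lines (the AWS-format key and the high-entropy token) and the one secret that has gone more than 90 days without rotation. The entropy gate is what separates a real-looking token from a placeholder, and the known-format patterns catch keys whose value may be low-entropy but whose prefix is unmistakable.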
In total, just under a third of respondents (32%) admitted that hardcoded secrets represent a risk to their software supply chain.
Additionally, 43% of respondents are concerned about the potential of increased leaks in codebases as cybercriminals begin to employ artificial intelligence (AI) to identify and reproduce patterns in the way secrets are being created, configured and stored.
In the meantime, when there is a breach, the survey finds the average time to remediate a leaked secret is 27 days, so even after a leak is discovered there is still a significant window for cybercriminals to wreak havoc.
Hopefully, as organizations invest more in DevSecOps tools and platforms, the overall state of API security will improve. A Techstrong Research survey finds that less than half (47%) of respondents work for organizations that regularly employ DevSecOps best practices. On the plus side, a full 59% of respondents said they are also making further investments in application security, with 19% describing their investment level as high.
The challenge, as always, is making sure those investments are applied in a way that ensures the maximum application security benefit for all concerned.