Secrets in code management

Paul Sawyers for VentureBeat:

Recent data from GitGuardian, a cybersecurity platform that helps companies find sensitive data hidden in public codebases, revealed a 20% rise in secrets inadvertently making their way into GitHub repositories. If this data falls into the wrong hands, it can be used to gain access to private internal systems. By way of example, Uber revealed a major breach back in 2017 that exposed millions of users’ personal data. The root cause was an AWS access key hackers discovered in a personal GitHub repository belonging to an Uber developer.

There has been a flurry of activity across the secrets management space of late. Israeli startup Spectral recently exited stealth with $6.2 million in funding to serve developer operations (DevOps) teams with an automated scanner that finds potentially costly security mistakes buried in code. San Francisco-based Doppler, meanwhile, last month raised $6.5 million in a round of funding led by Alphabet’s venture capital arm GV and launched a bunch of new enterprise-focused features.

One reason I am linking to this “enterprise” angle is the eventual shift of 1Password from the consumer space to managing passwords at scale. As the excerpt above suggests, leaked secrets are a serious issue. Healthcare data is critical (especially when it is held at scale), and it is essential to safeguard it from hackers. Of course, data aggregation and “on-premises” deployed applications will always require source audits, which pushes up the costs even more. No system is foolproof; each needs several layers of risk mitigation, and scanning code for secrets before it reaches a repository is only one of them.
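The scanners mentioned in the excerpt work on two ideas: matching known credential formats (an AWS access key ID always starts with `AKIA` followed by 16 upper-case alphanumerics) and flagging strings whose character distribution is too random to be ordinary code. The following is an added, self-contained illustration of both techniques, written for this post; it is not GitGuardian's, Spectral's or Doppler's code. The sample source it scans is constructed, using the placeholder credentials that appear in AWS's own documentation rather than real keys, and the entropy thresholds, the `nosecret` suppression marker and the generic "secret-looking assignment" pattern are assumptions to tune per code base.

```python
"""Minimal secrets scanner: format rules plus a Shannon-entropy heuristic.

Added example for this post; not the code of any product named in it.
"""
import math
import re
import sys
from dataclasses import dataclass

# Rule set 1: well-known credential shapes. The AWS access key ID format
# (AKIA + 16 upper-case alphanumerics) is documented by AWS. The generic
# assignment rule is an assumption about how hard-coded credentials usually
# look in source: an identifier containing a tell-tale word, then a value.
PATTERN_RULES = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "private_key_block": re.compile(
        r"(-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----)"),
    "generic_secret_assignment": re.compile(
        r"""(?i)\w*(?:secret|password|passwd|token|api[_-]?key)\w*\s*[:=]\s*['"]?([^'"\s]{8,})"""),
}

# Rule set 2: high-entropy tokens. Thresholds (bits per character) are assumptions;
# a random 40-character base64 value scores well above 4, identifiers and English
# prose well below.
ENTROPY_RULES = {
    "high_entropy_base64": (re.compile(r"[A-Za-z0-9+/=]{20,}"), 4.0),
    "high_entropy_hex": (re.compile(r"\b[0-9a-fA-F]{32,}\b"), 3.0),
}

# Inline marker (assumed convention) to suppress known-benign matches such as
# content hashes in lock files, which otherwise trip the hex entropy rule.
ALLOW_MARKER = "nosecret"


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    redacted: str  # never echo the full secret into CI logs


def shannon_entropy(s: str) -> float:
    """Bits per character estimated from the string's own symbol histogram."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(token: str) -> str:
    return f"{token[:4]}...({len(token)} chars)"


def scan_text(text: str) -> list:
    """Return one Finding per (line, rule, token) that fires; suppressed lines are skipped."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ALLOW_MARKER in line:
            continue
        for rule, pattern in PATTERN_RULES.items():
            for m in pattern.finditer(line):
                findings.append(Finding(lineno, rule, redact(m.group(1))))
        for rule, (pattern, threshold) in ENTROPY_RULES.items():
            for m in pattern.finditer(line):
                token = m.group(0)
                if shannon_entropy(token) >= threshold:
                    findings.append(Finding(lineno, rule, redact(token)))
    return findings


# Constructed sample file. The two AWS values are the placeholder credentials
# from AWS's documentation; the SHA-256 is the digest of the empty string.
SAMPLE_SOURCE = """\
import boto3

# Constructed sample. The two AWS values below are the placeholder credentials
# AWS uses in its own documentation, not real keys.
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
DB_PASSWORD = "changeme"
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"  # nosecret
REGION = "us-east-1"

client = boto3.client("s3", region_name=REGION)
"""


if __name__ == "__main__":
    # Pre-commit style usage: scan the files given on the command line (or the
    # built-in sample) and fail the commit if anything is found.
    sources = [(p, open(p, encoding="utf-8", errors="replace").read()) for p in sys.argv[1:]] \
        or [("<sample>", SAMPLE_SOURCE)]
    total = 0
    for name, text in sources:
        for f in scan_text(text):
            total += 1
            print(f"{name}:{f.line}: {f.rule}: {f.redacted}")
    sys.exit(1 if total else 0)
```

Two design points matter in practice. The access key ID on line 5 of the sample is caught only by the format rule: its entropy is about 3.7 bits per character, below the base64 threshold, which is why format rules and entropy heuristics are combined rather than used alone. Conversely the secret access key on line 6 is caught by both the assignment rule and the entropy rule, while the content hash on line 8 is suppressed by the marker; without such an allow-list mechanism, lock files and fixtures generate enough noise that teams start ignoring the scanner.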