Sniffing for Codebase Secret Leaks with Known Production Secrets in Industry

08/13/2020
by   Zhen Yu Ding, et al.

Leaked secrets, such as passwords and API keys, in codebases have been responsible for numerous security breaches. Heuristic techniques, such as pattern matching, entropy analysis, and machine learning, exist to detect such leaks and alert developers. Heuristics, however, naturally exhibit false positives, which require triaging and can lead to developer frustration. We propose to use known production secrets as a source of ground truth for sniffing secret leaks in codebases. We develop techniques for using known secrets to sniff whole codebases and to continuously sniff differential code revisions. We uncover different performance and security needs when sniffing for known secrets in these two situations in an industrial environment.
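The abstract describes two sniffing modes (a whole-codebase sweep and a differential sweep over code revisions) driven by known production secrets rather than heuristics. The following is an added illustration of that idea, not code from the paper or its authors. It assumes one possible design: the scanner holds only keyed hashes (HMAC-SHA256) of the known secrets, so the set of production secrets is never stored in plaintext on the scanning host, and it compares them against candidate tokens pulled out of each line by a regular expression. The secrets, file contents, diff and HMAC key below are all constructed for the example.

```python
import hashlib
import hmac
import re
from typing import Dict, Iterable, List, Set, Tuple

# Candidate tokens: runs of characters typical of API keys, passwords and
# base64 material. Shorter runs are skipped to keep the candidate set small.
# Assumption of this example: a secret that contains other characters
# (e.g. "p@ss:word") would be split and missed by exact-token matching.
TOKEN_RE = re.compile(r"[A-Za-z0-9_\-+/=]{8,}")
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def build_index(known_secrets: Iterable[str], key: bytes) -> Set[bytes]:
    """Keyed-hash every known production secret so the scanner never stores
    plaintext. An HMAC (rather than a bare hash) means a leaked index cannot be
    brute-forced against low-entropy passwords without the key."""
    return {hmac.new(key, s.encode(), hashlib.sha256).digest() for s in known_secrets}


def _fingerprint(token: str, key: bytes) -> bytes:
    return hmac.new(key, token.encode(), hashlib.sha256).digest()


def mask(token: str) -> str:
    """Report only a prefix so alerts do not re-leak the secret."""
    return token[:4] + "*" * (len(token) - 4) if len(token) > 4 else "****"


def sniff_lines(lines: Iterable[str], index: Set[bytes], key: bytes) -> List[Tuple[int, str]]:
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for token in TOKEN_RE.findall(line):
            if _fingerprint(token, key) in index:
                hits.append((lineno, mask(token)))
    return hits


def sniff_codebase(files: Dict[str, str], index: Set[bytes], key: bytes) -> Dict[str, List[Tuple[int, str]]]:
    """Whole-codebase sweep: every line of every file is hashed, so cost grows
    with repository size. Returns only files that contain a known secret."""
    result = {}
    for path, text in files.items():
        hits = sniff_lines(text.splitlines(), index, key)
        if hits:
            result[path] = hits
    return result


def sniff_diff(diff_text: str, index: Set[bytes], key: bytes) -> List[Tuple[str, int, str]]:
    """Differential sweep: only lines added by a revision are hashed, so cost is
    proportional to the change, not the repository. Line numbers refer to the
    new file and are tracked from the @@ hunk headers."""
    hits = []
    path = None
    new_lineno = 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:]
            if path.startswith("b/"):
                path = path[2:]
            continue
        if raw.startswith("--- "):
            continue
        m = HUNK_RE.match(raw)
        if m:
            new_lineno = int(m.group(1))
            continue
        if raw.startswith("+"):
            for token in TOKEN_RE.findall(raw[1:]):
                if _fingerprint(token, key) in index:
                    hits.append((path, new_lineno, mask(token)))
            new_lineno += 1
        elif raw.startswith("-"):
            continue  # removed lines do not advance new-file numbering
        else:
            new_lineno += 1  # context line
    return hits


# Constructed sample data (not real credentials). In practice the HMAC key
# would come from a secret store and the known secrets from the production vault.
KEY = b"constructed-demo-key"
KNOWN_SECRETS = ["prod-db-password-7f3a9c", "sk_live_EXAMPLE_0123456789abcdef"]
INDEX = build_index(KNOWN_SECRETS, KEY)

SAMPLE_FILES = {
    "app/config.py": "DB_PASSWORD = 'prod-db-password-7f3a9c'\nDEBUG = False\n",
    "README.md": "Set STRIPE_KEY to your key, e.g. sk_test_placeholder_value\n",
}

SAMPLE_DIFF = """\
--- a/app/settings.py
+++ b/app/settings.py
@@ -10,3 +10,4 @@
 TIMEOUT = 30
-STRIPE_KEY = os.environ["STRIPE_KEY"]
+STRIPE_KEY = "sk_live_EXAMPLE_0123456789abcdef"
+RETRIES = 3
 LOG_LEVEL = "info"
"""

if __name__ == "__main__":
    print(sniff_codebase(SAMPLE_FILES, INDEX, KEY))
    print(sniff_diff(SAMPLE_DIFF, INDEX, KEY))
```

The trade-off in this design is the one the abstract hints at: exact-token matching against keyed hashes keeps plaintext secrets off the scanning host, but it cannot find a secret that has been split, re-encoded or embedded in a larger string, which a plaintext substring matcher (with the corresponding exposure of the secret set) would catch.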


research
07/03/2023

A Comparative Study of Software Secrets Reporting by Secret Detection Tools

Background: According to GitGuardian's monitoring of public GitHub repos...
research
11/11/2022

Committed by Accident: Studying Prevention and Remediation Strategies Against Secret Leakage in Source Code Repositories

Version control systems for source code, such as Git, are key tools in m...
research
10/22/2020

Getting Passive Aggressive About False Positives: Patching Deployed Malware Detectors

False positives (FPs) have been an issue of extreme importance for anti-...
research
03/12/2023

SecretBench: A Dataset of Software Secrets

According to GitGuardian's monitoring of public GitHub repositories, the...
research
09/07/2017

Resolving API Mentions in Informal Documents

Developer forums contain opinions and information related to the usage o...
research
06/23/2020

The uncertainty of Side-Channel Analysis: A way to leverage from heuristics

Performing a comprehensive side-channel analysis evaluation of small emb...
