Organizations are unaware of the prevalence of API keys and secrets throughout their systems, and how their users are sharing and using them. Even with security best practices and policies in place, the lack of awareness or compliance, as well as the possibility of human error means that API keys and secrets need protection regardless of where they are stored or shared. Code repositories are often top of mind, but they should not be the only systems monitored or protected for disclosing these sensitive credentials. The disclosure risk often materializes via other means, as it did with Twitter via Slack, Uber via network share and Slack, or for Sega on one of their AWS S3 buckets, allowing bad actors to:
- Escalate privileges
- Impersonate trusted team members
- Access and traverse other systems and data stores
- Further compromise or disclose of sensitive information
- Damage or disrupt operations, impacting reputation and customer trust
Organizations should re-evaluate this risk, especially since attackers are opportunistic in taking the path of least resistance by seeking systems that are less hardened than code repositories. API keys and secrets are leveraged within minutes of being disclosed, with some customers letting us know that they have seen attempted use of compromised keys and secrets within 45 seconds. Additionally, with 61% of breaches being linked to leaked credentials and research finding millions of secrets exposed, this major risk cannot be overstated.
Consider how engineers may share secrets, often using Slack, Jira, or Confluence, which are widely accessible. While they may know this is not best practice, the ease and convenience may temporarily outweigh their judgment. Rather than relying employees and contractors to always follow best practices, a comprehensive and mature security program should monitor and protect secrets, especially in high-use communications and collaboration tools.
These risk management strategies are the most critical:
- Monitor for API keys and secrets throughout the environment and in alignment with risk and user behavior
- Automate response so that the exposure window is minimized
- Train users, with real-time and contextual feedback
While it is always best practice to rotate keys that are compromised, security teams and organizations would be best served with a proactive posture in monitoring information as sensitive as API keys and secrets. Reacting to a breach of API keys and secrets is quite resource-intensive and impactful, not only to the security team, but to the operational and engineering teams who will often need to lock down, redirect their resources, and refactor or rebuild their systems.