Welcome to our first ever State of Secrets Detection in SaaS Apps report, an in-depth look at the security risks posed by the data stored in organizations' SaaS applications. As companies have adopted a remote-first approach to work, these solutions have increasingly been used to send and store passwords, secrets, and API keys. This has made access to these applications and their associated content a key target for attackers, whether through supply chain attacks or by exploiting security mistakes and misconfigurations.
“Passwords, Secrets, and Keys” for companies encompass cryptographic keys, credential sets, API keys, OAuth tokens, and other sensitive data used to access or authenticate with applications and services. This data finds its way into observability logs (see the Slope Wallet hack), Slack and Teams channels (see 2020’s Twitter breach), GitHub repos, and many other places. It is often held in files (which in-line solutions cannot scan once the files are large), in code comments, and in plain text on encrypted SaaS platforms such as Teams. Each year this data sprawls into more sensitive places, and many SaaS platforms still hold data that was created before current security solutions were put in place. The cost is only growing too, with IBM’s 2022 Cost of a Data Breach Report finding:
What makes these figures so concerning for businesses is that stolen secrets often originate from human error: accidental exposure in code commits, bug tickets, chat messages, and API logging. Keeping out “bad actors” is by itself ineffective at addressing this risk; organizations need to identify and protect the underlying data so that it cannot be exploited if and when a threat actor enters their environments.
What apps are most used by companies?
Okta’s Businesses @ Work 22 report found that content collaboration applications were the most used business applications. These include productivity suites such as Microsoft 365 and Google Workspace, as well as apps such as Slack, Box, Dropbox, and Atlassian. This year’s report also highlighted the increased organizational role of developers as seen by the growth in monitoring and visibility products. These products are now just as critical as development itself with the monitoring system Sentry reporting an impressive 68% year-over-year growth.
What new apps are emerging?
Okta’s Businesses @ Work 22 report also found rapid growth in Notion, Airtable, and Fivetran adoption. These applications in particular are likely to be a source of high risk for organizations, with Airtable storing vast troves of structured data, Notion being a collaboration tool of choice, and Fivetran piping data across the organization. Scanning these tools for secrets is key to controlling the risk these new integrations pose to organizational security.
What apps are most at risk?
Our data shows that GitHub followed by Jira have the most secrets at risk. This is expected as these applications are mostly used by product and engineering teams that have access to organizational secrets. A close third on the list is Slack, which highlights the large number of secrets that make their way into an app that can be widely accessed by teams that traditionally do not have credentials for these environments. It is this unexpected data spread that highlights the need for proactive content inspection and data protection.
How did Nightfall approach the problem?
Nightfall already has best-in-class ML-based API and secrets detection capabilities, as was evident when we benchmarked our solution against competitors:
When looking to enhance the utility of our API detection, vendor-based detection was the next logical step for our team. With a vendor-specific model, Nightfall now identifies secrets from the 25 most popular services, such as AWS, Square, and Stripe, with plans to add support for more services throughout the year. Additionally, the Nightfall platform indicates whether an exposed vendor secret is active. The goal is ultimately to empower teams to make quick but informed decisions within their remediation workflows by including as much context as possible.
To determine how big this issue still was, we applied this enhanced detection to public GitHub repos and found that the problem was still significant and growing:
These insights inspired the team to roll out our enhanced detection to all customers in January and below we share some insights we are seeing with live customer deployments.
What keys were most commonly compromised at Nightfall customers?
Nightfall can verify certain keys as active. When we deployed our Advanced Secrets and Keys Detector in January, we found that the most commonly exposed active keys come from AWS. Given that organizations leverage AWS for everything from compute to data storage, this can pose significant risk: a verified active key is one that can be exploited right now to obtain access that production systems will treat as authorized.
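To make the vendor-attribution idea above concrete, here is a small added example (not Nightfall's detector or any of its code) that scans constructed Slack, Jira and GitHub content for a handful of vendor key formats, labels each hit with its vendor, and redacts the value before it is reported. The regexes are approximations of the publicly documented shapes of AWS access key IDs, Stripe live keys, GitHub personal access tokens and Slack bot tokens, and the sample messages, ticket id and key values are all made up for the example. Checking whether a hit is still active, which the report describes, is a separate step against the vendor's own identity endpoint and is deliberately not part of this offline scanner.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Illustrative approximations of publicly documented key formats.
# These are assumptions for the example, not a vendor's or Nightfall's detectors.
VENDOR_PATTERNS = {
    "AWS access key ID": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "Stripe live secret key": re.compile(r"\bsk_live_[0-9a-zA-Z]{24,}\b"),
    "GitHub personal access token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "Slack bot token": re.compile(r"\bxoxb-[0-9]+-[0-9]+-[A-Za-z0-9]+\b"),
}


@dataclass(frozen=True)
class Finding:
    source: str     # which SaaS location the hit came from
    line_no: int    # 1-based line within that source
    vendor: str     # vendor label from VENDOR_PATTERNS
    redacted: str   # never carry the full secret into a ticket or alert


def redact(secret: str, keep: int = 4) -> str:
    """Keep a short prefix so responders can recognise the key type, mask the rest."""
    return secret[:keep] + "*" * (len(secret) - keep)


def scan_text(source: str, text: str) -> List[Finding]:
    """Run every vendor pattern over each line of one source and collect labelled hits."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for vendor, pattern in VENDOR_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(source, line_no, vendor, redact(match.group(0))))
    return findings


def scan_sources(sources: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of source name -> raw text, preserving source order."""
    return [f for name, text in sources.items() for f in scan_text(name, text)]


def summarize_by_vendor(findings: List[Finding]) -> Dict[str, int]:
    """Count hits per vendor, the view a SecOps team uses to prioritise rotation."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.vendor] = counts.get(f.vendor, 0) + 1
    return counts


# Constructed sample content; every key below is fabricated for this example.
SAMPLE_SOURCES = {
    "slack:#eng-oncall": (
        "alice: prod ingest is down, can someone check the job?\n"
        "bob: using AKIAIOSFODNN7EXAMPLE for now, will rotate after\n"
        "bob: stripe is sk_test_abc123 in staging only\n"
    ),
    "jira:PAY-1337": (
        "Repro: curl -H 'Authorization: Bearer sk_live_4eC39HqLyjWDarjtT1zdp7dc' ...\n"
        "Expected 200, got 401\n"
    ),
    "github:deploy/ci.env": (
        "GITHUB_TOKEN=ghp_0123456789abcdefghijABCDEFGHIJ012345\n"
        "SLACK_BOT_TOKEN=xoxb-123456789012-1234567890123-AbCdEfGhIjKlMnOpQrStUvWx\n"
        "NOT_A_KEY=AKIAexample\n"
    ),
}


if __name__ == "__main__":
    hits = scan_sources(SAMPLE_SOURCES)
    for h in hits:
        print(f"{h.source}:{h.line_no}  {h.vendor}  {h.redacted}")
    print(summarize_by_vendor(hits))
```

The `sk_test_` key and the lowercase `AKIAexample` line are there on purpose: a vendor-aware scanner should attribute real formats and stay quiet on look-alikes, which is where generic high-entropy matching tends to generate noise.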
We also saw several other notable trends summarized below:
So how can customers better protect and manage their secrets?
Secrets sprawl is a problem that only gets worse over time. Even if it is not causing major issues at present, customers will likely find that, without a better secrets detection and management solution, the sprawl eventually becomes an obstacle. Our data shows that this problem is growing rapidly and could eventually lead to problems scaling an organization's infrastructure and team.
Because of this, modern organizations have a compelling need for reliable, accurate, and actionable secrets detection. Moreover, after spending time on the road with customers, we saw first-hand how SecOps and security teams struggled with cumbersome workflows even once a secret was known to be exposed, as they attempted to trace which vendor or service it belonged to. That is why we’ve been hard at work expanding Nightfall’s secret detection capabilities to improve customers’ remediation workflows.