Throughout 2021, GitGuardian's monitoring of public GitHub repositories revealed a two-fold increase in the number of secrets (database credentials, API keys, and other credentials) exposed compared to 2020, accumulating more than six million secrets. A systematic derivation of practices for managing secrets can help practitioners in secure development. The goal of our paper is to aid practitioners in avoiding the exposure of secrets by identifying secret management practices in software artifacts through a systematic derivation of practices disseminated in Internet artifacts. We conduct a grey literature review of Internet artifacts, such as blog articles and question and answer posts. We identify 24 practices grouped in six categories comprised of developer and organizational practices. Our findings indicate that using local environment variables and external secret management services are the most recommended practices to move secrets out of source code and to securely store secrets. We also observe that using version control system scanning tools and employing short-lived secrets are the most recommended practices to avoid accidentally committing secrets and limit secret exposure, respectively.
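Two of the practices the abstract singles out, moving secrets from source code into environment variables and scanning what is about to be committed, illustrated in one small Python script. This is an added example, not code from the paper or from any tool it surveys; the secret patterns and the sample source lines are constructed for the illustration, and the AWS key shown is the documented placeholder value, not a real credential.

```python
"""Added illustration of two secret-management practices:
1. read secrets from the process environment, failing closed when absent;
2. scan source lines for hardcoded-secret patterns before they are committed.
The rule set is deliberately small; real scanners ship far larger ones.
"""
import os
import re
from typing import Dict, List, Optional, Tuple


def load_secret(name: str, env: Optional[Dict[str, str]] = None) -> str:
    """Return the secret stored under `name` in the environment.

    Fails closed: a missing or empty variable raises instead of silently
    falling back to a default, so a misconfigured deployment cannot run
    with a placeholder credential. `env` exists so tests can pass a dict
    instead of touching os.environ.
    """
    source = os.environ if env is None else env
    value = source.get(name, "").strip()
    if not value:
        raise RuntimeError(f"required secret {name!r} is not set in the environment")
    return value


# Illustrative patterns for the secret kinds the abstract names
# (database credentials, API keys). Constructed for this example.
SECRET_PATTERNS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("generic_api_key", re.compile(
        r"(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"][^'\"]{8,}['\"]")),
    ("database_url", re.compile(r"(?i)\b[a-z]+://[^:/\s]+:[^@\s]+@[^/\s]+")),
    ("private_key_block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
]


def scan_lines(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, rule_name, line) for every line matching a rule.

    The first matching rule wins, so each offending line is reported once;
    a pre-commit hook would reject the commit if this list is non-empty.
    """
    findings = []
    for number, line in enumerate(lines, start=1):
        for rule, pattern in SECRET_PATTERNS:
            if pattern.search(line):
                findings.append((number, rule, line.rstrip()))
                break
    return findings


# Constructed sample: three hardcoded secrets, then the environment-based
# replacement the scanner should leave alone, then an unrelated line.
SAMPLE_SOURCE = [
    'DB_URL = "postgres://app:Sup3rSecretPw@db.internal:5432/app"',
    'API_KEY = "sk_live_0123456789abcdef"',
    'aws_key = "AKIAIOSFODNN7EXAMPLE"',  # AWS documentation placeholder key
    'API_KEY = load_secret("API_KEY")   # secret comes from the environment',
    "print('hello')",
]


if __name__ == "__main__":
    for number, rule, line in scan_lines(SAMPLE_SOURCE):
        print(f"line {number}: {rule}: {line}")
```

Run as a pre-commit hook, `scan_lines` would be fed the added lines of the staged diff rather than `SAMPLE_SOURCE`; the fail-closed `load_secret` is what the code should call once the literal has been removed from source.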