Exposed Secrets Crisis: Why It Takes 27 Days to Fix Leaked Credentials (And What’s Making It Worse)

The Growing Challenge of Secrets Management in IT

Key Findings:

– 79% of IT decision-makers reported secrets leaks, up from 75% last year

– Over 12.7 million hardcoded credentials found in public GitHub repositories

– 90% of discovered secrets remain valid for over 5 days

– Average remediation time: 27 days

– Non-human to human identity ratio is 45:1

Core Issues:

1. Delayed Credential Rotation

– Lack of clarity on permission structures

– Insufficient documentation

– Complex permission management systems (e.g., AWS IAM, GitHub)

2. Ownership Confusion

– 65% believe IT security teams are responsible

– 44% report developers not following best practices

– Gap between security teams and developers

3. Developer Challenges

– Pressure to deploy quickly

– Complex permission management systems

– Insufficient documentation practices

– Over-permissioning (98% of granted permissions unused)

4. Security Team Limitations

– Lack of project-specific knowledge

– Risk of breaking applications when making changes

– Difficulty maintaining consistent access controls

Proposed Solution: Shared Responsibility Model

Developers should:

– Manage permissions consistently using proper tools

– Document permission requirements

– Ensure clear communication with security teams

Security Teams should:

– Automate secrets rotation

– Implement observability tools

– Work to eliminate long-lived credentials

– Support developers with secure implementation paths

Essential Documentation Points:

1. Credential ownership

2. Resource access details

3. Permission specifications

4. Rotation/revocation procedures

5. Credential status
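The five documentation points above only help if something checks them. Below is an added example, not code from the article or any of the vendors it mentions: a small credential-inventory check that treats the five points as mandatory fields and flags entries whose leak has gone unrevoked beyond an SLA or whose age exceeds a rotation threshold. The schema, the 90-day rotation age, the 5-day leak SLA and every sample value are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Assumed schema (added example): the article's five documentation points
# are mandatory fields; the two dates drive the rotation and leak checks.
DOC_POINTS = ("owner", "resource", "permissions", "rotation_procedure", "status")

@dataclass
class Credential:
    name: str
    owner: str                 # 1. credential ownership
    resource: str              # 2. resource access details
    permissions: List[str]     # 3. permission specifications
    rotation_procedure: str    # 4. rotation/revocation procedure (runbook ref)
    status: str                # 5. credential status: active | leaked | revoked
    last_rotated: date
    leaked_on: Optional[date] = None

def missing_docs(cred: Credential) -> List[str]:
    """Documentation points left blank for this credential."""
    return [p for p in DOC_POINTS if not getattr(cred, p)]

def findings(creds, today, max_age_days=90, leak_sla_days=5):
    """(name, reason) pairs needing attention; 90-day age and 5-day leak SLA are assumed."""
    out = []
    for c in creds:
        out += [(c.name, f"undocumented:{p}") for p in missing_docs(c)]
        if c.status == "revoked":
            continue  # nothing left to rotate or revoke
        if c.status == "leaked" and c.leaked_on:
            exposed = (today - c.leaked_on).days
            if exposed > leak_sla_days:
                out.append((c.name, f"leaked_unrevoked:{exposed}d"))
        if (today - c.last_rotated).days > max_age_days:
            out.append((c.name, "rotation_overdue"))
    return out

# Constructed sample inventory; every name and value here is illustrative.
SAMPLE = [
    Credential("ci-deploy-token", "platform-team", "github:org/repo",
               ["contents:write"], "runbook#ci-token", "active", date(2024, 1, 10)),
    Credential("s3-backup-key", "", "aws:s3:backups", ["s3:*"], "",
               "leaked", date(2023, 11, 1), leaked_on=date(2024, 3, 1)),
    Credential("old-db-pass", "data-team", "rds:prod", ["connect"],
               "runbook#db", "revoked", date(2023, 1, 1)),
]

REPORT = findings(SAMPLE, date(2024, 3, 28))  # 4 findings, all on s3-backup-key
```

Run against the sample, the undocumented, leaked key is reported four times (two missing fields, 27 days exposed, rotation overdue) while the revoked password is skipped entirely; in practice the inventory would be fed from the secrets manager rather than a literal list.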
