![Exposed Secrets Crisis: Why It Takes 27 Days to Fix Leaked Credentials (And What's Making It Worse)](https://mlkmisyfyt7n.i.optimole.com/cb:QnOd.1c245/w:auto/h:auto/q:mauto/ig:avif/https://clickcontrol.com/wp-content/uploads/2024/12/article_45_1733373924.jpg)
Key Findings:
– 79% of IT decision-makers reported secrets leaks, up from 75% the previous year
– Over 12.7 million hardcoded credentials found in public GitHub repositories
– 90% of discovered secrets remain valid for over 5 days
– Average remediation time: 27 days
– Non-human (service, workload and machine) identities outnumber human identities 45:1
Core Issues:
1. Delayed Credential Rotation
– Lack of clarity on permission structures
– Insufficient documentation
– Complex permission management systems (e.g., AWS IAM, GitHub)
2. Ownership Confusion
– 65% believe responsibility for secrets rests with the IT security team
– 44% report developers not following best practices
– Gap between security teams and developers
3. Developer Challenges
– Pressure to deploy quickly
– Complex permission management systems
– Insufficient documentation practices
– Over-permissioning (98% of granted permissions unused)
4. Security Team Limitations
– Lack of project-specific knowledge
– Risk of breaking applications when changing permissions or rotating credentials without that knowledge
– Difficulty maintaining consistent access controls
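The over-permissioning figure above is the kind of gap a policy review can measure rather than estimate. The following Python example is added here and is not taken from the article or from any tool it mentions: it compares a wildcard IAM-style policy against a scoped one for the same workload, flags wildcard statements, and computes what share of the granted actions was never observed in use. The two policies, the set of observed actions (in practice taken from CloudTrail or IAM last-accessed data) and the small action catalogue used to expand wildcards are all constructed.

```python
"""Least-privilege check for IAM-style policy documents.

Compares an over-permissive policy with a scoped one and measures how much
of what each grants was actually used. The policies, the observed-action set
and the action catalogue are constructed for this example.
"""
import fnmatch
import json

# Constructed: a policy of the "it works, ship it" kind.
OVER_PERMISSIVE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["secretsmanager:*", "iam:PassRole"], "Resource": "*"}
  ]
}
""")

# Constructed: the same workload's needs, scoped to named actions and resources.
LEAST_PRIVILEGE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-app-uploads/*"},
    {"Effect": "Allow",
     "Action": "secretsmanager:GetSecretValue",
     "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:example-app/db-*"}
  ]
}
""")

# Constructed: actions the workload was seen calling during the review window.
# In practice this comes from CloudTrail or IAM last-accessed data.
OBSERVED_ACTIONS = {"s3:GetObject", "s3:PutObject", "secretsmanager:GetSecretValue"}

# Constructed subset of the action namespaces, used to expand wildcards such as
# "s3:*" into the concrete permissions they grant. A real check would use the
# full per-service action lists.
KNOWN_ACTIONS = {
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket",
    "s3:DeleteBucket", "s3:PutBucketPolicy", "s3:PutBucketAcl",
    "secretsmanager:GetSecretValue", "secretsmanager:PutSecretValue",
    "secretsmanager:DeleteSecret", "secretsmanager:CreateSecret",
    "iam:PassRole",
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def allowed_actions(policy):
    """Expand every Allow statement's action patterns against KNOWN_ACTIONS.

    Simplification: IAM matches action names case-insensitively; this uses
    case-sensitive glob matching, which is enough for well-formed policies.
    """
    granted = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt["Action"]):
            granted.update(a for a in KNOWN_ACTIONS if fnmatch.fnmatchcase(a, pattern))
    return granted


def wildcard_findings(policy):
    """List statements that grant wildcard actions or apply to every resource."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt["Action"]):
            if "*" in pattern:
                findings.append(f"statement {i}: wildcard action {pattern!r}")
        if "*" in _as_list(stmt["Resource"]):
            findings.append(f"statement {i}: applies to all resources")
    return findings


def unused_permission_ratio(policy, observed=OBSERVED_ACTIONS):
    """Fraction of granted actions never observed in use (0.0 means fully used)."""
    granted = allowed_actions(policy)
    if not granted:
        return 0.0
    return len(granted - observed) / len(granted)


if __name__ == "__main__":
    for name, policy in (("over-permissive", OVER_PERMISSIVE_POLICY),
                         ("least-privilege", LEAST_PRIVILEGE_POLICY)):
        print(f"{name}: {unused_permission_ratio(policy):.0%} of granted actions unused")
        for finding in wildcard_findings(policy):
            print("  -", finding)
```

Against the constructed catalogue the wildcard policy grants twelve actions of which nine are never used, while the scoped policy grants exactly the three observed ones. The same measurement over a real action catalogue and real access logs is what turns "98% unused" from a survey statistic into a per-role finding a developer can act on.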
Proposed Solution: Shared Responsibility Model
Developers should:
– Manage permissions consistently through dedicated tooling rather than ad hoc grants
– Document permission requirements
– Ensure clear communication with security teams
Security Teams should:
– Automate secrets rotation
– Implement observability tooling for credential usage (which identities use which secrets, and where)
– Work to eliminate long-lived credentials in favour of short-lived, automatically issued ones
– Support developers with secure implementation paths
Essential Documentation Points:
1. Credential ownership
2. Resource access details
3. Permission specifications
4. Rotation/revocation procedures
5. Credential status
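As an added example that is not part of the article, the following Python turns these five documentation points into a machine-readable inventory and runs the checks a security team would want over it: missing owner or runbook, wildcard permissions, credential classes whose lifetime makes them long-lived (the item the Security Teams list asks to eliminate), and active credentials overdue for rotation. It also shows the lookup a scanner alert should trigger, where an unknown credential ID is the case that stretches remediation from hours to weeks. The record shape, the 90-day threshold, the review date and the sample entries are all constructed.

```python
"""Credential inventory covering the five documentation points above, with the
checks a security team would run over it. Field names, thresholds and the
sample records are constructed for this example.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed: credential classes whose policy lifetime exceeds this are treated
# as long-lived and flagged for migration to short-lived, automatically issued ones.
LONG_LIVED_THRESHOLD_DAYS = 90


@dataclass
class CredentialRecord:
    credential_id: str                 # reference name or key ID, never the secret itself
    owner: Optional[str]               # 1. ownership: who can approve rotation or revocation
    resource: str                      # 2. what the credential grants access to
    permissions: list                  # 3. permission specification (actions granted)
    rotation_procedure: Optional[str]  # 4. runbook for rotation/revocation
    status: str                        # 5. "active", "rotating" or "revoked"
    issued_on: date
    max_age_days: int                  # rotation policy for this credential


def review(record, today):
    """Return the problems that would slow remediation if this credential leaked."""
    problems = []
    if not record.owner:
        problems.append("no owner recorded")
    if not record.rotation_procedure:
        problems.append("no rotation/revocation procedure")
    if not record.permissions:
        problems.append("permissions not documented")
    elif "*" in record.permissions:
        problems.append("wildcard permissions")
    if record.max_age_days > LONG_LIVED_THRESHOLD_DAYS:
        problems.append(f"long-lived credential (max age {record.max_age_days} days)")
    if record.status != "revoked":
        age = (today - record.issued_on).days
        if age > record.max_age_days:
            problems.append(f"overdue for rotation by {age - record.max_age_days} days")
    return problems


def triage(inventory, today):
    """Map each credential ID to its problems, omitting clean records."""
    result = {}
    for record in inventory:
        problems = review(record, today)
        if problems:
            result[record.credential_id] = problems
    return result


def remediation_contact(inventory, credential_id):
    """Who to page and which runbook to run when a scanner reports this ID.

    Returns None when the credential is not in the inventory, which is the
    case that turns a same-day revocation into a weeks-long hunt.
    """
    for record in inventory:
        if record.credential_id == credential_id:
            return record.owner, record.rotation_procedure
    return None


# Constructed sample inventory and review date.
TODAY = date(2024, 12, 5)
INVENTORY = [
    CredentialRecord("ci-deploy-key", "platform-team", "github.com/example-org/app",
                     ["contents:read"], "runbooks/rotate-deploy-key.md", "active",
                     date(2024, 6, 1), 90),
    CredentialRecord("db-password-prod", None, "prod-postgres/app_db",
                     ["SELECT", "INSERT"], None, "active", date(2024, 11, 20), 30),
    CredentialRecord("legacy-service-account", "legacy-team", "aws account 123456789012",
                     ["*"], "runbooks/legacy-sa.md", "active", date(2024, 11, 1), 365),
    CredentialRecord("old-api-token", "payments-team", "api.example.com",
                     ["orders:read"], "runbooks/api-token.md", "revoked",
                     date(2023, 1, 1), 90),
]

if __name__ == "__main__":
    for cred_id, problems in triage(INVENTORY, TODAY).items():
        print(cred_id)
        for problem in problems:
            print("  -", problem)
```

Running the review over the sample inventory flags the CI key as 97 days overdue, the production database password as having neither owner nor runbook, and the legacy service account as both wildcard-scoped and long-lived; the revoked token is skipped. The point of keeping this as data rather than a wiki page is that the same records drive automated rotation (issue date plus policy age gives the deadline) and give a scanner alert a direct path to the person who can revoke.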