What are the Practices for Secret Management in Software Artifacts?
Setu Kumar Basak, Lorenzo Neil, Bradley Reaves, Laurie Williams

TL;DR
This paper systematically identifies and categorizes 24 secret management practices from Internet sources, highlighting key strategies like environment variables and secret management services to prevent secret exposure in software development.
Contribution
It provides a comprehensive, systematically derived set of secret management practices from Internet artifacts, aiding practitioners in secure secret handling.
Findings
Using local environment variables is highly recommended.
External secret management services are effective.
Employing short-lived secrets reduces exposure risk.
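The three findings above are practices, not code, so the following is an added illustration written for this page, not code from the paper or its authors. It shows two of them in one small Python module: reading a secret from the process environment and failing closed when it is absent (instead of falling back to a value baked into the source), and treating a credential as short-lived by re-requesting it from an issuer before its TTL runs out. The issuer is a stand-in for an external secret management service; the function and class names, the fake clock and all sample values are assumptions made for the example, and no real credential appears.

```python
import os
import time
from dataclasses import dataclass
from typing import Callable, Mapping, Optional


class MissingSecretError(RuntimeError):
    """Raised when a required secret is absent or unusable; callers must not fall back to a default."""


def load_secret(name: str, env: Optional[Mapping[str, str]] = None, min_length: int = 8) -> str:
    """Read a secret from the environment (practice: local environment variables).

    Fails closed: an unset or blank variable raises instead of silently using a
    hardcoded fallback, which is how secrets end up committed to repositories.
    `env` is injectable so the function can be tested without touching os.environ.
    """
    source = os.environ if env is None else env
    value = source.get(name)
    if value is None or not value.strip():
        raise MissingSecretError(f"required secret {name} is not set")
    if len(value) < min_length:
        raise MissingSecretError(f"secret {name} is too short to be a real credential")
    return value


@dataclass(frozen=True)
class IssuedSecret:
    """A credential together with the time it was issued and how long it is valid."""
    value: str
    issued_at: float
    ttl_seconds: float

    def expires_at(self) -> float:
        return self.issued_at + self.ttl_seconds


class RotatingSecret:
    """Practice: short-lived secrets.

    Holds a credential obtained from an issuer (an external secret manager in
    production; here any callable returning an IssuedSecret) and re-requests it
    once it is within `refresh_margin` seconds of expiry, so a leaked value is
    useful for at most one TTL.
    """

    def __init__(self, issuer: Callable[[], IssuedSecret], refresh_margin: float = 5.0,
                 clock: Callable[[], float] = time.time):
        self._issuer = issuer
        self._margin = refresh_margin
        self._clock = clock
        self._current: Optional[IssuedSecret] = None
        self.rotations = 0  # how many times a fresh credential was fetched

    def get(self) -> str:
        now = self._clock()
        if self._current is None or now >= self._current.expires_at() - self._margin:
            self._current = self._issuer()
            self.rotations += 1
        return self._current.value


def redact(value: str, keep: int = 4) -> str:
    """Log-safe rendering of a secret: mask everything but the last `keep` characters."""
    if len(value) <= keep:
        return "*" * len(value)
    return "*" * (len(value) - keep) + value[-keep:]


def demo() -> dict:
    """Constructed walkthrough with a fake environment, fake issuer and fake clock (no real secrets)."""
    fake_env = {"DB_PASSWORD": "constructed-sample-value-not-real"}  # constructed sample, not a credential
    db_password = load_secret("DB_PASSWORD", env=fake_env)

    clock_now = [1_000.0]
    counter = [0]

    def fake_issuer() -> IssuedSecret:  # stands in for a secret management service
        counter[0] += 1
        return IssuedSecret(value=f"token-{counter[0]}", issued_at=clock_now[0], ttl_seconds=60.0)

    token = RotatingSecret(fake_issuer, refresh_margin=5.0, clock=lambda: clock_now[0])
    first = token.get()       # issued at t=1000, valid until t=1060
    clock_now[0] = 1_050.0    # still outside the refresh margin: same token
    second = token.get()
    clock_now[0] = 1_056.0    # inside the 5 s margin before expiry: rotated
    third = token.get()

    try:
        load_secret("API_KEY", env={})   # not set anywhere: must raise, never default
        missing_raised = False
    except MissingSecretError:
        missing_raised = True

    return {
        "db_password_redacted": redact(db_password),
        "first": first, "second": second, "third": third,
        "rotations": token.rotations,
        "missing_raised": missing_raised,
    }


if __name__ == "__main__":
    print(demo())
```

In a real deployment the environment variable is populated by the platform (container runtime, CI secret store, systemd credential), never by a checked-in `.env` file, and `fake_issuer` is replaced by a call to the secret manager's client; the `load_secret` and `RotatingSecret` logic stays the same.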
Abstract
Throughout 2021, GitGuardian's monitoring of public GitHub repositories revealed a two-fold increase in the number of secrets (database credentials, API keys, and other credentials) exposed compared to 2020, accumulating more than six million secrets. A systematic derivation of practices for managing secrets can help practitioners in secure development. The goal of our paper is to aid practitioners in avoiding the exposure of secrets by identifying secret management practices in software artifacts through a systematic derivation of practices disseminated in Internet artifacts. We conduct a grey literature review of Internet artifacts, such as blog articles and question and answer posts. We identify 24 practices grouped in six categories comprised of developer and organizational practices. Our findings indicate that using local environment variables and external secret management…
Taxonomy
Topics: Privacy, Security, and Data Protection · Advanced Malware Detection Techniques · Digital and Cyber Forensics
