Committed by Accident: Studying Prevention and Remediation Strategies Against Secret Leakage in Source Code Repositories
Alexander Krause, Jan H. Klemmer, Nicolas Huaman, Dominik Wermke, Yasemin Acar, Sascha Fahl

TL;DR
This study investigates how developers experience, prevent, and remediate secret leaks in source code repositories, highlighting challenges and providing recommendations to improve security practices.
Contribution
It offers empirical insights from surveys and interviews on secret leakage challenges and proposes practical recommendations for developers and platform providers.
Findings
30.3% of developers experienced secret leakage
Developers face challenges in risk estimation and prevention
Low adoption of existing secret management tools
Abstract
Version control systems for source code, such as Git, are key tools in modern software development environments. Many developers use online services, such as GitHub or GitLab, for collaborative software development. While software projects often require code secrets to work, such as API keys or passwords, they need to be handled securely within the project. Previous research and news articles have illustrated that developers are blameworthy for committing code secrets, such as private encryption keys, passwords, or API keys, accidentally to public source code repositories. However, making secrets publicly available might have disastrous consequences, such as leaving systems vulnerable to attacks. In a mixed-methods study, we surveyed 109 developers and conducted 14 in-depth semi-structured interviews with developers who experienced secret leakage in the past. We find that 30.3% of our…
Taxonomy
Topics: Advanced Malware Detection Techniques · Software Engineering Research · Information and Cyber Security
