RiskHarvester: A Risk-based Tool to Prioritize Secret Removal Efforts in Software Artifacts

TL;DR

RiskHarvester is a tool that prioritizes secret removal in software by assessing security risks based on asset value and attack ease, helping practitioners focus on the most critical secrets efficiently.

Contribution

The paper introduces RiskHarvester, a novel risk-based approach for prioritizing secret removal efforts in software artifacts, supported by a new benchmark and high-precision detection methods.

Findings

RiskHarvester achieves 95% precision and 90% recall in detecting database keywords.

86% of developers prioritize secret removal based on security risk scores.

The tool effectively guides security efforts by ranking secrets according to risk.

Abstract

Since 2020, GitGuardian has been detecting checked-in hard-coded secrets in GitHub repositories. During 2020-2023, GitGuardian has observed an upward annual trend and a four-fold increase in hard-coded secrets, with 12.8 million exposed in 2023. However, removing all the secrets from software artifacts is not feasible due to time constraints and technical challenges. Additionally, the security risks of the secrets are not equal, protecting assets ranging from obsolete databases to sensitive medical data. Thus, secret removal should be prioritized by security risk reduction, which existing secret detection tools do not support. The goal of this research is to aid software practitioners in prioritizing secrets removal efforts through our security risk-based tool. We present RiskHarvester, a risk-based tool to compute a security risk score based on the value of the asset and ease of attack on a database. We calculated the value of asset by identifying the sensitive data categories present in a database from the database keywords in the source code. We utilized data flow analysis, SQL, and ORM parsing to identify the database keywords. To calculate the ease of attack, we utilized passive network analysis to retrieve the database host information. To evaluate RiskHarvester, we curated RiskBench, a benchmark of 1,791 database secret-asset pairs with sensitive data categories and host information manually retrieved from 188 GitHub repositories. RiskHarvester demonstrates precision of (95%) and recall (90%) in detecting database keywords for the value of asset and precision of (96%) and recall (94%) in detecting valid hosts for ease of attack. Finally, we conducted a survey (52 respondents) to understand whether developers prioritize secret removal based on security risk score. We found that 86% of the developers prioritized the secrets for removal with descending security risk scores.