Pushed by Accident: A Mixed-Methods Study on Strategies of Handling Secrets in Source Code Repositories

Krause, Alexander and Klemmer, Jan H. and Huaman, Nicolas and Wermke, Dominik and Acar, Yasemin and Fahl, Sascha
(2023) Pushed by Accident: A Mixed-Methods Study on Strategies of Handling Secrets in Source Code Repositories.
In: 32nd USENIX Security Symposium, 9-11 Aug 2023, Anaheim, CA, USA.
Conference: USENIX-Security Usenix Security Symposium

[img] Text
2022_ucs_resubmit_usenix23.pdf

Download (325kB)
Official URL: https://www.usenix.org/conference/usenixsecurity23...

Abstract

Version control systems for source code, such as Git, are key tools in modern software development. Many developers use services like GitHub or GitLab for collaborative software development. Many software projects include code secrets such as API keys or passwords that need to be managed securely. Previous research and blog posts found that developers struggle with secure code secret management and accidentally leaked code secrets to public Git repositories. Leaking code secrets to the public can have disastrous consequences, such as abusing services and systems or making sensitive user data available to attackers. In a mixed-methods study, we surveyed 109 developers with version control system experience. Additionally, we conducted 14 in-depth semi-structured interviews with developers who experienced secret leakage in the past. 30.3% of our participants encountered code secret leaks in the past. Most of them face several challenges with secret leakage prevention and remediation. Based on our findings, we discuss challenges, such as estimating the risks of leaked secrets, and the needs of developers in remediating and preventing code secret leaks, such as low adoption requirements. We conclude with recommendations for developers and source code platform providers to reduce the risk of secret leakage.

Actions

Actions (login required)

View Item View Item