Spotlight: How Secrets Sprawl Undermines Software Supply Chain Security

In this Spotlight edition of the podcast, we’re joined by Mackenzie Jackson, the Developer Advocate at the firm GitGuardian. Mackenzie and I discuss the problem of so-called “secrets sprawl” – the migration of all manner of sensitive information, from credentials to private keys -into public source code repositories on sites like GitHub. As always,  you can check our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and Spotify. Or, check us out on Google Podcasts, Stitcher, Radio Public and more. Also: if you enjoy this podcast, consider signing up to receive it in your email. Just point your web browser to securityledger.com/subscribe to get notified whenever a new podcast is posted.  [MP3] “Given enough eyeballs, all bugs are shallow.” That is “Linus’s Law.” First formulated by Eric Raymond in his 1999 book “The Cathedral and the Bazaar,” and named after Linus Torvalds, the creator of Linux. It speaks to a hidden value of open source code: with an unbounded population of developers given access to source code, security and quality issues will quickly bubble up and be discovered, improving security rather than undermining it.  Mackenzie Jackson is a Developer Advocate at GitGuardian All Secrets Are Shallow, Too! Two decades later, open source culture is now firmly entrenched, open source code and libraries are part and parcel of nearly every software development project, and massive, online repositories like GitHub put code at the fingertips of a population of millions of developers and billions of Internet users. In that new milieu, something like a corollary to Linus’s Law has emerged: given enough eyeballs, all secrets are shallow, too.  In other words: having thousands of developers crawling over your source code may expose hidden flaws in your application code. (Though there is ample reason to doubt that happens.) But it may also reveal secrets you weren’t aware were buried in your code, or that you hoped nobody would notice.  Credentials: Gone in 60 Seconds