ReversingLabs has added new secret-detection capabilities to its software supply chain security (SSCS) tool to help developers prioritize remediation with context-based data on application development secrets.

In a development environment, secrets refer to digital authentication credentials used in software components, including login credentials, API tokens, and encryption keys.

“We are using our knowledge of exposed secrets in the billions of files we’ve previously analyzed to provide that context,” said Tomislav Pericin, co-founder and chief software architect at ReversingLabs. “For example, commonly shared secrets used for testing open-source components that have been public for years are not secrets — so why tell developers to fix them.”

Although essential for the proper functioning of software, effectively handling secrets throughout all parts of the code — as well as during the various stages of development such as the Software Development Life Cycle and Continuous Integration and Continuous Delivery (CI/CD) — can be difficult and may lead to the inadvertent exposure of secrets.

In early 2021 CircleCI and CodeCov — two significant, cloud-based continuous integration and delivery platforms — experienced breaches that compromised user data, including environment variables and API tokens.
The incidents highlighted the importance of exposed secrets and led several organizations to reset their API tokens and take other security measures to protect their applications and data.

Problem of false positives in secrets detection

Existing secret-detection tools are flooding developers with enormous numbers of false positives, causing them to bypass detections rather than triage and fix them, the company said.

The primary principle behind ReversingLabs’ secret-detection system is that effective secrets analysis is only achievable when additional context can be automatically applied to determine whether a detected secret is worth the remediation effort.

ReversingLabs’ SSCS tool claims to cover 250 secret types, including private keys, version control credentials, certificates, and tokens. After detection, the tool enables teams to promptly verify the discovered secrets as true positives, pinpoint their exact location, identify the affected services, and check whether these secrets are also exposed or leaked elsewhere.

Prioritization helps reduce remediation fatigue

ReversingLabs’ software focuses on prioritizing remediation efforts by suppressing commonly shared secrets such as third-party, open-source, and testing keys, thus reducing the burden of manual triage.

“The status quo with secrets is to detect a lot of items and hope someone has time to triage and remediate. That’s not sustainable when large software releases can contain thousands of secrets,” Pericin added. “Our solution is different because the focus of most of our new capabilities is on removing the noise from secrets detection with automated triage.”

In addition to contextual prioritization, ReversingLabs’ software enforces just-in-time secrets management, canary token management, and custom detection policies.
While just-in-time and canary token management effect a timely resolution of the detections, custom detection policies give fine-grained control over the detection rules.

The software also provides the historical context of a detected secret, outlining whether the secret has already been exposed and, if so, when, to underscore its level of risk relative to other non-actionable false positives.

The secret-detection feature is already available in ReversingLabs’ SSCS tool through the command-line interface at no additional cost.
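As an added illustration of the contextual triage the article describes (example code written for this page, not ReversingLabs' own), the following Python sketch detects two token shapes and then suppresses hits that are known public sample keys or that live under test and fixture paths, so only unknown secrets outside test code reach a developer. The rule set, the allowlist of public-key digests, the path heuristic and the sample files are all constructed for the example.

```python
import hashlib
import re
from collections import namedtuple

# Shapes of two common token types (constructed rules; a real scanner ships hundreds).
RULES = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "github_token": re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b"),
}
# Context 1: digests of secrets already known to be public, e.g. sample keys shipped in
# open-source test suites. Stored as digests so the allowlist is not itself a leak.
KNOWN_PUBLIC_SHA256 = {
    hashlib.sha256(b"AKIAIOSFODNN7EXAMPLE").hexdigest(),  # AWS documentation example key
}
# Context 2: paths where a matching token is far more likely a fixture than a live credential.
TEST_PATH = re.compile(r"(^|/)(tests?|fixtures|examples?)/", re.I)

# The report carries a short fingerprint, never the secret itself.
Finding = namedtuple("Finding", "rule path line fingerprint priority reason")

def triage(path, secret):
    """Decide whether a raw regex hit is worth a developer's remediation effort."""
    if hashlib.sha256(secret.encode()).hexdigest() in KNOWN_PUBLIC_SHA256:
        return "suppressed", "commonly shared public secret"
    if TEST_PATH.search(path):
        return "suppressed", "under a test/fixture path"
    return "actionable", "unknown secret outside test code"

def scan(files):
    """files: {path: text}. Returns one already-triaged Finding per regex hit."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for rule, rx in RULES.items():
                for m in rx.finditer(line):
                    priority, reason = triage(path, m.group(1))
                    fp = hashlib.sha256(m.group(1).encode()).hexdigest()[:12]
                    findings.append(Finding(rule, path, lineno, fp, priority, reason))
    return findings

def actionable(files):
    """The shortlist a developer should actually see."""
    return [f for f in scan(files) if f.priority == "actionable"]

# Constructed sample repository: one public doc key, one fixture, one real-looking token.
SAMPLE_FILES = {
    "tests/fixtures/aws.cfg": "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n",
    "examples/demo.py": 'KEY = "AKIAABCDEFGHIJKLMNOP"\n',
    "src/deploy.py": 'GH_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"\n',
}
```

Running `scan(SAMPLE_FILES)` yields three raw hits but `actionable(SAMPLE_FILES)` keeps only the token in `src/deploy.py`; the other two are suppressed with the reason recorded, which is the triage data the article says developers need instead of a bare list of matches.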