About 52% of chief information and security officers (CISOs) in US and UK organizations are unable to fully secure their company secrets, according to a report by code security platform GitGuardian. The report pointed out that even though secrets management practice across the US and the UK has matured somewhat, it still has a long way to go.

About three-quarters of the respondents to the survey reported at least one past leak.

The study, commissioned through Sapio Research, analyzed responses from 507 IT decision makers, including IT directors, vice presidents of IT, CIOs, CSOs, CISOs, and vice presidents of cybersecurity, to assess awareness of the risks posed by exposed secrets in DevOps environments.

"Every year, GitGuardian publishes its annual report, the State of Secrets Sprawl, where we report on the growth of the number of secrets found on public GitHub," said Thomas Segura, cyber security expert at GitGuardian. "With this new study, the goal was to better understand awareness of the problem in the field and the obstacles encountered by security leadership."

The study, titled "Voice of Practitioners", follows GitGuardian's "State of Secrets Sprawl 2023" report published earlier this year, which revealed 10 million source code secrets detected by the company on public GitHub in 2022, a 67% jump from the previous year.

Industry is wary of leaked secrets

The study showed that a large share of the US and UK-based IT sector realizes the danger of exposed secrets. Seventy-five percent of the respondents said that a secret leak had happened in their organization in the past, with 60% acknowledging it caused serious issues for the company, its employees, or both. The exposed secrets included API keys, usernames, passwords, and encryption keys. Only 10% of respondents with a past leak said that the leak did not affect the company or its employees.

When asked about the key risk points within their software supply chains, 58% named "source code and repositories" as the core risk area, while 53% and 47% respectively pointed to "open source dependencies" and "hard-coded secrets" as troubling points.

"It makes sense that the repositories would be a rich target for security vulnerabilities including secrets," said Melinda Marks, an analyst at ESG. "It's important to remember that cloud-native application security is not just about securing code within an application; you have to secure everything used to run and build the app. The CI/CD pipelines and their associated repos, which enable teams to rapidly build their applications and collaborate, really drive the efficiency of cloud-native development."

These figures mean that "the majority of respondents consider secrets protection to be a critical component of application risk management," according to the GitGuardian study.

Management isn't quite there yet

Although secrets management practice across the sector has matured somewhat, it still has a long way to go. A simple question about the extent to which security professionals are presently able to prevent secrets from being leaked elicited a mixed bag of responses. While roughly half (48%) of the respondents said they can prevent such leaks "to a great extent," the rest answered "to some extent" or to "very little" extent.

Also, when asked about their hard-coded secrets strategy, 27% of the respondents revealed that they rely on manual reviews to detect hard-coded secrets, indicating an outdated, ineffective approach to secrets management. Additionally, 17% believed they didn't need secrets detection because they use a secret manager or a vault, and 3% admitted to not having a strategy at all.

A significant share (53%) of senior security respondents also admitted that secrets were being shared in plain-text messages within development teams.

"I think the biggest issue is just that developers may be careless about exposing secrets when they are writing code, but they forget to remove important data, credentials, or secrets when they commit code. Developer training and awareness is important, as well as giving them tools to easily find and correct security issues," Marks said.

The study noted that secrets detection and remediation, as well as secrets management, are less prioritized (in terms of investment) than other tools, notably runtime protection tools. While 38% of respondents revealed plans to invest in runtime application protection tools, only 26% and 25% respectively said they will put money into secrets detection and remediation and into secrets management.

GitGuardian's findings did, however, reveal a brighter side: 94% of the respondents said they were, in one way or another, considering improving their secrets practices in the coming 12-18 months.

Automated code reviews and secret scanners can help

Code reviews can be enhanced by automated code verification, such as running SAST (static analysis), SCA (software composition analysis), and a secrets scanner, according to Segura.

"The latter is a must because a secret may have been deleted and be hidden from the reviewer while still representing a vulnerability present in the code history," Segura said.

GitGuardian said that depending on secret scanners alone may not be enough to safeguard an organization.

"Secret scanners can help, yes. But the bigger issue with secrets is the faster speed and volume of their releases. Secrets are an element that can scale rapidly with cloud-native development. So, it's not just whether there is scanning, it's the efficacy of the scans to reduce false positives, and then having the context to drive efficient remediation to reduce security risk," Marks said.

The study recommends preventing secrets leaks with pre-commit measures, since remediation can be tricky: gathering context on leaked secrets in order to prioritize them is crucial and can come with friction.
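The two points above, a deleted secret that still sits in the commit history and a pre-commit gate that stops it from being committed in the first place, as an added example that is not from the article or from GitGuardian's tooling; the two-revision history, the detector patterns, the placeholder key and password, and the entropy threshold used to suppress low-entropy false positives are all constructed assumptions:

```python
import math
import re
from collections import Counter

# Constructed two-revision history (not from the article). The key and password in
# revision "c1" are made-up placeholders; "c2" moves them out of the source.
HISTORY = [
    ("c1", 'AWS_KEY = "AKIAQ7F2WX9KLM3PZR8T"\n'
           'DB_URL = "postgres://app:s3cr3tP4ssw0rdXyZ@db/app"\n'),
    ("c2", 'AWS_KEY = os.environ["AWS_KEY"]\nDB_URL = os.environ["DB_URL"]\n'),
]

# Detector patterns (illustrative, not a complete rule set).
PATTERNS = {
    "aws_access_key": re.compile(r"AKIA[0-9A-Z]{16}"),
    "url_password": re.compile(r"://[^:/\s]+:([^@\s]+)@"),
    "generic_assignment": re.compile(
        r'(?i)(secret|password|token|api_key)\s*=\s*["\']([^"\']{8,})["\']'),
}

def shannon_entropy(s):
    """Bits per character; low values flag placeholders such as 'changeme'."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def scan_text(text, min_entropy=3.0):
    """Return (rule, line_no, candidate) for every likely secret in text.
    The entropy floor (assumed value) drops low-entropy false positives."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for rule, pat in PATTERNS.items():
            for m in pat.finditer(line):
                candidate = m.group(m.lastindex) if m.lastindex else m.group(0)
                if shannon_entropy(candidate) >= min_entropy:
                    findings.append((rule, line_no, candidate))
    return findings

def hidden_in_history(history):
    """Findings present in an earlier revision but absent from the latest one:
    a reviewer of HEAD never sees them, yet they remain in the repository."""
    latest = set(scan_text(history[-1][1]))
    return [(cid, f) for cid, text in history[:-1]
            for f in scan_text(text) if f not in latest]

def should_block_commit(staged_text):
    """Pre-commit gate: refuse the commit when staged content carries a likely secret."""
    return bool(scan_text(staged_text))
```

Scanning only the latest revision reports nothing, while `hidden_in_history` still surfaces both credentials from "c1"; the same `scan_text` call is what a pre-commit hook would run on the staged diff.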