TeamUSEC

Poster: Committed by Accident – Prevention and Remediation Strategies Against Secret Leakage

Alexander Krause, Jan H. Klemmer, Nicolas Huaman, Dominik Wermke, Yasemin Acar and Sascha Fahl.
In 43rd IEEE Symposium on Security and Privacy, IEEE S&P 2022, May 23-26, 2022

Abstract

Version control systems for source code, such as Git, are key tools in modern software development environments. Many open-source projects use online services such as GitHub or GitLab. Previous work and news articles illustrate that developers tend to commit code secrets such as private encryption keys, passwords, or API keys accidentally. However, making secrets available to the public Internet might have disastrous consequences, such as leaving systems vulnerable to attacks. In a mixed-methods study, we surveyed 109 developers, including 50 freelancers from Upwork and 59 developers from GitHub, with a focus on their strategies for secret leakage prevention and their secret leakage experiences. We also analyzed 100 online guidelines for secret leakage prevention and remediation. We find that 30.3% of our participants have encountered secret leakage in the past, and the online guidelines we analyzed do not sufficiently address secret leakage prevention and remediation. We conclude with recommendations for developers and an outlook on this research.
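As an added example, not part of the poster or of the authors' study, here is one concrete prevention strategy of the kind the abstract refers to: a small pre-commit-style scanner in Python that inspects only the lines a commit would add (the `+` lines of a unified diff, excluding `+++` file headers) for the secret types named above, namely private key blocks, API keys such as AWS access key IDs, and hard-coded passwords, with a Shannon-entropy heuristic as a fallback for opaque tokens that no known format matches. The regexes, the entropy threshold of 4.0 bits per character, the function names and the sample diff are assumptions constructed for this example; the access key ID in the sample is AWS's documented placeholder value, not a real credential.

```python
"""Pre-commit secret scanner over the added lines of a unified diff (added example)."""
import math
import re
import sys
from collections import Counter
from typing import List, Tuple

# Regexes for the secret types the abstract names. The AWS access key ID
# format (AKIA/ASIA + 16 upper-case alphanumerics) is AWS's documented format;
# the other patterns are illustrative assumptions, not an exhaustive rule set.
PATTERNS = {
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(
        r"(?i)(?:password|passwd|pwd)\s*[=:]\s*['\"]([^'\"]{6,})['\"]"
    ),
}

# Candidate opaque tokens for the entropy heuristic (base64/hex-like runs of 20+ chars).
TOKEN = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; an assumed tuning value, not from the poster


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character; 0.0 for empty or single-symbol strings."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def scan_line(line: str) -> List[str]:
    """Return the kinds of secret found on one line of content (diff prefix already stripped)."""
    kinds = [name for name, pat in PATTERNS.items() if pat.search(line)]
    if not kinds:
        # Fall back to the entropy heuristic only when no known format matched,
        # so a recognised key is reported once rather than twice.
        if any(shannon_entropy(tok) >= ENTROPY_THRESHOLD for tok in TOKEN.findall(line)):
            kinds.append("high_entropy_string")
    return kinds


def scan_diff(diff_text: str) -> List[Tuple[int, str]]:
    """Scan only the lines a commit would add: '+' lines, excluding '+++' file headers."""
    findings = []
    for lineno, raw in enumerate(diff_text.splitlines(), start=1):
        if not raw.startswith("+") or raw.startswith("+++"):
            continue
        for kind in scan_line(raw[1:]):
            findings.append((lineno, kind))
    return findings


def should_block(diff_text: str) -> bool:
    """Hook decision: block the commit if anything was found."""
    return bool(scan_diff(diff_text))


# Constructed sample diff (not real data). AKIAIOSFODNN7EXAMPLE is AWS's documented
# placeholder key ID; the other values are made up for the example.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,2 +1,5 @@
 import os
-API_KEY = os.environ["API_KEY"]
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "hunter2hunter2"
+SIGNING_SECRET = "q7Xk2mP9vL4nR8sT1wZ5yB3cD6fG0hJa"
+# TODO: move these to a secret manager
"""


if __name__ == "__main__":
    # Usage from a pre-commit hook: git diff --cached | python scan_secrets.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    for lineno, kind in scan_diff(text):
        print(f"diff line {lineno}: possible {kind}")
    sys.exit(1 if should_block(text) else 0)
```

On the sample diff the scanner reports the access key ID on diff line 7, the password assignment on line 8 and the 32-character opaque token on line 9 (all 32 characters distinct, so 5.0 bits per character), and exits non-zero so the hook refuses the commit. Two design points matter in practice: scanning only added lines keeps the hook fast and avoids re-flagging material already in history, and the entropy fallback runs only when no format matched, which keeps a recognised key from being reported twice. Detection of this kind is prevention; it does nothing for remediation. Once a secret has reached a public remote it must be treated as compromised and rotated first, because rewriting history does not recall clones, forks or caches that already hold the commit.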

Reference

@misc{poster/oakland/krause22,
  author       = {Alexander Krause and Jan H. Klemmer and Nicolas Huaman and Dominik Wermke and Yasemin Acar and Sascha Fahl},
  title        = {Poster: Committed by Accident – Prevention and Remediation Strategies Against Secret Leakage},
  howpublished = {In 43rd IEEE Symposium on Security and Privacy, IEEE S&P 2022, May 23-26, 2022},
  month        = {May},
  year         = {2022},
  url          = {https://www.ieee-security.org/TC/SP2022/program-posters.html}
}