Secrets Management: The Weak Link of API Security
May 22, 2023

Anusha Iyer
Corsha

As organizations increasingly rely on APIs to streamline their operations and drive innovation, the need to securely authenticate across these critical communication channels is more important and complex than ever. The Corsha State of API Secrets Report 2023 highlights the need for better tools, technologies, and tradecraft around API secrets to help DevSecOps professionals who feel overwhelmed by the amount of time they must dedicate to API security and worried that their organizations remain vulnerable to breaches.
The Prime Culprit: Leaked API Secrets

Leaked API secrets have been the driving force behind several recent high-profile security breaches, including the Twitter, Dropbox, and Uber incidents. These breaches emphasize the importance of securing API secrets and the consequences organizations face if they do not.

One red flag uncovered by the report is the high prevalence of data breaches due to compromised API tokens. Over half (53%) of respondents have experienced a data breach with unauthorized access to their networks or apps due to compromised API tokens. This statistic underscores the need for improved API secrets management practices.

The report also found that although 72% of respondents use a secrets manager to handle their API secrets, more than half (56%) still worry about potential data breaches. This suggests that simply deploying a secrets manager is not felt to be enough to ensure robust security.

The survey also reveals how much manual time professionals spend on secrets management. 86% of respondents spend up to 15 hours a week provisioning, managing, and dealing with secrets. This considerable time investment emphasizes the complexity and burden of API secrets management and underscores the need for more efficient, and ideally automated, practices around operations such as secrets provisioning and rotation. After all, the tradeoff between security on one side and time and convenience on the other is often resolved by automation.

Inadequate Defenses

Clearly, API secrets leaks are a significant concern for DevSecOps teams and security personnel, despite the adoption of secrets managers. The report highlights that the current defenses in place for API secrets management fall short in multiple areas:

Inadequate secrets management policies: Many organizations lack comprehensive policies for handling API secrets, contributing to the persistence of security vulnerabilities.

Securing multi-cloud environments: With 44% of respondents hosting their API services across multiple clouds, managing secrets becomes even more complex as organizations must contend with varying security policies and mechanisms for each cloud provider.

Managing too many credentials: 78% of respondents reported managing at least 250 API tokens, keys, or certificates across their networks. With such a high volume of credentials to manage, scaling security strategies for API-based communication becomes increasingly difficult.

Thwarting insider threats: More than 42% of respondents report granting all-or-nothing access to systems and service accounts, a practice that exacerbates insider-threat risk. This approach ignores the principle of least privilege, which is crucial for limiting the damage a compromised credential or malicious insider can cause.

Poor visibility: More than 50% of respondents have little to no visibility into the machines, devices, or services (API clients) that use the API tokens, keys, and certificates their organization provisions. This lack of visibility hampers an organization's ability to detect and respond to security incidents.

Implementing Effective Secrets Management

The inadequacy of current defenses highlights the urgent need for organizations to adopt more robust and comprehensive approaches to API secrets management by embracing these five core tenets of effective secrets management:

Integrate a good secrets manager: Selecting and integrating a reputable secrets manager is a good first step to help organizations gain overall visibility into their secrets, allowing for better management and control over sensitive data.

Utilize mTLS (Mutual Transport Layer Security): When and where possible, use mTLS to establish secure, encrypted, mutually authenticated channels between clients and servers, further enhancing the security of API transactions. Remember to factor good hygiene and secrets management for these certificates into the new workflows, though!

Set short expiry periods for secrets: Always set short expiry periods for secrets when possible. This limits the window during which a stolen secret can be used.

Sign and verify all tokens: Ensure secrets are always signed and verified to confirm their authenticity and integrity, reducing the risk of unauthorized access or data tampering. This is a great area to use

Avoid plaintext storage or transmission of secrets: Never store or pass secrets in plaintext, as this leaves them susceptible to interception or unauthorized access. Instead, always encrypt secrets during storage and transmission.
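The "short expiry" and "sign and verify" tenets can be combined in one small primitive. The following is an added example, not code from the article or from Corsha: it mints an HMAC-signed API token with an embedded expiry and verifies it with a constant-time comparison, rejecting expired, forged, or tampered tokens. It assumes the signing key is fetched from a secrets manager (stubbed here as a constructed constant).

```python
# Added example (not from the original article): short-lived, HMAC-SHA256-signed
# API tokens of the form <base64url(payload)>.<base64url(signature)>.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumption: in practice this key is loaded from a secrets manager, never hard-coded.
DEMO_KEY = b"constructed-demo-key-do-not-use"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(key: bytes, client_id: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Issue a token for client_id that expires ttl_seconds after issuance."""
    issued = int(time.time() if now is None else now)
    payload = {"sub": client_id, "iat": issued, "exp": issued + ttl_seconds}
    body = _b64url(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64url(sig)}"


def verify_token(key: bytes, token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the payload if the signature is valid and the token is unexpired, else None."""
    current = time.time() if now is None else now
    try:
        body, sig_b64 = token.split(".", 1)
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        # Constant-time comparison avoids leaking signature bytes through timing.
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        payload = json.loads(_b64url_decode(body))
    except ValueError:  # covers bad base64, bad JSON, and malformed tokens
        return None
    if not isinstance(payload, dict) or payload.get("exp", 0) <= current:
        return None  # expired (or missing expiry) tokens are never accepted
    return payload
```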

We also recommend adding a clear additional factor to API authentication, in the spirit of Multi-Factor Authentication (MFA). As API usage grows, static secrets become harder to manage and more vulnerable to compromise. We all now recognize the challenges of static passwords for human users and have adopted MFA to mitigate the risks for nearly all accounts, especially sensitive ones. The bearer model of authentication, where possession of a simple API key, token, or credential alone grants access, presents exactly the same challenge.

As the digital landscape continues to evolve, it is crucial to recognize that risk is predominantly shifting from human to machine and, even more so, to machine-to-machine interactions. This transformation calls for reevaluating existing security measures and implementing more effective API authentication and secrets hygiene.

Adhering to some of these best practices will enable organizations to significantly improve their API security posture, alleviate the concerns of DevSecOps teams, and better safeguard critical digital assets against ever-evolving threats.

Anusha Iyer is CEO and Co-Founder of Corsha