Secrets Management: The Weak Link of API Security
May 22, 2023

Anusha Iyer

As organizations increasingly rely on APIs to streamline their operations and drive innovation, the need to securely authenticate across these critical communication channels is more important and complex than ever. The Corsha State of API Secrets Report 2023 highlights the need for better tools, technologies, and tradecraft around API secrets to help DevSecOps professionals who feel overwhelmed by the amount of time they must dedicate to API security and worried that their organizations remain vulnerable to breaches.

The Prime Culprit: Leaked API Secrets

API secrets leaks have been the driving force behind several recent high-profile security breaches, including Twitter, Dropbox, and Uber incidents. These breaches emphasize the importance of securing API secrets and the potential consequences organizations face if they do not.

One red flag uncovered by the report is the high prevalence of data breaches due to compromised API tokens. Over half (53%) of respondents have experienced a data breach with unauthorized access to their networks or apps due to compromised API tokens. This statistic underscores the need for improved API secrets management practices.

The report also found that although 72% of respondents use a secrets manager to handle their API secrets, more than half (56%) worry about potential data breaches. This suggests that simply using a secrets manager feels inadequate to ensure robust security.

The survey also reveals how much manual time professionals spend daily on secrets management. 86% of respondents spend up to 15 hours a week provisioning, managing, and dealing with secrets. This considerable time investment emphasizes the complexity and burden of API secrets management and underscores the need for more efficient and ideally automated practices around operations like secrets provisioning and rotation. After all, the tradeoff between security versus time and convenience is often solved by automation.

Inadequate Defenses

Clearly, API secrets leaks are a significant concern for DevSecOps teams and security personnel, despite the adoption of secrets managers. The report highlights that the current defenses in place for API secrets management fall short in multiple areas:

Inadequate secrets management policies: Many organizations lack comprehensive policies for handling API secrets, contributing to the persistence of security vulnerabilities.

Securing multi-cloud environments: With 44% of respondents hosting their API services across multiple clouds, managing secrets becomes even more complex as organizations must contend with varying security policies and mechanisms for each cloud provider.

Managing too many credentials: 78% of respondents reported managing at least 250 API tokens, keys, or certificates across their networks. With such a high volume of credentials to manage, scaling security strategies for API-based communication becomes increasingly difficult.

Thwarting insider threat: Granting all-or-nothing access to systems and service accounts is a common practice among more than 42% of respondents, which exacerbates the risks associated with insider threat. This approach fails to implement the principle of least privilege, which is crucial for minimizing the potential damage caused by compromised credentials or malicious insiders.

Poor visibility: More than 50% of respondents have little to no visibility into the machines, devices, or services (API clients) that utilize the API tokens, keys, and certificates that their organization provisions. This lack of visibility hampers organizations' abilities to detect and respond to potential security incidents.

Implementing Effective Secrets Management

The inadequacy of current defenses highlights the urgent need for organizations to adopt more robust and comprehensive approaches to API secrets management by embracing these five core tenets of effective secrets management:

Integrate a good secrets manager: Selecting and integrating a reputable secrets manager is a good first step to help organizations gain overall visibility into their secrets, allowing for better management and control over sensitive data.

Utilize mTLS (Mutual Transport Layer Security): When and where possible, use mTLS to establish secure, encrypted communication channels between clients and servers, further enhancing the security of API transactions. Remember to factor good hygiene and secrets management of these certificates into new workflows though!

Set short expiry periods for secrets: Always set short expiry periods for secrets when possible. This limits the time window during which a potentially stolen secret can be exploited if compromised.

Sign and verify all tokens: Ensure secrets are always signed and verified to confirm their authenticity and integrity, reducing the risk of unauthorized access or data tampering. This is a great area to use

Avoid plaintext storage or transmission of secrets: Never store or pass secrets in plaintext, as this leaves them susceptible to interception or unauthorized access. Instead, always encrypt secrets during storage and transmission.

We also recommend adding a clear additional factor to API authentication, such as Multi-Factor Authentication (MFA). As API usage grows, static secrets are harder to manage and more vulnerable to compromise. We all now recognize the challenges associated with static passwords for human users and have adopted MFA to mitigate the risks for nearly all accounts, especially sensitive ones. The challenge with this bearer model of authentication using simple API keys, tokens, and credentials is no different.

As the digital landscape continues to evolve, it is crucial to recognize that risk is predominantly shifting from human to machine and, even more so, to machine-to-machine interactions. This transformation calls for reevaluating existing security measures and implementing more effective API authentication and secrets hygiene.

Adhering to some of these best practices will enable organizations to significantly improve their API security posture, alleviate the concerns of DevSecOps teams, and better safeguard critical digital assets against ever-evolving threats.

Anusha Iyer is CEO and Co-Founder of Corsha
Share this

Industry News

June 25, 2024

JFrog has entered into a definitive agreement to acquire Qwak AI Ltd., creator of an AI and MLOps platform.

June 25, 2024

OutSystems announced that OutSystems Developer Cloud (ODC) has achieved SOC 2 attestation, a requirement of organizations deploying mission-critical systems and applications that manage sensitive personal data.

June 25, 2024

Bitwarden announced public beta availability for integrating Bitwarden Secrets Manager into Kubernetes workflows for developers and DevOps teams.

June 25, 2024

GitLab achieved “In Process” designation at the Moderate impact level from the Federal Risk and Authorization Management Program (FedRAMP).

June 24, 2024

Grid Dynamics announced its AI for Developer Productivity Toolkit.

June 24, 2024

Multiplayer, a collaborative developer platform for teams who work on distributed software, officially announced its General Availability.

June 24, 2024

DataStax announced major updates to its Generative AI development platform that help make retrieval augmented generation (RAG) powered application development 100X faster.

June 24, 2024

Kobiton announced that its mobile app testing platform now supports the beta version of iOS 18.

June 20, 2024

Oracle announced new application development capabilities to enable developers to rapidly build and deploy applications on Oracle Cloud Infrastructure (OCI).

June 20, 2024

SUSE® announced new capabilities across its Linux, cloud native, and edge portfolio of enterprise infrastructure solutions to help unlock the infinite potential of open source in enterprises.

June 20, 2024

Redgate Software announced the acquisition of DB-Engines, an independent source of objective data in the database management systems market.

June 18, 2024

Parasoft has achieved "Awardable" status through the Chief Digital and Artificial Intelligence Office's (CDAO) Tradewinds Solutions Marketplace.

June 18, 2024

SmartBear launched two innovations that fundamentally change how both API and functional tests are performed, integrating SmartBear HaloAI, trusted AI-driven technology, and marking a significant step forward in the company's AI strategy.

June 18, 2024

Datadog announced the general availability of Datadog App Builder, a low-code development tool that helps teams rapidly create self-service applications and integrate them securely into their monitoring stacks.

June 17, 2024

Netlify announced a new Adobe Experience Manager integration to ease the transition from legacy web architecture to composable architecture.