Reversing Labs, the leader in software supply chain security, today unveiled new secrets detection features within its Software Supply Chain Security (SSCS) platform. Reversing Labs is the first solution of its kind to improve secrets detection coverage by providing teams with the context and transparency needed to prioritize developer’s remediation efforts, reduce manual triage fatigue and improve security controls for preventing leakage.
“These new capabilities underscore Reversing Labs commitment to address growing software supply chain complexity and increasingly sophisticated threats. Our comprehensive solution enables teams to securely control the release of software via the detection of software supply chain threats, malware, malicious behaviors, tampering and secrets exposures,” said Mario Vuksan, CEO and Co-founder of Reversing Labs. “Supply chain risks demand evolved application security capabilities that confront the full spectrum of challenges introduced by open source- and third party components, commercial software, and binary misconfigurations. Our SSCS platform goes beyond existing solutions that only provide open-source licensing compliance and vulnerability detection or analyze source code quality for vulnerabilities to fill in the gaps they leave behind.
The Risk of Secrets
Complex software today includes components that rely on digital authentication credentials commonly referred to as secrets, which include tools such as login credentials, API tokens, and encryption keys. While critical for the software to function, managing secrets across every component of code, Software Development Life Cycle (SDLC), or Continuous Integration and Continuous Delivery (CI/CD) stages is a challenge that can result in secrets being left exposed. Potential exposure can stem from the use of plain text, weak cryptography, build scripts including directories with secrets configuration files, CI/CD or packaging automation mistakes and inclusion by compromised developer accounts or malicious insiders.
“Exposed secrets included in software release packages leave businesses vulnerable to a software supply chain breach. Look no further than the CircleCI and CodeCov incidents,” added Vuksan. “With these new secrets capabilities, we are giving software publishers something other available offerings don’t. That’s better visibility into their supply chain risks with specific capabilities for secrets detection and management.”
Detect and Remediate Secrets Exposure
Current secrets detection tools fall short because they are unable to remove false positives, itemize all secrets in builds or provide actionable results. As a result, many developers bypass discovered features rather than triage and fix them. These offerings also cannot determine which secrets have already been exposed, when to underscore the level of risk or to automatically suppress third party secrets and other false positive results that are not actionable. ReversingLabs new capabilities give developers the visibility and confidence they need to prioritize detected secrets and issue actionable warnings to developers that help provide immediate resolution.
ReversingLabs Software Supply Chain Security solution can identify more than 250 secret-types out of the box, including private keys, version control, certs, tokens, and more. Once identified, its transparent detection capabilities allow teams to view discovered secrets for immediate true positive confirmation, determine its precise location, which services are affected, and if those secrets are exposed or leaked elsewhere. The solution prioritizes all remediation efforts by suppressing third party, open-source, testing keys, and other commonly shared secrets while reducing the fatigue that results from manual triage.
ReversingLabs secrets capabilities include superior detection coverage and contextual prioritization, “just in time” secrets management, canary token management and custom detection policies. Additionally, ReversingLabs provides publicly available guidance for sensitive information policies, including documentation of public exposures and secrets breakdown by service for web service access credentials, web service access tokens, web service API keys and webhook service access keys.