Developers' Experiences on Code Secret Management - Interviews
In a mixed-methods study with 109 survey respondents and 14 interview participants, we investigate how developers handle secret information in source code repositories. We found that 30.3% of our participants encountered code secret leaks in the past. Most of them face several challenges with secret leakage prevention and remediation. Based on our findings, we discuss challenges, such as estimating the risks of leaked secrets, and the needs of developers in remediating and preventing code secret leaks, such as low adoption requirements.

Publication #


First page of the preprint
Pushed by Accident: A Mixed-Methods Study on Strategies of Handling Secret Information in Source Code Repositories
Alexander Krause, Jan H. Klemmer, Nicolas Huaman, Dominik Wermke, Yasemin Acar and Sascha Fahl.
32nd USENIX Security Symposium (USENIX Security '23), Anaheim, CA, USA, August 9-11, 2023.

Abstract
Version control systems for source code, such as Git, are key tools in modern software development. Many developers use services like GitHub or GitLab for collaborative software development. Many software projects include code secrets such as API keys or passwords that need to be managed securely. Previous research and blog posts found that developers struggle with secure code secret management and accidentally leaked code secrets to public Git repositories. Leaking code secrets to the public can have disastrous consequences, such as abusing services and systems or making sensitive user data available to attackers. In a mixed-methods study, we surveyed 109 developers with version control system experience. Additionally, we conducted 14 in-depth semi-structured interviews with developers who experienced secret leakage in the past. 30.3% of our participants encountered code secret leaks in the past. Most of them face several challenges with secret leakage prevention and remediation. Based on our findings, we discuss challenges, such as estimating the risks of leaked secrets, and the needs of developers in remediating and preventing code secret leaks, such as low adoption requirements. We conclude with recommendations for developers and source code platform providers to reduce the risk of secret leakage.

Acknowledgements #

We want to thank all survey participants and interviewees for supporting our research. Furthermore, we thank the anonymous reviewers and our shepherd for their constructive feedback. This research was funded in part by the VolkswagenStiftung Niedersächsisches Vorab – ZN3695, the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) under Germany’s Excellence Strategy – EXC 2092 CASA – 390781972, and NSF grants CNS-2206865 and CNS-2207008. Any findings and opinions expressed in this material are those of the authors and do not necessarily reflect the views of the funding agencies.

Artifacts #

In line with the effort to support replication of our work and help other researchers build upon it, we provide a replication package at https://doi.org/10.25835/xfc2h3pg. The replication package contains the following artifacts:

Survey

  • consentForm.html - Consent Forms
  • upwork_recruitment_material.md - Upwork Recruiting Material
  • github_invite_mail.md - GitHub Recruiting Email
  • survey.md - Survey - Questionnaire
  • survey-matrix.png - Survey - Questionnaire - Q10 Matrix
  • codebook.md - Codebook

Interviews

  • consentForm.html - Consent Form
  • pre-survey.md - Interview Pre-Survey
  • Interview_Guide.pdf - Interview Guide
  • codebook.txt - Codebook
  • invite_mail.md - GitHub Recruiting Email

Additional Sections

  • background.md - Background Section Markdown

Cite This Work #

@inproceedings{conf/usenix/krause23,
  title     = {Pushed by Accident: A Mixed-Methods Study on Strategies of Handling Secret Information in Source Code Repositories},
  author    = {Alexander Krause and
               Jan H. Klemmer and
               Nicolas Huaman and
               Dominik Wermke and
               Yasemin Acar and
               Sascha Fahl},
  booktitle = {32nd {USENIX} Security Symposium, {USENIX} Security '23, Anaheim, CA, USA, August 9-11, 2023},
  month     = {Aug},
  year      = {2023},
  publisher = {USENIX Association},
  url       = {https://www.usenix.org/conference/usenixsecurity23/presentation/krause},
}