Code in an organization's software supply chain contains secrets, including personally identifiable information (PII), passwords and other sensitive enterprise data.

Whether a code repository is public or private, attackers can target it to find PII and other organizational secrets. Secrets embedded in code across the software supply chain are one of the most common risks and have been the source of some high-profile cloud-native application cyberattacks.

Exposed secrets found in public and private repositories

The “Secrets Insights Across the Software Supply Chain” report from Apiiro analyzed over 25,000 repositories, ranging from small to large organizations, to discover the state of secrets in today's code.

The report found that 50% of all secrets in private repositories are exposed secrets that are immediately accessible once an attacker has gained access to a network.

Out of all secrets detected by the report, 38% are in repositories with PII. What's more, 42% of all exposed secrets are plain text passwords.

The mean time to remediation (MTTR) once these exposed secrets are discovered is 90 days, indicating that secrets lurk in source code repositories for months before removal and leave potentially sensitive data exposed throughout that time.
