Version control systems for source code, such as Git, are key tools in modern software development environments. Many developers use online services, such as GitHub or GitLab, for collaborative software development. While software projects often require code secrets to work, such as API keys or passwords, they need to be handled securely within the project. Previous research and news articles have illustrated that developers are blameworthy of committing code secrets, such as private encryption keys, passwords, or API keys, accidentally to public source code repositories. However, making secrets publicly available might have disastrous consequences, such as leaving systems vulnerable to attacks. In a mixed-methods study, we surveyed 109 developers and conducted 14 in-depth semi-structured interviews with developers which experienced secret leakage in the past. We find that 30.3% of our participants have encountered secret leakage in the past, and that developers are facing several challenges with secret leakage prevention and remediation. Based on our findings, we discuss challenges, e. g., estimating risks of leaked secrets, and needs of developers in remediating and preventing code secret leaks, e. g., low adoption requirements. We also give recommendations for developers and source code platform providers to reduce the risk of secret leakage.
翻译:诸如 Git 等源代码的版本控制系统是现代软件开发环境中的关键工具。 许多开发商使用GitHub 或 GitLab 等在线服务,如 GitHub 或 GitLab 来合作开发软件。 虽然软件项目通常需要代码秘密才能工作,例如 API 键或密码,但它们需要安全地在项目内处理。 先前的研究和新闻文章表明,开发商被指控犯有代码秘密,例如私人加密钥匙、密码或API 键,不小心落入公共源代码库。 然而,公开提供秘密可能会产生灾难性的后果,例如使系统易受攻击。在一项混合方法研究中,我们调查了109个开发商,与过去曾经历秘密泄漏的开发商进行了14次深入的半结构性访谈。我们发现,30.3%的参与者在过去曾遇到秘密泄漏,而开发商在秘密泄漏的预防和补救方面面临若干挑战。 根据我们的调查结果,我们讨论了挑战,例如,估计泄漏秘密的风险,以及开发商在补救和防止代码泄漏方面的需求。例如,我们向开发商提出建议,用于源代码源代码源代码泄漏。