OWASP, the Open Web Application Security Project foundation that works to improve the security of software, lists hardcoded secrets as one of its famous list of the Top 10 Web Application Security Risks. The vulnerability ranked #2 in the latest edition published in 2021, under the Cryptographic Failures (A02:2021) entry.
MITRE, famous for its ATT&CK knowledge base of adversary tactics and techniques, also lists the use of hardcoded credentials in its CWE Top 25 Most Dangerous Software Weaknesses. The vulnerability ranked #15 in the 2022 edition, under CWE-798 – Use of Hard-coded Credentials.
Hardcoded secrets is a unique vulnerability in source code when compared to other vulnerabilities found through static or dynamic analysis. Regardless of whether the code is compiled and in runtime or not, hardcoded secrets represent a risk in themselves. Attackers who gain initial access to a repository can traverse all its branches and commit history to look for valid secrets. It does not matter if a secret is found on the deployed main branch or a short-lived bugfix branch, as long as it is valid and gives access to a resource (e.g. a server, a database, a third-party API).
Developers write code with the best of intentions, but they still end up compromising credentials and sensitive data. With 6 million secrets exposed on public GitHub in 2021 and a lot more in the private repositories, our research in the State of Secrets Sprawl 2022 report shows that this problem is much more common than developers and security engineers think.