February 2025
·
1 Read
Since 2020, GitGuardian has been detecting checked-in hard-coded secrets in GitHub repositories. During 2020-2023, GitGuardian has observed an upward annual trend and a four-fold increase in hard-coded secrets, with 12.8 million exposed in 2023. However, removing all the secrets from software artifacts is not feasible due to time constraints and technical challenges. Additionally, the security risks of the secrets are not equal, protecting assets ranging from obsolete databases to sensitive medical data. Thus, secret removal should be prioritized by security risk reduction, which existing secret detection tools do not support. The goal of this research is to aid software practitioners in prioritizing secrets removal efforts through our security risk-based tool. We present RiskHarvester, a risk-based tool to compute a security risk score based on the value of the asset and ease of attack on a database. We calculated the value of asset by identifying the sensitive data categories present in a database from the database keywords in the source code. We utilized data flow analysis, SQL, and ORM parsing to identify the database keywords. To calculate the ease of attack, we utilized passive network analysis to retrieve the database host information. To evaluate RiskHarvester, we curated RiskBench, a benchmark of 1,791 database secret-asset pairs with sensitive data categories and host information manually retrieved from 188 GitHub repositories. RiskHarvester demonstrates precision of (95%) and recall (90%) in detecting database keywords for the value of asset and precision of (96%) and recall (94%) in detecting valid hosts for ease of attack. Finally, we conducted a survey (52 respondents) to understand whether developers prioritize secret removal based on security risk score. We found that 86% of the developers prioritized the secrets for removal with descending security risk scores.
![Figure 7: Calls received by RRAPTOR signed with STIR/SHAKEN in 2024 (normalized by total calls per day) 5.1.2. Role of Honeypots in Characterizing Robocalls. Honeypots serve as valuable vantage points to study robocalls. We discuss and quantify the impact of adding interactivity to honeypots and how that can improve our visibility into the robocalling ecosystem. Finding 4: Large-scale and long-running honeypots are reliable vantage points to measure broader robocalling phenomena. To study the extent to which honeypots can be used to measure broader phenomena within the robocalling landscape, we compare two phenomena inherent to the robocalling ecosystem. Namely, fraction of unsolicited phone calls signed with STIR/SHAKEN and distribution of languages used by robocalling campaigns. The fraction of unsolicited phone calls signed with STIR/SHAKEN is consistent across three distinct vantage points -RRAPTOR, Robocall Observatory and independent industry reports. As seen in Figure 7 and Figure 8, the fraction of signed calls is about 80% across both honeypots as of May 2024, while following a similar trend throughout 2024. Furthermore, Aattested calls are the most common, with C-attested calls being the second most while B-attested calls were the third most common category. Finally, in both honeypots, the largest fraction of robocall campaigns use English. Spanish and Mandarin are the second and third most common languages, respectively. By comparing the signing rates and language distribution, we find that broader phenomena measured using Robocall Observatory and RRAPTOR as two different vantage points are consistent. This demonstrates that honeypots operating at the scale of Robocall Observatory and RRAPTOR are reliable sources of data for measuring broader robocalling phenomena. They can independently report and provide valuable insights into the robocalling ecosystem. Honeypots can differ in their operational characteristics by being more or less interactive, as described in Section 2 [32]. However, developing, deploying and operating an interactive honeypot (versus a non-interactive honeypot) is substantially more challenging. It requires well-timed interactive prompts, more computational resources, and nontrivial design overhaul to detect and play audio in near-real time. Such fundamental changes to a honeypot's design is not justified if it yields only marginal benefits.](https://www.researchgate.net/publication/385177337/figure/fig3/AS:11431281285431657@1729739821328/Calls-received-by-RRAPTOR-signed-with-STIR-SHAKEN-in-2024-normalized-by-total-calls-per_Q320.jpg)
