Plaintext credentials, aka secrets, are one of the most dangerous things in your environments. Each year GitGuardian releases our State of Secrets Sprawl report, finding 12.8 million hardcoded secrets in public repos on GitHub alone!

The problem of our API keys, passwords, and other credentials making it into our code, and other places like our logs, Jira, and Slack, is getting worse, not better.

To make the matter even more serious, a full 27% of IT leaders we surveyed said they are relying on manual code reviews to address this issue.

If you have never tried to identify all the keys and passwords in a codebase or message system, here is your chance to see what that feels like and get the chance to see what a difference the right tool makes to the process.

What you will need:

• 1 deck of Spot the Secrets cards: 65 commits, 15 log files, 10 Jira tickets, 10 Slack messages
• 1 UV flashlight
• This instruction booklet
• A stopwatch (like the one on your phone)
• A way to record your time (paper, a note app, etc)

Get Ready To Fight Secrets Sprawl!

Plaintext credentials, aka secrets, are lurking throughout your environment. Your mission is to manually find any secrets that would grant access to another system or decrypt data. You will be timing yourself as you go.

Be careful, though; each false positive or false negative will add penalty time.

The Spot the Secrets exercise is divided into three rounds.

Round 1: Manually reviewing the code base.

Round 2: Find the secrets in logs, Jira, and Slack.

Round 3: Identify the false positives and false negatives.

Beginning layout:

All blue Commit cards should be placed face-down in front of the player, and the stopwatch should be reset. All other cards and the UV flashlights should be placed out of the way.

Round 1: Review All The Commits

Congratulations, you have been selected for the important mission of finding all the secrets in the current codebase. You have been assigned a portion of the most recent commits to search through. We are looking through each commit instead of the whole codebase, as secrets can linger in older commits even if the secret is removed in a subsequent commit. Get your timer ready…

When ready, start the timer.

The player examines each Commit card.

If the card contains a secret, place it face-up above the unexamined commits.

Any cards without a secret should be placed face-up below the unexamined commits.

When each card has been evaluated, pause the timer but do not reset it.

Move the cards to the side, taking care to keep the face-up secrets and no-secrets piles separate.

Round 2: Finding Secrets Everywhere

Oh no! An attacker has gained access to our environments. We now need you to find any secrets in the log files, Jira comments, and Slack messages. Finding plaintext credentials is one of the easiest ways for an intruder to laterally move to increase their footprint.

Place the Log, Jira, and Slack cards in front of the player, face-down in three Stacks.

When ready, restart the stopwatch (adding on to the previous time).

The player will go through each card pile and, as in round one, place any cards with a secret face up above the face-down pile.

Any cards with no secret should be placed face-up below the face-down pile.

Stop the timer and write down your time after each card has been evaluated.

Round 3: Leveraging The Right Tool

By now, you must be thinking, "There must be an easier way to do this." Good news: There is! For this exercise, you will use your UV flashlight to expose hidden markings on some of the cards. There is no need to time yourself on this round; we just want to see how many you got right.

Using the UV flashlight, illuminate the face-up cards starting with the ones you believe contain a secret.

If a secret is present, the card will reveal "S" markings and some will reveal "V" markings as well, which are invisible in regular light.

If a card in your 'secrets' piles contains an S marking, congratulations, you correctly identified a secret! As you might have guessed, S stands for "Secret."

V stands for "Valid Secret," meaning if an attacker would have found this plaintext credential, they could have used it!

While you are examining each secret, we encourage you to think about how you would have validated it without the tool.

If a card in your secrets pile contains no markings, that is a false positive.

If a card in your no-secrets piles contains an S or V marking under UV light, it is a false negative.

Add up the total number of false positives and false negatives.

Your final time:

Add 10 seconds to your total time from the first two rounds for each false positive and false negative.

For example: If your time from the first two rounds was 5:05 (five minutes and five seconds), with 10 total false positives or negatives, your final time would be adjusted to 5:55

Ask yourself:

How long did it take to identify the false positives and negatives?

How would you have manually determined if a secret was valid?

Wouldn't this be easier if you had used the flashlight from the start?

Yes, you can use a tool in the real world.

In the real world, the GitGuardian Secrets Detection Platform can help you find plaintext credentials even faster and easier than the flashlight! Get started today at gitguardian.com