Funder
National Science Foundation
Award
CNS-2055554
Period
2021-07 – 2025-06
PI
Laurie Williams
Co-PI
Brad Reaves
SaTC: Risk-based Secure Checked-in Credential Reduction for Software Development
Abstract
Similar to human users, software relies heavily on credentials, such as passwords, to prove identity and the right to access resources. During software development, software engineers may need to share these software credentials, and operators who deploy the software often need to distribute them securely to servers. Engineers may take the path of least resistance, which includes storing credentials -- keys, database connection strings, certificates, usernames and passwords -- in the distributed version control systems used to manage software development. This type of storage makes accessing and distributing these credentials more convenient, but it also creates the very real hazard that they will be leaked to the public or to insider threats. This project will develop an understanding of how software engineers choose to manage credentials, and will develop techniques, tools, and datasets to better detect credential leaks and to prioritize credential removal based on the risk that disclosure of the credential would create. The project will include a mixed-methods investigation of the interplay between functional and security concerns in the software engineer's overall decision-making strategy for protecting or revealing credentials in software artifacts. The findings will inform an approach to improving the ability of static analysis tools to detect more credentials with a lower false positive rate. Additionally, the project will identify the asset being protected by each credential, which will enable automated or semi-automated risk estimation. Finally, the project will lead to the creation and evaluation of new techniques for securely storing and sharing secrets among project teams and within a system.
Related Publications
- It Should Be Easy but... New Users' Experiences and Challenges with Secret Management Tools. Lorenzo Neil, Dhruv Mungara, Laurie Williams, Yasemin Acar, and Bradley Reaves. Proceedings of the ACM SIGSAC Conference on Computer and Communications Security.
- A Comparative Study of Software Secrets Reporting by Secret Detection Tools. Setu Basak, Jameson Cox, Bradley Reaves, and Laurie Williams. ACM/IEEE International Symposium on Empirical Software Engineering and Measurement.
- What Challenges Do Developers Face About Checked-in Secrets in Software Artifacts? Setu Kumar Basak, Lorenzo Neil, Bradley Reaves, and Laurie Williams. Proceedings of the IEEE/ACM International Conference on Software Engineering.
- SecretBench: A Dataset of Software Secrets. Setu Kumar Basak, Lorenzo Neil, Bradley Reaves, and Laurie Williams. Mining Software Repositories, Data and Showcase Track.
- What are the practices for secret management in software artifacts? Setu Basak, Lorenzo Neil, Bradley Reaves, and Laurie Williams. Proceedings of the IEEE Secure Development Conference.
- Characterizing the Security of GitHub CI Workflows. Igibek Koishybayev, Aleksandr Nahapetyan, Raima Zachariah, Siddharth Muralee, Bradley Reaves, Alexandros Kapravelos, and Aravind Machiry. Proceedings of the USENIX Security Symposium.