
Retail secrets management: are your controls ready for peak season?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8534
Topic starter  

TL;DR: Retailers face holiday-season outages and exposure when credentials, API tokens, and certificates fail under load, with the article citing GitGuardian’s 23.7 million new hardcoded secrets on GitHub in 2024 and IBM’s $4.81 million average cost for compromised credentials. The governance gap is structural: identity programmes still assume secrets can be managed manually at the speed of peak commerce.

NHIMG editorial — based on content published by Akeyless: retail secrets management for peak season resilience

By the numbers:

Questions worth separating out

Q: How should security teams manage secrets during retail peak season?

A: Treat secret management as a business continuity control, not just an AppSec task.

Q: Why do hardcoded secrets become such a serious risk in retail environments?

A: Hardcoded secrets spread quickly through code, configuration, and pipelines, which makes them difficult to find and revoke once released.

Q: What breaks when just-in-time access is not used for seasonal staff and services?

A: Standing access expands blast radius and makes it harder to contain a compromise or accidental misuse.

Practitioner guidance

  • Automate certificate renewal and secret rotation before peak traffic: remove manual renewal steps for database credentials, API tokens, and TLS certificates.
  • Block hardcoded secrets at commit and build time: scan source code, configuration files, and CI/CD output for exposed credentials, and fail the pipeline when secrets appear outside approved vault paths.
  • Map ownership for every secret across retail systems: assign a named owner for each credential, token, and certificate across stores, APIs, legacy apps, and cloud services.

What's in the full article

Akeyless's full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step retail secrets readiness checklist for rotations, renewals, and expiry testing
  • Practical guidance for local secret caching at the edge without weakening read-only controls
  • Implementation detail on just-in-time access for seasonal workers, shared accounts, and APIs
  • Akeyless's own platform guidance for unifying secrets, keys, and certificates across retail environments

👉 Read Akeyless's analysis of retail secrets management for peak season resilience →




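The "block hardcoded secrets at commit and build time" guidance above describes a pipeline gate: flag credential-shaped values, but let references to an approved vault path through. Below is an added example of such a gate, written for this thread; it is not Akeyless's code or the NHIMG post's own tooling. It assumes a `vault://` URI convention for approved references (an assumption for illustration, not a real product scheme), uses a few well-known credential formats plus a Shannon-entropy check for generic `password=` / `api_key=` assignments, and runs over a constructed sample config embedded inline.

```python
"""Commit/CI gate: fail when a literal secret appears outside an approved vault reference.

Added example for this thread; not Akeyless's or NHIMG's own code.
"""
import math
import re
import sys
from collections import Counter

# Assumed convention for this example: an approved secret is a reference to a vault
# path, never the value itself. The `vault://` scheme is hypothetical.
APPROVED_REF = re.compile(r"^vault://[\w/.-]+$")

# Detectors for credential formats with a fixed, recognisable shape.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Generic `password = "..."` / `api_key: ...` assignments: caught by key name, then
# judged by the entropy of the assigned value so that placeholders pass.
ASSIGNMENT = re.compile(r"""(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['"]?([^'"\s]+)['"]?""")

MIN_VALUE_LEN = 16   # shorter values are treated as placeholders / config, not secrets
MIN_ENTROPY = 3.5    # bits per character; random-looking tokens score well above this


def shannon_entropy(s):
    """Shannon entropy in bits per character of a string (0.0 for a single repeated char)."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_line(lineno, line):
    """Return a list of (lineno, finding_name) for one line of source or config."""
    findings = [(lineno, name) for name, rx in PATTERNS.items() if rx.search(line)]
    if findings:
        return findings  # a format match is already conclusive; skip the generic check
    m = ASSIGNMENT.search(line)
    if m:
        key, value = m.group(1).lower(), m.group(2)
        if APPROVED_REF.match(value):
            return []  # vault reference: the approved way to wire a secret in
        if len(value) >= MIN_VALUE_LEN and shannon_entropy(value) >= MIN_ENTROPY:
            findings.append((lineno, "high_entropy_" + key))
    return findings


def scan_text(text):
    """Scan a whole file's contents; returns all findings in line order."""
    out = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        out.extend(scan_line(lineno, line))
    return out


def gate(text):
    """Pipeline verdict: 0 to allow the commit/build, 1 to fail it."""
    return 1 if scan_text(text) else 0


# Constructed sample config for the example. The AWS key is the documentation
# placeholder AKIAIOSFODNN7EXAMPLE; the other values are made up for this thread.
SAMPLE = """\
db_host = "checkout-db.internal"
db_password = "vault://retail/checkout/db-password"
payment_api_key = "sk_live_9fXq2LmR7tVbZ3pWcY1uHd4K"
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
-----BEGIN RSA PRIVATE KEY-----
cache_ttl = 300
"""

if __name__ == "__main__":
    # Usage: python secret_gate.py [file ...]; with no arguments it scans SAMPLE.
    sources = {p: open(p, encoding="utf-8", errors="replace").read() for p in sys.argv[1:]} or {"<sample>": SAMPLE}
    rc = 0
    for path, text in sources.items():
        for lineno, name in scan_text(text):
            print(f"{path}:{lineno}: {name}")
        rc |= gate(text)
    sys.exit(rc)
```

On the sample, line 2 passes because it is a vault reference, while lines 3 to 5 each produce a finding and the gate returns 1. The entropy threshold is the knob to tune per repository: too low and config strings such as hostnames start failing builds, too high and short but real API keys slip past; either way, a finding should be treated as a rotation event, not just a lint error, since a value that reached a commit has usually already reached a CI log or a developer laptop.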
(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 7990
 

Retail outage risk is now a secrets governance problem, not a server resilience problem. The article correctly frames the hidden dependency chain behind holiday commerce: credentials, tokens, and certificates are what keep systems talking to each other. That means identity teams have to treat secret lifecycle failure as a business continuity issue, not a narrow AppSec concern. The operational conclusion is that peak-season resilience starts with governance of machine trust, not only infrastructure scaling.

A few things that frame the scale:

  • 28.65 million new hardcoded secrets were detected in public GitHub commits in 2025 alone, a 34% year-over-year increase and the largest single-year jump ever recorded, according to The State of Secrets Sprawl 2026.
  • 64% of valid secrets leaked in 2022 are still valid and exploitable today, according to The State of Secrets Sprawl 2026.

A question worth separating out:

Q: Who should own retail secrets governance when payments, APIs, and stores all depend on it?

A: Ownership should sit with the team accountable for the business process the secret enables, not with a generic platform group alone. If no named owner exists for a credential, token, or certificate, revocation, renewal, and incident response will all slow down when it matters most.

👉 Read our full editorial: Retail identity security depends on secrets management, not uptime alone


