The State of Secrets in AppSec

GitGuardian

Today, in partnership with CyberArk, GitGuardian releases its comprehensive study on the state of secrets in application security. Based on insights from 1,000 IT decision-makers across the US, UK, Germany, and France, the "Voice of Practitioners 2024" report reveals critical findings about secrets sprawl, security practices, and emerging threats in large enterprises. The report covers:

  • How organizations are allocating their security budgets

  • The true cost and impact of secrets leaks

  • Emerging threats from AI and supply chain vulnerabilities

  • Benchmarks for secrets management maturity

Key Findings At a Glance

The study reveals a concerning trend: 79% of organizations reported experiencing secrets leaks – an increase from 75% in the previous year. More alarming still, 77% of these incidents resulted in tangible damage to either the company, its employees, or both.

This comes against a backdrop of unprecedented risk, with breaches affecting some of the largest companies made easier by the proliferation of credential leaks across the digital domain.

Investment in Security is Growing

Organizations are responding to these challenges with substantial resource allocation. On average, companies are dedicating 32.4% of their security budgets to secrets management and code security, with significant regional variations:

[Chart: Have you ever been impacted by or heard of secrets leaking within your organisation?]

[Chart: What percentage of your application security budget is allocated specifically to secrets management?]

  • US organizations lead with 40.8% of security budgets

  • UK organizations follow at 35.8%

  • German and French organizations trail at 27.6% and 25.2% respectively

In addition, 77% of respondents said they are currently investing in, or planning to invest in, secrets management tools by 2025, with 75% focusing on secrets detection and remediation tools.

The Confidence Gap

Despite heightened awareness and investment, a concerning gap exists between confidence and reality:

  • 75% of respondents express strong confidence in their secrets management capabilities

  • However, the average estimated time to remediate a leaked secret stands at 27 days

  • Only 44% of developers are reported to follow security best practices

  • Organizations maintain an average of 6 distinct secrets manager instances

[Chart: What % of your developers are aware of and follow best practices for secrets management?]

Emerging Threats: AI and Supply Chain Risks

The landscape of threats continues to evolve:

  • 43% of respondents who expressed concern about AI highlight the risk of AI systems learning and reproducing sensitive information patterns

  • 32% identified hardcoded secrets as a key risk point within their software supply chain

  • 40% cite third-party or nation-state attacks as their primary supply chain security concern

Looking Ahead

While the percentage of organizations relying on inadequate manual reviews has decreased from 27% in 2023 to 23.3% in 2024, significant challenges remain. The full report provides detailed insights into how organizations can:

  • Balance rapid innovation with systematic security practices

  • Foster a culture of shared responsibility

  • Automate critical security processes

  • Address the fundamental challenge of secrets sprawl