The “SaaS explosion” of our era has multiplied the risk of Secrets sprawl. Companies are using an unprecedented amount of cloud software applications, resulting in an unprecedented amount of APIs. To ensure secure communication between your applications and other services, it is necessary to provide access tokens (or “auth”). In addition, let’s not forget the other types of secrets across all of your software tools in the form of plaintext keys, connection strings, certificates, passwords and more, all of which are essential to your developers’ daily workflows.
When it comes to Secrets, no one thinks of Slack
The one tool you don’t think of when you hear about secrets sprawl is Slack. That’s too bad – because this will be the first place your developers use to share API access tokens between each other when they need to integrate a new app or service into their organization’s tech stack.
With whole workplaces moving to remote working after the pandemic disruption, Slack’s popularity has soared, and developers, like all employees, make the most of it by copy-pasting secrets in plain text format and sending them over through a direct message (or even worse, via a shared or public channel).
As a result, there is always the risk of passwords being left exposed in messages, accidentally shared in chat exports or screen sharing, or viewed by people joining channels or conversations temporarily. This risk is greater than you might think, especially in light of attacks on Slack in March 2015 and July 2022 that exposed usernames, email addresses, encrypted passwords, and other PII stored by the company, which in turn, made it easy for attackers to sign up for a given customer’s Slack workspace. Read more about how attackers targeted Slack here.
So Where Does Cycode Come In?
Cycode’s role as a software supply chain security leader includes securing developers’ working tools and environments. By monitoring direct messages to public and shared channels, including attachments (files) shared within those messages, Cycode can alert customers in real time about secrets exposed within their workspaces and tag all secrets detected in the history of those channels as ‘Found in Slack’, so security admins can easily identify them in Cycode platform.
Detect, Alert, and Remediate Secrets in Slack with Context
Assign and Notify The User That Shared The Secret
Define Trigger and Set Up Your Slack Security Workflow
Automate alerting and ticketing whenever a violation in Slack occurs. Keep Slack admins and relevant security champions informed.
To Wrap Up
According to estimates by GP Bullhound, the number of Slack’s monthly active users is expected to reach 79 million by 2025. Given the platform’s rapid growth, it’s no exaggeration to say that Slack has become a fundamental part of many corporate environments. In fact, you could argue that Slack has become yet another productivity tool that is integral to the software development process. Therefore, it should be considered part of the software supply chain and must be held to the same security standards as other tools by being regularly scanned for hardcoded secrets and other security issues.
Originally published: January 18, 2023