Write a Blog >>
ICSE 2023
Sun 14 - Sat 20 May 2023 Melbourne, Australia
Thu 18 May 2023 14:30 - 14:45 at Meeting Room 106 - SE for security 2 Chair(s): Cristian Cadar

Throughout 2021, GitGuardian’s monitoring of public GitHub repositories revealed a two-fold increase in the number of secrets (database credentials, API keys, and other credentials) exposed compared to 2020, accumulating more than six million secrets. To our knowledge, the challenges developers face to avoid checked-in secrets are not yet characterized. The goal of our paper is to aid researchers and tool developers in understanding and prioritizing opportunities for future research and tool automation for mitigating checked-in secrets through an empirical investigation of challenges and solutions related to checked-in secrets. We extract 779 questions related to checked-in secrets on Stack Exchange and apply qualitative analysis to determine the challenges and the solutions posed by others for each of the challenges. We identify 27 challenges and 13 solutions. The four most common challenges, in ranked order, are: (i) store/version of secrets during deployment; (ii) store/version of secrets in source code; (iii) ignore/hide of secrets in source code; and (iv) sanitize VCS history. The three most common solutions, in ranked order, are: (i) move secrets out of source code/version control and use template config file; (ii) secret management in deployment; and (iii) use local environment variables. Our findings indicate that the same solution has been mentioned to mitigate multiple challenges. However, our findings also identify an increasing trend in questions lacking accepted solutions substantiating the need for future research and tool automation on managing secrets.

Thu 18 May

Displayed time zone: Hobart change

13:45 - 15:15
SE for security 2Technical Track / Journal-First Papers at Meeting Room 106
Chair(s): Cristian Cadar Imperial College London, UK
13:45
15m
Talk
SLR: From Saltzer & Schoeder to 2021…
Journal-First Papers
Nikhil Patnaik University of Bristol, Andrew C Dwyer University of Durham, Joseph Hallett , Awais Rashid University of Bristol, UK
14:00
15m
Talk
On-Demand Security Requirements Synthesis with Relational Generative Adversarial Networks (RelGAN)
Technical Track
Viktoria Koscinski Rochester Institute of Technology, Sara Hashemi Rochester Institute of Technology, Mehdi Mirakhorli Rochester Institute of Technology
14:15
15m
Talk
Measuring Secure Coding Practice and Culture: A Finger Pointing at the Moon is not the Moon
Technical Track
Ita Ryan University College Cork, Utz Roedig University College Cork, Klaas-Jan Stol Lero; University College Cork; SINTEF Digital
Pre-print
14:30
15m
Talk
What Challenges Do Developers Face About Checked-in Secrets in Software Artifacts?
Technical Track
Setu Kumar Basak North Carolina State University, Lorenzo Neil North Carolina State University, Bradley Reaves North Carolina State University, Laurie Williams North Carolina State University
Pre-print
14:45
15m
Talk
Lejacon: A Lightweight and Efficient Approach to Java Confidential Computing on SGXDistinguished Paper Award
Technical Track
Xinyuan Miao Shanghai Jiao Tong University, Ziyi Lin Alibaba Group, Shaojun Wang Alibaba Group, Lei Yu Alibaba Group, Sanhong Li Alibaba Inc., Zihan Wang Shanghai Jiao Tong University, Pengbo Nie Shanghai Jiao Tong University, Yuting Chen Shanghai Jiao Tong University, Beijun Shen Shanghai Jiao Tong University, He Jiang Dalian University of Technology
Pre-print
15:00
15m
Talk
Keyword Extraction From Specification Documents for Planning Security Mechanisms
Technical Track
Jeffy Jahfar Poozhithara Apple Inc. and University of Washington Bothell, Hazeline Asuncion University of Washington Bothell, Brent Lagesse University of Washington Bothell
Pre-print