Getting popped is a business decision.
Over at our lovely Discord server, we have some great debates almost on a daily basis. And we don't talk exclusively about cybersecurity, mind you. We have this running joke about it being a hockey Discord. Or a philosophy Discord. Or even a Warhammer 40k Discord. We run the gamut. But one thing remains constant: our collective disdain for stupid decisions that lead to predictable outcomes.
Just the other day, we were talking about research by GitGuardian that fairly quickly found some 100,000 valid secrets hardcoded into DockerHub container images. Secrets for AWS accounts. GCP credentials. GitHub tokens. API keys. The works. And that was just from images pulled from DockerHub. There's no reason to think the results would be any different if the same research were done on any other container image registry.
It is 2025, folks. By now, literally everyone knows that hardcoded credentials are a bad idea anywhere. If you don't know that, you should probably seek life elsewhere. We've been through this. We know the consequences of doing that. We have tools and procedures to prevent this from happening. Yet, here we are. There are two possible explanations for this:
- Lack of knowledge.
- Lack of care.
As we've established, I do not believe that, in this day and age, anyone can claim they did not know that hardcoding secrets is a bad idea. If you know enough to create a container image and push said image to DockerHub, you know this. We're left with lack of care, I'm afraid. And we also know that some people are just careless:

So, we know that being careless is a problem, and we know that people are careless even though they know that being careless is a problem. So much so that we need to keep reminding those folks to be careful constantly, via wartime posters or "security awareness training." And this, my friends, is where we fail as a profession: we need to account for that. Cybersecurity practitioners and—say it with me—cybersecurity leaders have got to accept the fact that some people are careless, and make sure that these people's actions or lack thereof cannot bring the whole house down.
A CISO who's worried about that kind of threat (every single CISO, ideally) should think about ways of making sure secrets don't end up in a container image. Or hardcoded in code pushed to GitHub. Or sitting in plaintext in firmware that's easily dumped. Even if that means manually inspecting every single commit until a better solution is found. And, trust me: there are better solutions out there. Here's the harsh reality: telling people not to do a given thing does not prevent people from doing said thing. Intentionally or otherwise.
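To make that concrete, here is an added example (my code, not from the original post and not GitGuardian's tool) of the kind of check that stops a careless commit before it ever reaches a registry: a small scanner that can run as a pre-commit hook or a CI step over a Dockerfile or source file. It matches the publicly documented prefixes of AWS access key IDs (`AKIA`) and classic GitHub personal access tokens (`ghp_`), private-key headers, and secret-looking assignments whose value has high Shannon entropy. The sample Dockerfile is constructed; the AWS values are the placeholder credentials AWS uses in its own documentation, the GitHub token is made up, and the `# allow-secret` escape hatch and the 3.5-bit entropy threshold are my assumptions.

```python
import math
import re
from dataclasses import dataclass

# Documented, public credential formats. AWS access key IDs start with AKIA
# followed by 16 uppercase alphanumerics; classic GitHub PATs are ghp_ plus
# 36 alphanumerics. Private-key PEM headers are unambiguous on their own.
SIGNATURES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}

# Heuristic: NAME=value or NAME: value where NAME smells like a secret and the
# value is a literal of 16+ token-ish characters. A value that is a variable
# reference ($FOO, ${FOO}) never matches because '$' and '{' are not in the
# value character class, so `ENV TOKEN=$TOKEN` style injection passes.
ASSIGNMENT = re.compile(
    r"(?i)\b([A-Z0-9_]*(?:secret|password|passwd|token|api[_-]?key)[A-Z0-9_]*)"
    r"\s*[=:]\s*['\"]?([A-Za-z0-9+/=_\-]{16,})['\"]?"
)

ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cutoff, tune per codebase
ALLOW_MARKER = "# allow-secret"  # hypothetical escape hatch for test fixtures


@dataclass(frozen=True)
class Finding:
    source: str
    line: int
    kind: str
    snippet: str  # redacted: never echo the full secret into CI logs


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking strings score high."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep just enough of the match for a developer to locate it."""
    return value[:4] + "..." if len(value) > 4 else "..."


def scan_text(text: str, source: str) -> list[Finding]:
    """Return one Finding per suspected secret in `text` (a file's contents)."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ALLOW_MARKER in line:
            continue
        for kind, pat in SIGNATURES.items():
            for m in pat.finditer(line):
                findings.append(Finding(source, lineno, kind, redact(m.group(0))))
        for m in ASSIGNMENT.finditer(line):
            name, value = m.group(1), m.group(2)
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append(Finding(source, lineno, "high_entropy_assignment", name))
    return findings


# Constructed sample. The AWS key pair is the placeholder pair from AWS's own
# documentation; the GitHub token is made up and has no valid checksum.
SAMPLE_DOCKERFILE = """\
FROM python:3.12-slim
# constructed example using documented placeholder credentials
ENV AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
ENV AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
ARG GITHUB_TOKEN=ghp_0123456789abcdefghijABCDEFGHIJ012345
ENV LOG_LEVEL=info
COPY . /app
"""


if __name__ == "__main__":
    # Usage as a hook: python secret_check.py <files...>; non-zero exit blocks
    # the commit. With no arguments it scans the embedded sample.
    import sys

    results: list[Finding] = []
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8", errors="replace") as fh:
                results.extend(scan_text(fh.read(), path))
    else:
        results = scan_text(SAMPLE_DOCKERFILE, "Dockerfile")
    for f in results:
        print(f"{f.source}:{f.line}: {f.kind}: {f.snippet}")
    sys.exit(1 if results else 0)
```

Two design points worth noting. The scanner reports a redacted prefix or just the variable name, so the secret it catches does not get copied into the CI log where it would leak a second time. And the assignment heuristic deliberately ignores values that are variable references, because the fix for a `ENV` or `ARG` secret in a Dockerfile is to inject it at build time (BuildKit's `RUN --mount=type=secret`) or at run time, and a check that flagged the corrected form would teach people to disable it.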
After this, we discussed news that the popular API futzing (scientific term) tool Postman was logging your secrets left and right. Even when they said they wouldn't. It doesn't take a genius to realize that. The very instant you use Postman to craft an API query with a secret on one computer, and that query is available on another computer, you know that your queries are being stored somewhere that's neither of those computers. That's not inherently bad, but you need to know that it's happening. You need to stop for a second and think: "Hmmm. I am sending a bunch of secrets with my API calls to some third party. Do I trust those guys to keep this data safe? Do I care about this data? Is using this particular software strictly necessary? What can possibly go wrong?" Congratulations! You just did a risk assessment from first principles.
What you see in action time and again is the outsourcing of the thinking part of the process. When you, cybersecurity leader, outsource the thinking you should be doing, the thinking is no longer yours. It's someone else's. And that comes with all the wrong assumptions, all the biases, and all the consequences that you will have to face even though you didn't do the actual thinking. That's one reason why you keep spending millions of dollars on products that don't work. It's like buying a book without knowing how to read.
No product in the world will save you from yourself. You need to understand what you're trying to do before you do it. You need to know things, and you need to think about things in order to build a resilient foundation that can survive a developer forgetting to remove a secret from a piece of code. You need to be thoughtful and purposeful if you are to develop a cybersecurity program that's able to withstand some poor fella clicking on something they were not supposed to.
Even more critical than that: you need to figure out ways to let people do the right thing. You need to help them easily avoid common mistakes. You need to set them up for success, because their success is your success. You need to be a guide, not a gatekeeper.
At this juncture, the "we didn't know" or "we don't have the expertise" excuses do not fly anymore. If you don't know how to balance your books and comply with tax laws and regulations, you hire an accountant. If you don't know anything about labor regulations, running payroll or managing personnel, you get yourself a human resources professional. If you don't know anything about any law at all, you hire a lawyer. Don't know anything about cybersecurity? You know what to do. That's the price of doing business right now.
The cybersecurity industry has many problems, but we do have solutions for a lot of common problems. These solutions are tried and true. They work. They are available right now. You really don't have to be a victim of ransomware if you don't want to. You really don't have to let your credentials end up on GitHub if you don't want to. You really don't have to lose sleep over people clicking the wrong link if you don't want to. You just have to want to. A lot of other things can happen, but you will have plenty of time to think about it when the problems that are already solved are no longer a problem for you.
Want to shoot the breeze and talk about cybersecurity? Or economics? Or the Silmarillion? Maybe you want to make fun of the Toronto Maple Leafs? Or help us launch a company? Do join our Discord. I can't guarantee that we know what we're talking about, but I guarantee it is fun!

P.S.: We will return with our "Host Your Stuff" series very shortly! Thanks for the patience, and for your continued support of the Institute. Onward!