Profile Applicability:
Level 1
Description:
Automated scanning tools must be deployed to continuously analyze code repositories for the presence of sensitive data such as passwords, API keys, personally identifiable information (PII), and cryptographic secrets. These scanners help identify and prevent the inclusion of sensitive data in source code, reducing the risk of data exposure.
Rationale:
Detecting sensitive data early in the development lifecycle prevents accidental leaks, enforces security best practices, and ensures compliance with data protection regulations. It reduces the likelihood of security incidents related to exposed credentials or confidential information.
Impact:
Pros:
Proactively identifies sensitive data before deployment.
Minimizes risk of data breaches and leaks.
Supports regulatory compliance and audit readiness.
Encourages secure coding practices.
Cons:
May generate false positives requiring manual review.
Requires integration and maintenance of scanning tools.
Default value:
Many organizations do not consistently scan code for sensitive data, increasing exposure risk.
Audit:
Review scan logs and reports for detected sensitive data. Verify that identified findings have been remediated. Confirm that scanning tools are active on all relevant repositories.
Remediation:
Deploy automated scanning tools (e.g., GitGuardian, TruffleHog, or built-in CI/CD scanners) integrated into the development workflow. Establish policies for handling and remediating detected sensitive data. Train developers on secure coding and data handling.
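As an added example (not part of this benchmark or of any of the named tools), the core logic such a scanner applies, in Python: high-confidence signatures for credentials with a fixed structure, a Shannon-entropy check on generic secret-looking assignments, and a placeholder allowlist plus an inline suppression marker (both conventions assumed for this example) to manage the false positives noted under Cons. The sample source and every credential-like value in it are constructed.

```python
# Minimal secret scanner (added example): structured credential signatures plus an entropy
# check on generic secret-looking assignments, with a placeholder allowlist for false positives.
import math
import re
from collections import namedtuple

Finding = namedtuple("Finding", "line_no rule snippet")
# High-confidence signatures for credentials that have a fixed structure.
STRUCTURED_RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
}
# Generic rule: a secret-like variable name assigned a quoted literal of 8+ characters.
GENERIC_ASSIGN = re.compile(
    r"(?i)\b[\w-]*(password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]")
# Substrings marking a value as a documented placeholder rather than a live credential.
PLACEHOLDER_MARKERS = ("example", "changeme", "placeholder", "dummy", "<your")
# Convention invented for this example: a human-reviewed false positive is suppressed inline.
SUPPRESS_COMMENT = "# allowlist-secret"

def shannon_entropy(value: str) -> float:
    """Bits per character: random keys score high, words and repeated characters score low."""
    n = len(value)
    return -sum(value.count(c) / n * math.log2(value.count(c) / n) for c in set(value)) if n else 0.0

def scan_source(text: str, entropy_threshold: float = 3.0) -> list:
    """Scan one file's text and return Finding tuples in line order."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        if SUPPRESS_COMMENT in line:
            continue  # reviewed and explicitly accepted by a human
        candidates = [(rule, rx.search(line).group(0)) for rule, rx in STRUCTURED_RULES.items() if rx.search(line)]
        m = GENERIC_ASSIGN.search(line)
        if m and shannon_entropy(m.group(2)) >= entropy_threshold:
            candidates.append((f"hardcoded_{m.group(1).lower()}", m.group(2)))
        for rule, value in candidates:  # the placeholder allowlist applies to both rule families
            if not any(marker in value.lower() for marker in PLACEHOLDER_MARKERS):
                findings.append(Finding(no, rule, line.strip()))
    return findings

# Constructed sample repository content; every value below is made up for this example.
SAMPLE_SOURCE = """\
DB_PASSWORD = os.environ["DB_PASSWORD"]
AWS_ACCESS_KEY_ID = "AKIAQ7R2XM4TBZ9LH6WP"
api_key = "q8Zr3LmV2xNpK7wT1yHd4Bc9Fs6Ja0Ue"
password = "changeme-example"
-----BEGIN RSA PRIVATE KEY-----
token = "aaaaaaaaaaaa"
secret = "Xk29sLq4Wm7vPz1r"  # allowlist-secret
"""
```

Running `scan_source(SAMPLE_SOURCE)` reports sample lines 2, 3 and 5; the environment-variable lookup, the placeholder, the low-entropy literal and the suppressed line are not reported, which is the kind of triage a team must tune before wiring the scanner into CI.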
References: