usenixsecurity23-krause.pdf (578.96 kB)

Pushed by Accident: A Mixed-Methods Study on Strategies of Handling Secret Information in Source Code Repositories.

Download (578.96 kB)
conference contribution
posted on 2024-04-24, 13:05 authored by Alexander KrauseAlexander Krause, Jan KlemmerJan Klemmer, Nicolas Huaman, Dominik Wermke, Yasemin Acar, Sascha FahlSascha Fahl
Version control systems for source code, such as Git, are key tools in modern software development. Many developers use services like GitHub or GitLab for collaborative software development. Many software projects include code secrets such as API keys or passwords that need to be managed securely. Previous research and blog posts found that developers struggle with secure code secret management and accidentally leaked code secrets to public Git repositories. Leaking code secrets to the public can have disastrous consequences, such as abusing services and systems or making sensitive user data available to attackers. In a mixed-methods study, we surveyed 109 developers with version control system experience. Additionally, we conducted 14 in-depth semi-structured interviews with developers who experienced secret leakage in the past. 30.3% of our participants encountered code secret leaks in the past. Most of them face several challenges with secret leakage prevention and remediation. Based on our findings, we discuss challenges, such as estimating the risks of leaked secrets, and the needs of developers in remediating and preventing code secret leaks, such as low adoption requirements. We conclude with recommendations for developers and source code platform providers to reduce the risk of secret leakage.


Primary Research Area

  • Empirical and Behavioral Security

Name of Conference

Usenix Security Symposium (USENIX-Security)


USENIX Security Symposium

Page Range



@conference{Krause:Klemmer:Huaman:Wermke:Acar:Fahl:2023, title = "Pushed by Accident: A Mixed-Methods Study on Strategies of Handling Secret Information in Source Code Repositories.", author = "Krause, Alexander" AND "Klemmer, Jan H" AND "Huaman, Nicolas" AND "Wermke, Dominik" AND "Acar, Yasemin" AND "Fahl, Sascha", year = 2023, month = 8, journal = "USENIX Security Symposium", pages = "2527--2544" }

Usage metrics


    No categories selected



    Ref. manager