
Halo Security Now Detects API Keys and Secrets Exposed in JavaScript

New capability helps security teams find unintended exposures across their attack surface

SAN FRANCISCO--(BUSINESS WIRE)--Web properties are increasingly relying on third-party JavaScript to increase functionality, but this can also bring inherent risks. A report from Source Defense, which scanned the 4,300 highest-trafficked websites globally, found an average of four third-party scripts per page. Often, these tags are added without proper security controls or oversight from security teams, giving attackers an easy way to find exposed API keys and breach sites.

Halo Security, a leading attack surface management platform, has unveiled a new feature that helps security teams detect unintended exposures. Its agentless solution identifies secrets in scripts used across the attack surface, no matter how they’ve been added, so security teams know what is dangerous and what isn’t.

These tags are often added by developers and marketers via tag management systems, without understanding the risk. Research from Invicti suggests 6.3% of top sites on the internet are exposing keys and secrets.

Halo Security’s new feature has already detected and alerted customers to more than 700 instances of revealed secrets across websites it scans. It has found potentially devastating exposures like Amazon keys that unlock a site’s entire infrastructure, and proprietary back doors to third-party functionality like image carousels, where an attacker could upload or delete pictures and cause reputational harm.

“Our pentesters have been flagging this issue more and more recently and it’s a problem most clients don’t even know about. With this new feature, we bring awareness continuously and automatically,” said Nick Merritt, Vice President of Security Products at Halo Security. “Our new JavaScript secret detections are the perfect complement to existing script monitoring and analysis solutions.”

Halo Security customers now have access to a new report highlighting any exposed secrets in their JavaScript at no additional cost and with no additional configuration required. For companies looking to improve the security of their external attack surface, Halo Security offers a seven-day free trial to discover any existing keys exposed.

Learn more about how Halo’s new capability helps security teams safely manage third-party JavaScript.

About Halo Security

Halo Security is a complete attack surface management platform, offering asset discovery, risk and vulnerability assessment, and penetration testing services in a unified, easy-to-use dashboard. Founded by experienced and trusted penetration testers, scanning leaders, and reformed hackers, Halo Security brings the attacker’s perspective to the modern organization. Halo Security’s leadership team has held key roles at McAfee, Intel, Kenna Security, OneLogin, and WhiteHat Security. Learn more at halosecurity.com.

Contacts

Gregory FCA for Halo Security
Anna Patrick
HaloSecurity@gregoryfca.com
