Secrets lie at the core of each application. They are the passkeys enabling communication between humans, and between machines. Machine identities outnumber human identities by a factor of 45-to-1, constituting the majority of the secrets that demand our attention. Recent research by CyberArk reveals that 93% of organizations encountered multiple breaches related to identities within the last year. It is evident that this escalating issue needs to be confronted. Furthermore, organizations seem content with utilizing plain credentials for these machine identities in private repositories, assuming they will remain secluded. Nevertheless, poor procedural practices in private code often result in public leaks, a scenario frequently witnessed in the media. Given the scale of this challenge, what actions should be taken?
What we truly require is a transformation in our workflows, specifically concerning the generation, retention, and utilization of machine identities. Thankfully, a clear route exists that amalgamates existing solutions for secrets management with tools for secret identification and rectification, all the while aligning with the working methodologies of developers.
Drafting a game plan for comprehensive secrets security
Addressing the issue of machine identity sprawl, or secrets proliferation, can be encapsulated in a couple of succinct phrases.
“We are faced with an undisclosed count of valid long-standing plaintext secrets dispersed across our codebase, configurations, CI processes, project management platforms, and assorted origins, lacking a coherent strategy for their rotation. Meanwhile, developers persist in handling secrets in plain text as it is a dependable albeit flawed method to ensure the functionality of the application.“
Upon scrutiny of this operational definition, a stepwise strategy can be devised to tackle each aspect.
- Identification of Secrets – Scrutinize the codebase and systems implicated in the software development life cycle to uncover prevailing plaintext credentials, accruing comprehensive details for each.
- Management of Secrets – Documenting all identified secrets through a centralized secure vault platform.
- Developer Procedures – Refining processes and tools to simplify the proper creation, retention, and retrieval of secrets in a secure manner.
- Continuous Scanning for Secrets – Perpetual monitoring to detect any recently added plaintext secrets.
- Automated Rotation – Periodically replacing valid secrets curtails their vulnerability to exploitation by malicious entities.
You can embark on this journey progressively, treating it as a phased implementation. Before long, you will be significantly closer to eradicating secrets sprawl and fortifying the security of all your machine identities.
Unveiling your secrets
The primary hurdle every team faces while attempting to manage secret sprawl is discerning the nature of the secrets in their possession. Manually sifting through an assortment of unknown secrets would overwhelm any team swiftly. Fortunately, secrets scanning tools like GitGuardian can automate this process, furnishing insights into crucial details. From a robust platform, establish a communication avenue to collaborate with developers for remedial actions.
Implementing a centralized secrets repository
Essential to a robust secrets management strategy is overseeing how secrets are archived and accessed. Enterprise vaults allow for meticulous tracking of all known secrets, encrypting them during storage and transmission. A reliable vault solution, such as Conjure by Cyberark and Hashicorp Vault Enterprise, prove invaluable. In case your infrastructure predominantly derives from a single provider like AWS or GCP, these options stand out.
Safeguarding the developer workflow
Historically, secrets management has been entrusted to developers to navigate, leading to a variety of solutions such as `.env` files and regrettably, embedding secrets into the codebase. Leveraging a centralized vault approach equips developers with a consistent method to securely access credentials from their applications across all environments. Offering a standardized approach that is as straightforward to implement as their current practices will entice many developers to ensure their deployments are not hindered by security concerns.
Furthermore, contemplate embracing a proactive stance. Command-line utilities like ggshield allow developers to integrate automatic Git hooks for scanning plaintext credentials prior to any commits. Intercepting secrets before they reach a commit obviates subsequent incidents and remedies the situation at the most cost-effective juncture in the software development life cycle.
Secret scanning at each collaborative juncture
Contemplate the reality that accidents are part of life. Continuing vigilance is essential to identify any newly arising issues stemming from existing team members’ inadvertent errors or the onboarding of new teams or subcontractors unaware of established processes. Much like the initial secrets detection, deploying a platform that compiles this information into a coherent incident will expedite responses to emergent problems. A tool like GitGuardian integrates at the code repository level to identify new plaintext credentials within seconds, automatically upon each push or comment.
Short-lived credentials as the aim for automated rotation
If an intruder chances upon a valid secret, their task is considerably simplified, allowing them to access any restricted areas effortlessly. Conversely, if the intruder seizes an obsolete secret, it proves ineffective. With a centralized vault infrastructure, you can draft plans for automatic rotation. Nearly all contemporary platforms and services offer mechanisms to generate fresh credentials via an API call and invalidate existing secrets. Employing simple scripting, drawing on the numerous guidelines issued by platforms like AWS or CyberArk, automation for the secure substitution of credentials on a consistent, perhaps daily, basis becomes feasible.
Comprehensive secrets security necessitates a methodical approach
The optimal time to grapple with the challenges surrounding complete secrets security is now. If you lack a predefined strategy, commence discussions at the earliest. Initiate inquiries like: “What secrets are within our purview?” or “Do we possess a vault?” Ultimately, empower developers with workflows and protective measures that permit them to concentrate on their development endeavors.
Safeguarding against the unexpected revelation of new secrets and promptly resolving these revelations is an ongoing endeavor. It demands commitment, including heightened awareness and the adoption of suitable procedures and technologies, enabling any organization to gain a greater command over machine identities and secrets throughout the organization.
About Author
