DevSecOps : Secrets Management and Secret Security Tools


Everyone has secrets, and so does an application development team. Secrets can include usernames, account passwords and API tokens. Proper control of credentials and automated secrets processes minimizes the possibility that secrets will escape into the wild and be deliberately or accidentally used in the code. As the saying goes, secrets are things that exist, but few need to learn about them. All the permissions, keys, configuration files or passwords you need to run your program across environments, third-party APIs, Production/LIVE infrastructure and tools are part of your delivery process. Developers have always kept their application's secrets in familiar places such as the following:

1. Source Code / Source Code Management (SCM)

Developers check in or commit all of the application's secrets, such as the admin password and database credentials, in their code, and these often get leaked on the internet.

2. Configuration file or ENV variables.

A secret can be stored in an environment file, usually called an ENV file. As with #1, it gets checked in to SCM and can be exposed to the world.

3. Configuration Management

Usually, we take this approach when we use an automation tool such as Ansible, Vault, Chef, Salt, etc. We store the secrets in the tool for easy access between endpoints/servers.

4. Secret Management Platforms

This approach is the most secure place to store your secrets/credentials; we can access the dedicated platform whenever our CI/CD pipeline requires it or is running. We can use a system like Azure KeyVault or AWS KMS for our CI/CD pipeline.

What are the benefits of Secret Management?

  1. Decrease the possibility that passwords end up in source code commits and get pushed to repositories, especially public repositories like GitHub and GitLab.
  2. Limit the number of people who need knowledge of credentials, to reduce the secrets exposure area. This number will reach zero with an automated credentials management procedure.
  3. Reduce the useful life of a secret by using short expiry periods and Time-To-Live (TTL) values. Automation allows secrets to be reissued and rotated with low effort.

The Best Practices of Secret Management

  1. Secret Discovery. Identify all of your organization's application secrets/credentials and make sure you record them and put them in Secret Management. Continue adding new secrets/credentials as they are needed.
  2. Reduce and Eliminate Hardcoded Credentials. Eliminate all hardcoded credentials in your CI/CD pipeline and move them to the Secret Management system. You can access them when you need them.
  3. Enforce Password Security Policy. The Security Engineer or DevSecOps Engineer can enforce a proper security policy, which can educate the team to implement appropriate secrets/credentials in their DevOps tools.
  4. Log and record all activity. A secret can be leaked without a trace if there are no audit trails or recorded logs; hence any server/DevOps access needs to have an activity log. That way, all anomalies can be traced and avoided.
  5. Monitor for Security Leaks. A monitoring tool can alert on abnormal behaviour of the system/application; for example, we can monitor a specific API endpoint for calls from a geolocation that has not called it before, and then act proactively once the alert is triggered.
  6. Implement DevSecOps. Adopting a DevSecOps culture ensures that everyone is responsible for the protection of DevOps, thus assuring transparency and team cohesion. This approach will, in effect, ensure that best practices are in place for secrets management and that code does not contain embedded passwords.
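
Practices 1 and 2 (secret discovery and eliminating hardcoded credentials) can be partly automated by scanning source and ENV files before they reach SCM. The following is an added example, not part of the original article; the key-name patterns, the entropy threshold and the sample ENV content are assumptions constructed for illustration.

```python
import math
import re

# Assumed key names that usually hold a credential (illustrative, not exhaustive).
ASSIGNMENT = re.compile(
    r"""(?ix)\b([\w.-]*(?:password|passwd|secret|token|api[_-]?key)[\w.-]*)
        \s*[:=]\s*["']?([^\s"']+)"""
)
# AWS access key IDs: AKIA/ASIA prefix followed by 16 uppercase alphanumerics.
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Values that point at a secret store or are template placeholders, not secrets.
REFERENCE = re.compile(r"^(\$\{?\w+\}?|\{\{.*\}\}|<.*>)$")

def entropy(value: str) -> float:
    """Shannon entropy in bits per character."""
    counts = {c: value.count(c) for c in set(value)}
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())

def redact(value: str) -> str:
    """Keep findings reportable without copying the secret into CI logs."""
    return value[:2] + "*" * (len(value) - 2)

def scan(text: str, min_entropy: float = 2.5):
    """Return (line_no, rule, key, redacted_value) for each suspected secret."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        for m in AWS_KEY_ID.finditer(line):
            findings.append((no, "aws-access-key-id", "", redact(m.group())))
        m = ASSIGNMENT.search(line)
        if not m:
            continue
        key, value = m.groups()
        if REFERENCE.match(value) or AWS_KEY_ID.fullmatch(value):
            continue  # a reference to a secret store, or already reported above
        if len(value) >= 8 and entropy(value) >= min_entropy:
            findings.append((no, "hardcoded-credential", key, redact(value)))
    return findings

# Constructed sample ENV file; none of these values are real.
SAMPLE_ENV = """\
DB_HOST=db.internal.example
DB_PASSWORD=Xk9#mQ2vLp7w
API_TOKEN=${API_TOKEN}
AWS_ACCESS_KEY_ID=AKIAABCDEFGHIJKLMNOP
ADMIN_PASSWORD=<set-in-vault>
"""

if __name__ == "__main__":
    print(*scan(SAMPLE_ENV), sep="\n")
```

Run as a pre-commit hook or CI step, a non-empty result should fail the build so the value is moved into the secret management platform and rotated.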


The right secrets management policies, backed by efficient processes and resources, will make it easier to handle, transfer and protect secrets and other sensitive data. By implementing the best practices in Secrets Management, you will not only help DevOps security, but also increase company security.

Next you should read

Tutorial -> How to implement Git-Secret Scanner in CI/CD Pipeline.

Dynamic Analysis Security Test (DAST).
