
You Don't Know Where Your Secrets Are
2023-01-31 12:46

Do you know where your secrets are? If not, I can tell you: you are not alone.

The fundamental point addressed by this maturity model is that secrets management goes well beyond how the organization stores and distributes secrets.

At the intermediate level, secrets scanning is more systematic, and secrets are cautiously shared across the DevOps lifecycle.

Here are some questions that this model should raise in order to help you evaluate your maturity: how frequently are your production secrets rotated? How easy is it to rotate secrets? How are secrets distributed at the development, integration, and production phases? What measures are in place to prevent the unsafe dissemination of credentials on local machines? Do CI/CD pipeline credentials adhere to the principle of least privilege? What procedures are in place for when secrets are leaked?

The secrets were used for logging in to Uber's privileged access management platform, where many more plaintext credentials were stored throughout files and scripts.
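The systematic secrets scanning mentioned above, and the plaintext credentials sitting in files and scripts, can be illustrated with a small scanner. The code below is an added example written for this page; it is not code from the article or from any product the article discusses. The rule set, the entropy threshold, the file contents and the file names are all constructed for the example; the AWS key values are the placeholder keys from AWS's own documentation, not live credentials. Findings carry only a redacted prefix of each match, so the scanner's own output does not become another place where the secret lives.

```python
import math
import re
from dataclasses import dataclass

# Constructed sample inputs: two small files as they might sit in a repository
# or on a developer laptop. The AWS values are the placeholder keys published
# in AWS's own documentation, not live credentials.
SAMPLE_FILES = {
    "deploy.sh": (
        "#!/bin/sh\n"
        "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        "echo deploying\n"
    ),
    "config.ini": (
        "[db]\n"
        "host = db.internal\n"
        "password = hunter2\n"
        "debug = false\n"
    ),
}

# Rule set (assumed for this example): two specific patterns plus a generic
# high-entropy catch-all for tokens no specific pattern knows about.
AWS_ACCESS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
CREDENTIAL_ASSIGNMENT = re.compile(
    r"(?i)\b(password|passwd|secret|token|api[_-]?key)\b\s*[:=]\s*['\"]?([^\s'\"]+)"
)
BASE64ISH_TOKEN = re.compile(r"[A-Za-z0-9+/]{32,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; assumed cut-off for this example


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    redacted: str  # never carry the full secret into reports or logs


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character (0.0 for a single repeated symbol)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep a short prefix so a finding can be triaged without reproducing the secret."""
    return value[:4] + "..." + f"({len(value)} chars)"


def scan_text(path: str, text: str) -> list[Finding]:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_ID.finditer(line):
            findings.append(Finding(path, line_no, "aws_access_key_id", redact(m.group(0))))
        for m in CREDENTIAL_ASSIGNMENT.finditer(line):
            findings.append(Finding(path, line_no, "credential_assignment", redact(m.group(2))))
        for m in BASE64ISH_TOKEN.finditer(line):
            token = m.group(0)
            # Skip tokens a specific rule already reported, then apply the entropy test.
            if AWS_ACCESS_KEY_ID.search(token):
                continue
            if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                findings.append(Finding(path, line_no, "high_entropy_token", redact(token)))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no} [{f.rule}] {f.redacted}")
```

On the sample input the scanner reports the access key ID on line 2 of deploy.sh, the high-entropy secret key on line 3, and the password assignment on line 3 of config.ini. The entropy rule is what catches secrets that have no recognisable prefix, at the cost of some false positives on long identifiers, which is why a real deployment pairs it with a reviewed allowlist and feeds confirmed findings straight into the rotation procedure the article asks about.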

Knowing where your secrets are, not just in theory but in practice, and how they are used along the software development chain is crucial for security.


News URL

https://thehackernews.com/2023/01/you-dont-know-where-your-secrets-are.html