It’s easy to recognize the importance of effective secrets management, which helps prevent sensitive data like passwords and access tokens from leaking out of development pipelines.
The hard part for many businesses is actually building an organizational culture that prioritizes secure management of secrets and embedding it within development and DevSecOps practices. Doing so requires an understanding of the human component of secrets management – factors like why developers sometimes take risks when working with secrets, and which practices and tools can help them to make more secure choices.
To that end, here’s a look at how to establish a culture that prioritizes the secure management of secrets.
What is secure secrets management?
Secrets are sensitive access credentials, like passwords, access tokens, and API keys. Secure secrets management is the practice of storing and sharing such data in a secure way.
Securing secrets is important because insecure management of secrets can expose sensitive information to third parties. For instance, if a developer hardcodes access credentials for a database into a configuration file, anyone who is able to view the configuration file will also be able to log into the database. Likewise, secrets that are hosted in a non-encrypted key-value store (such as Etcd, which stores secrets on Kubernetes and whose data is not encrypted by default) are accessible to anyone who is able to read the store resource.
Maintaining a high standard of secrets hygiene – meaning a commitment to managing secrets securely by default – helps organizations to mitigate risks like these.
Prevent Secrets Leaks Before They Happen
Hardcoded credentials and mismanaged secrets can silently expose your entire pipeline. Learn how to proactively detect and secure secrets before they go live.
Integrating secure secrets management into organizational culture
Secure secrets management practices hinge, in part, on the deployment of tools and processes (like secrets scanning and secret detection solutions) that can help teams identify and rectify situations where secrets are not properly managed.
But even better than discovering insecure secrets is preventing developers from making secrets security mistakes in the first place. When you train your teams to manage secrets securely by default, you proactively minimize the risk of secrets exposure – as opposed to managing it reactively by focusing only on detecting and responding to secrets security risks.
This is why organizations should prioritize the creation of a culture of secure secrets management. When secrets security becomes a cultural tenet within a company, secrets management best practices become embedded into the organization’s processes by default. The result is less time finding and fixing security management risks – and fewer disruptions to software development workflows due to insecure secrets.
The challenges of secrets hygiene as culture
Of course, actually creating an organizational culture that prioritizes secure secrets management can be challenging. By default, developers and IT admins have a tendency to be prone to secrets management mistakes due to factors like the following:
- Convenience: Practices like hardcoding secrets into source code or configuration files are often faster and simpler than a more secure technique, such as using a secrets manager or secrets vault.
- Sharing: Sometimes, teams may feel that hardcoded secrets are easier to share because they’re accessible to anyone who can view an application’s code. They may not recognize the security risks that this practice poses, or they may believe that the risk is outweighed by the facilitation of collaboration.
- Belief that internal secrets won’t leak: It’s easy to assume that hardcoding secrets is acceptable so long as the files or systems in question are only used internally (as in the case of dev/test environments, for example) – even though in reality, there is always a chance that third parties could gain access to internal systems, such as code repositories.
- Lack of awareness of alternatives: In some cases, employees may simply be unaware that alternative solutions exist for managing secrets securely. An IT admin who is not accustomed to writing source code may not realize that hardcoding secrets into source files is not the only way to configure access, for example.
Practical steps for creating a secure secrets management culture
To mitigate risks like these, businesses should adopt deliberate strategies aimed at making DevSecOps secrets management a key cultural priority for anyone who helps manage secrets. The following practices can help.
Train and educate
For starters, organizations should invest in training and educating employees in secure secrets management practices.
Training and education increase awareness of the pitfalls of practices that may seem insignificant, like hardcoding secrets into files intended only for internal use within a company, but that could lead to serious security incidents. They also provide opportunities to learn about secure secrets management tools and practices that can help to keep sensitive data private while still ensuring smooth workflows and enabling a positive developer experience.
Assess secrets management awareness during hiring
When hiring developers or other technical staff, asking questions about secrets management and its implications can help to highlight candidates with an inherent interest in keeping secrets secure.
This is not to say that businesses should only hire developers who are secrets management gurus; not everyone is an expert in secrets management. Still, raising the topic during the hiring process helps send a message that secrets hygiene is a priority for the organization.
Define secrets management policies and procedures
Many organizations maintain security policy documents, which define the high-level security goals they commit to meet. They also write security procedures, which explain the processes and tools they use to enforce security policies.
As a best practice, businesses should consider including rules about secrets management in these policy documents. Doing so is another way to underscore how committed the company is to protecting software secrets.
Audit secrets management
To determine the extent to which teams actually adhere to secrets management policies, businesses can deploy tools such as automated secret scanning software. Automated scanners find hardcoded secrets that exist in various locations and generate alerts about them.
The purpose of automated secrets detection isn’t simply to find and punish secrets management infractions. Its primary value lies in providing visibility into secrets management trends, such as which types of files or systems are most associated with insecure secrets management and how secrets management outcomes change over time. These insights can help the organization identify opportunities for improving its secrets hygiene.
Provide easy access to secure secrets management solutions
The easier it is for developers to access the tools they need to manage secrets securely, the more likely they are to adhere to best practices.
To that end, organizations can consider practices like deploying secrets vaults, which can securely store secrets, for use by anyone in the company as part of a platform engineering initiative. They can also take steps such as enabling encryption by default for resources that may host secrets in plain text, eliminating the need to have to remember to encrypt secrets manually.
Securing secrets with Checkmarx One
When it comes to finding hardcoded secrets, Checkmarx One has you covered. We help you automatically detect secrets that have the potential to place your organization’s applications and infrastructure at risk.
Learn more by requesting a demo.
Stop Leaks Before They Start
Get full visibility into hardcoded secrets with automated detection built for modern DevSecOps.