You May Also Like
What Is Quishing?
QR code phishing, most commonly referred to as “quishing,” is a type of phishing attack that tricks users into scanning QR codes to steal personal information such as login credentials or credit card numbers. When a...
Published on
January 26, 2023
Written by Teresa Rothaar
Proper IT secrets management is essential to protecting your organization from cyber threats, particularly in DevOps environments, where common CI/CD pipeline tools such as Jenkins, Ansible, Github Actions, and Azure DevOps use secrets to access databases, SSH servers, HTTPs services and other highly sensitive systems.
Despite the critical importance of secrets management, Keeper’s 2022 Cybersecurity Census Report found nearly one-third of organizations (32%) lack a dedicated solution to protect their secrets. Additionally, an astounding 84% have concerns regarding risks associated with hardcoded credentials in source code – and 25% don’t have software in place to remove them.
What is DevSecOps?
Before defining DevSecOps, one must understand DevOps. DevOps is a software development philosophy that seeks to break down silos between software development and IT operations (hence the name “DevOps”), with the goal of delivering quality software more quickly. DevOps is complementary to agile software development and leans heavily on automating processes throughout the software development lifecycle (SDLC).
However, DevOps isn’t just about development and operations; security needs a prominent seat at the table. Hence, the introduction of DevSecOps, which seeks to integrate security initiatives at every level of the SDLC to quickly deliver applications that are not only robust but also secure.
What is Secrets Management?
Secrets management refers to the tools and methods used to manage authentication credentials that access highly privileged systems and sensitive information.
In the grand scheme of things, secrets are really just passwords. However, unlike other passwords, secrets are used by applications and machines, not humans. Common types of secrets include:
- Non-human login credentials, such as for service accounts
- Database and other system-to-system passwords
- Cryptographic and encryption keys
- Cloud service access credentials
- Application Programming Interface (API) keys
- Access tokens
- SSH (Secure Shell) keys
In addition to protecting IT secrets from cyber threat actors, the benefits of secrets management solutions include providing DevSecOps teams visibility into their data environment, helping them prevent secrets sprawl, and making it easier to share secrets securely.
Secrets Management Challenges for DevSecOps
DevSecOps teams face significant secrets management risks and challenges. Let’s examine the most common issues.
1. Secrets Sprawl
Secrets sprawl is when an organization stores secrets throughout the network, without using a solution to organize, manage and secure them. This problem is exacerbated by the widespread adoption of SaaS apps and cloud-native development models, which have dramatically increased the number of secrets organizations have, while decentralizing their storage. In this type of environment, DevOps teams lack the visibility and uniform management policies they need to get their secrets under control, which expands the organization’s attack surface and increases the risk of a data breach.
2. Hardcoded and Embedded Credentials
Hardcoded/embedded credentials are a major contributor to both secrets sprawl and data breaches. Many smart devices, other hardware and even software platforms are shipped with hardcoded, default credentials. These credentials are supposed to be changed before the product is deployed, but if DevSecOps teams lack visibility into their data environment, that doesn’t always happen. When devices and apps are deployed without changing the default credentials, cybercriminals can easily access them using scanning tools in conjunction with the device or app’s owner’s manual. These manuals are readily available online and contain the default credentials.
Additionally, developers will sometimes hardcode secrets into source code. This is a major violation of application security best practices, but without visibility, DevSecOps teams cannot effectively prevent it.
3. Multiple and Disparate Tool Sets
Many tools used in DevSecOps environments include built-in secrets managers, which enable teams to remove hardcoded/embedded credentials. However, these secret management tools are proprietary and work only with the solutions they’re bundled with, which doesn’t solve the broader secrets sprawl issue.
4. Poor Password Security Practices
As mentioned earlier in this blog, secrets are nothing more than another type of password, which means they’re subject to the same security problems as other passwords. Sometimes, secrets are stored in plain text, leaving access to secrets unprotected. Team members may reuse secrets across applications or choose weak secrets, such as keyboard patterns or dictionary words. Secrets may not be changed or revoked when employees who have access to them leave the company. All of these problems significantly increase the chances of compromise, which can lead to a data breach.
What to Look for in a DevSecOps Secrets Management Solution
The best way to combat secrets sprawl and prevent data breaches is to use a dedicated secrets management solution that includes a secure, centralized vault in which to store secrets.
When evaluating DevSecOps secrets management solutions, look for the following features:
- A flexible deployment model — Today’s data environments are highly complex, and each one is unique. Make sure your secrets manager works throughout your environment, whether that’s on-premises, in the cloud, or in a multi-cloud or hybrid setup.
- AES encryption — To effectively protect secrets, a secrets manager must encrypt data both in transit and at rest, but that’s not all. Make sure the solution you choose uses 256-bit AES encryption, the gold standard used by banks and government agencies.
- Integration with other applications and services — Your organization’s secrets management solution should seamlessly integrate with popular CI/CD systems and all of the other tools used in your developer environments.
How Keeper Protects Your Company’s Secrets
Keeper Secrets Manager is a cloud-based, zero-trust, zero-knowledge solution that provides DevSecOps teams with a centralized vault optimized for DevOps environments. Keeper Secrets Manager enables all servers, CI/CD pipelines, developer environments and source code to pull secrets from a secure API endpoint. Each secret is encrypted with a 256-bit AES key, which is encrypted by another AES-256 application key.
A supplementary solution of the Keeper Enterprise Password Management (EPM) platform, Keeper Secrets Manager is embedded into your web vault, admin console and desktop app. It also offers further integrations into Keeper’s Advanced Reporting and Alerts module, BreachWatch dark web monitoring tool, SIEM integration, webhooks and compliance solutions.
Request a demo of Keeper Secrets Manager to see how your company can eliminate secrets sprawl and secure your environment.
