Wednesday, July 3, 2024

Develop a plan to protect machine identities

End-to-end secret security

At the heart of every application are secrets: credentials that enable human-to-machine and machine-to-machine communication. Machine identities are 45 times more prevalent than human identities, making up the majority of the secrets we have to worry about. A recent CyberArk survey found that 93% of organizations experienced two or more identity-related breaches in the past year. It is clear that we need to address this growing problem. Furthermore, many organizations are OK with using plaintext credentials for these identities in private repositories because they believe these identities will remain private. However, as we see too often in the news, poor private code hygiene leads to public leaks. Given the scope of this problem, what can we do?

What we really need is a change in processes, especially those around creating, storing, and manipulating machine identities. Fortunately, there is a clear path forward that combines existing secrets management solutions with secrets discovery and remediation tools to meet the needs of developers today.

Creating an end-to-end secrets security game plan

The machine identity problem (also known as secrets sprawl) can be summed up in a few sentences.

An unknown number of valid, long-lived plaintext secrets are scattered throughout code, configuration, CI pipelines, project management systems, and other sources, with no inventory of how many there are and no consistent rotation strategy. Meanwhile, developers continue to work with plaintext secrets because, problematic as it is, it is a reliable way to make their applications work.

With this practical definition in hand, you can develop a step-by-step plan that addresses each of these concerns.

  1. Secrets Discovery – Search the code and systems involved in the software development lifecycle to identify existing plaintext credentials and gather as much information as possible about each one.
  2. Secrets Management – Manage all known secrets through a centralized vault platform.
  3. Developer workflow – Align your processes and tools so that creating, storing, and retrieving secrets securely is the easy, default path.
  4. Secrets Scanning – Continually monitor for new secrets being added in plaintext.
  5. Automatic rotation – Periodically replace valid secrets to reduce the chance of exploitation by malicious actors.

Treat this as a gradual rollout, taking it one step at a time, and before you know it, you’ll be that much closer to eliminating the proliferation of secrets and securing all machine identities.

Find your secrets

The first problem every team faces when tackling secrets sprawl is determining what secrets they actually have. The manual effort of tracking down unknown secrets quickly becomes unwieldy for any team, but secrets scanning tools such as GitGuardian can automate this process and surface important details about each finding. The platform should also provide a communication path for collaborating with developers on remediation.

Implementing a centralized secrets vault

Central to any good secrets management strategy is controlling how secrets are stored and used. An enterprise vault gives you visibility into all known secrets and encrypts them at rest and in transit. Good vault solutions include CyberArk Conjur and HashiCorp Vault Enterprise. A cloud provider's native secrets service is also a good option if all your infrastructure is with the same provider, such as AWS or GCP.

Securing developer workflows

Historically, the management of secrets has been left in the hands of developers, resulting in a variety of ad hoc solutions such as `.env` files or, unfortunately, secrets hard-coded into the codebase. A centralized vault gives developers a consistent way to securely retrieve credentials from their applications across all environments. If we could provide a standardized approach that is as easy to implement as what they do today, many developers would jump at the chance to ensure their deployments are not blocked by security concerns.

You should also consider shifting left. Command line tools like ggshield let developers add automated Git hooks that scan for plaintext credentials before a commit is made. By preventing secrets from ever reaching a commit, you avoid incidents you would otherwise have to deal with later and resolve issues at the least costly point in the software development lifecycle.

Secret scanning of every shared interaction

You also need a way to deal with the reality that accidents happen. Continuous monitoring is needed to catch new issues as existing developers make mistakes, or as new teams or subcontractors are brought on who don’t yet know the process. Just as with initial secrets discovery, using a platform that organizes findings into coherent incidents lets you respond to these new issues quickly. For example, GitGuardian integrates at the code repository level to automatically catch new plaintext credentials within seconds of every push or commit.
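The discovery, pre-commit and continuous scanning steps above all rely on the same core check: find credential-looking literals while ignoring references to a vault or environment variable. The following is an added example written for this article, not GitGuardian's or ggshield's code; the sample files, key names and detection patterns are constructed here, and a real scanner would use far more specific detectors.

```python
import re

# Constructed sample covering the sources the article names (a .env file, a CI
# pipeline, application code). Every value below is made up for this example.
SAMPLE_FILES = {
    ".env": "DB_PASSWORD=hunter2\n"
            "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
    ".github/workflows/ci.yml": "env:\n"
            "  API_TOKEN: ghp_a1B2c3D4e5F6g7H8i9J0k1L2m3N4o5P6q7R8\n"
            "  DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}\n",
    "app/config.py": "DEBUG = True\n"
            "DATABASE_URL = 'postgres://app:s3cr3tP4ss@db.internal/app'\n"
            "SMTP_PASSWORD = os.environ['SMTP_PASSWORD']\n",
}

# A credential-looking key name assigned a literal value (KEY=value, KEY: value, KEY = 'value').
ASSIGNMENT = re.compile(
    r"(?i)\b(?P<key>\w*(?:secret|password|passwd|token|api_key|access_key)\w*)"
    r"\s*[:=]\s*['\"]?(?P<value>[^'\"\s]+)"
)
# A password embedded in a connection URL: KEY = scheme://user:password@host
URL_CREDENTIAL = re.compile(
    r"(?P<key>\w+)\s*[:=]\s*['\"]?[a-z][a-z0-9+.-]*://[^:/\s]+:(?P<value>[^@\s]+)@"
)
# Indirections that are NOT plaintext secrets: env lookups, CI secret references, placeholders.
REFERENCE = re.compile(r"^\$|^\{\{|^os\.environ|^<.*>$|^(changeme|xxx+|todo)$", re.I)


def mask(value):
    """Keep only the first and last two characters so a report never re-leaks the secret."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 4) + value[-2:]


def scan_text(path, text):
    """Return one finding per plaintext credential in text; references are skipped."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in (("assignment", ASSIGNMENT), ("url_credential", URL_CREDENTIAL)):
            match = pattern.search(line)
            if match and not REFERENCE.search(match.group("value")):
                findings.append({"path": path, "line": lineno, "kind": kind,
                                 "key": match.group("key"), "value": mask(match.group("value"))})
    return findings


def scan_files(files):
    """Scan a {path: contents} mapping, e.g. the files staged for a commit."""
    return [f for path, text in files.items() for f in scan_text(path, text)]
```

Run `scan_files(SAMPLE_FILES)` and four findings come back (two from `.env`, the GitHub token in the pipeline, the password inside `DATABASE_URL`), while the `${{ secrets.* }}` and `os.environ` references are correctly ignored; in a pre-commit hook a non-empty result is what blocks the commit.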

Make short-lived credentials the goal of automatic rotation

If an attacker finds a valid secret, their job is much easier, since they only need to try it on any door they come across. If the same attacker finds an invalid secret, there is little they can do with it. Once you have a centralized vault, you can put an automatic rotation plan in place. Most modern platforms and services offer a way to generate new credentials and invalidate existing ones through an API call. With a bit of scripting, following one of the many guides published by platforms like AWS and CyberArk, you can automate the secure replacement of credentials on a regular schedule (even daily).
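The ordering of those API calls is what makes rotation safe: create the new credential, verify it works, publish it to the vault, and only then revoke the old one, so a failed rotation never leaves applications without a working secret. The example below is added here and is not from any vendor guide; `CredentialProvider` and `Vault` are constructed in-memory stand-ins for a service's credential API and an enterprise vault client.

```python
import secrets
import time

# Hypothetical in-memory stand-ins for a service's credential API and an enterprise vault
# (constructed for this example; a real rollout uses the provider SDK and the vault client).
class CredentialProvider:
    def __init__(self):
        self.active = {}  # key_id -> secret, the keys the service currently accepts

    def create_key(self):
        key_id, secret = "AK" + secrets.token_hex(4), secrets.token_urlsafe(24)
        self.active[key_id] = secret
        return key_id, secret

    def revoke_key(self, key_id):
        self.active.pop(key_id, None)

    def authenticate(self, key_id, secret):
        return self.active.get(key_id) == secret


class Vault:
    def __init__(self):
        self.versions = []  # newest last; applications always read the newest version

    def put(self, key_id, secret, ttl_seconds):
        self.versions.append({"key_id": key_id, "secret": secret,
                              "expires": time.time() + ttl_seconds})

    def current(self):
        return self.versions[-1]


def needs_rotation(vault, now=None):
    """True once the current version has reached its TTL (daily rotation: ttl_seconds=86400)."""
    return vault.current()["expires"] <= (time.time() if now is None else now)


def rotate(provider, vault, ttl_seconds=86400):
    """Create, verify, publish, revoke: the old key keeps working until the new one is proven."""
    old = vault.current()
    key_id, secret = provider.create_key()
    if not provider.authenticate(key_id, secret):  # verify before cutting over
        provider.revoke_key(key_id)
        raise RuntimeError("new credential failed verification; old one left in place")
    vault.put(key_id, secret, ttl_seconds)  # consumers pick up the new version from here
    provider.revoke_key(old["key_id"])  # only now does the old (possibly leaked) key stop working
    return key_id
```

A scheduler would call `rotate` whenever `needs_rotation` is true; after it returns, the previous key id no longer authenticates while the vault's newest version does.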

End-to-end secrets security requires planning

The best time to address end-to-end secrets security is right now. If you don’t have a game plan in place yet, today is the best time to start the conversation. Start by asking questions like “What secrets do we have?” and “Do we have a vault?” Ultimately, you need to empower your developers with workflows and guardrails so they can focus on their development flow.

It is an ongoing process of constantly monitoring for new secrets so they are discovered and addressed immediately. It takes effort, including raising awareness and adopting the right processes and technologies, but any business can achieve proper end-to-end management of machine identities and secrets across the organization.

This article was contributed by one of our valued partners.
