At the heart of every application are secrets. Credentials that enable human-to-machine and machine-to-machine communication. Machine identities exceed human identities by a 45 to 1 ratio and represent most of the secrets we need to worry about. In accordance with CyberArk’s latest research, 93% of organizations had two or more identity-related breaches in the past year. It is clear that we need to address this growing problem. In addition, it is clear that many organizations agree to use plaintext credentials for these identities in private repositories, assuming that they will remain private. However, poor private code hygiene leads to public leaks, as we see all too often in the news. Given the scale of the problem, what can we do?
We really need changes in our processes, especially around creating, storing and working with machine identities. Fortunately, there is a clear path forward that integrates existing secret management solutions and tools to detect and remediate secrets while meeting developers where they are.
Creating an end-to-end security secrets game plan
When we think about solving the machine identity problem, also known as secret sharing, we can state the problem in a few sentences.
“In our code, configurations, CI pipelines, project management systems, and other sources, we have an unknown number of true long-lived open-text secrets that we cannot account for without an agreed rotation strategy. Meanwhile, developers continue to work with secrets in plaintext, as it’s a reliable, if problematic, way to make an app work.”
By thinking through this working definition, we can create a multi-step plan to solve each problem.
- Secret Discovery – Searching the code and systems involved in the software development lifecycle to identify existing identifiers in the open, gathering as much information about each as possible.
- Secret Management – Accounting for all known secrets through a centralized storage platform.
- Developer Workflows – Adjust processes and tools to make it easier to properly create, store, and safely invoke secrets.
- Secret Scanning – continuous monitoring of new secrets that are added as plain text.
- Automatic rotation – Regular replacement of valid secrets reduces their potential exploitation by attackers.
You can take this journey one step at a time, treating it as a phased deployment. Before you know it, you’ll be one step closer to eliminating the sharing of secrets and protecting all of your machine’s identity.
Finding your secrets
The first challenge every team faces when trying to deal with secrets is determining what secrets they have. Manually searching for unknown secrets will quickly become overwhelming for any team, but luckily there are secret scanning tools such as GitGuardian, which can automate this process and make important details clear. From a stable platform, you have to provide a communication path to work with developers for fixes.
Implementation of a centralized secret store
Central to any good secret management strategy is managing how secrets are stored and used. Enterprise repositories transparently allow all known secrets to be accounted for by encrypting them at rest and in transit. A good storage solution, including Be enchanted with Cyberark and Hashicorp Vault Enterprise. If all your infrastructure is from one vendor, e.g AWS or GCP are very good options as well as
Developer workflow security
Secret management has historically been left in the hands of developers, leading to a wide variety of solutions such as `.env` files and, unfortunately, hard-coding secrets into the codebase. Using a centralized storage solution gives developers a consistent way to securely invoke credentials from their applications across all environments. If you can offer a standardized approach that is as easy to implement as what they are doing now, you will see that many developers will jump at the chance to ensure that their deployments are not blocked by this security issue.
You’ll also want to consider shifting to the left. Command-line tools like ggshield allow developers to add automatic Git hooks to lookup credentials in plaintext before any commit is made. Disconnecting the secret from achieving a commit means no incidents to deal with later and fixing the problem at the least expensive point in the software development lifecycle.
Secret scanning on every shared interaction
You also need a way to accommodate the reality that accidents sometimes happen. Constant monitoring is needed to keep an eye out for any new issues that arise due to mistakes by existing developers or when new teams or subcontractors are hired who simply don’t know your processes yet. Just like when secrets are first discovered, using a platform that gathers information into a consistent incident will help you respond quickly to these new challenges. GitGuardian, for example, integrates at the code repository level to capture new credentials in plaintext in seconds, automatically with every click or comment.
Short-term credentials should be the target of automatic rotation
If an attacker finds the real secret, it makes their job a lot easier as they can simply unlock any door they come across. If the same attacker finds an invalid secret, there is nothing he can do about it. With centralized storage, you can set up automatic rotation plans. Most modern platforms and services have a way to generate new credentials using an API call and a way to invalidate existing secrets. With a small script, following one of the many guides issued by platforms such as AWS or CyberArk, it is possible to automate the secure replacement of any credentials on a regular, even daily, schedule.
End-to-end security of secrets requires a plan
The best time to address end-to-end secret security concerns is now. If you don’t already have a game plan, now is the best time to start those conversations. Start with questions like, “What secrets do we have?” or “Do you have storage?” Ultimately, we need to provide developers with workflows and fences that allow them to focus on the development process.
Ensuring that new secrets are discovered and promptly addressed is an ongoing process. it will take effort, including raising awareness and adopting the right processes and technologies, but any company can gain better control over machine identities and secrets, end-to-end, across the organization.