Skip to main content

The key to successful secrets management is to make the best way the easiest way

Most organizations understand the value of secrets management — which is the practice of securely storing development credentials like API keys, certificates, and SSH keys — but not all organizations are following secure secrets management practices.

According to the secrets management provider Bitwarden’s 2024 developer survey, which polled 600 developers across different industries, 86% of companies use a secrets management solution, leaving 14% who still don’t. 

A 2023 Sophos report found that compromised credentials are the root cause of 50% of the attacks its incident response team studied.  And according to GitGuardian’s 2024 State of Secrets Sprawl Report, 12.7 million secrets were detected in public GitHub commits in 2023, which was a 28% increase from the previous year. 

“Of course, that’s a massive issue for any organization who is trying to keep customer data secure. So it’s incredibly important for any developer to adhere to proper secrets management practices,” said Max Power, product lead for Bitwarden Secrets Manager.

RELATED CONTENT: Implement a good secrets management practice to reduce your security risk

Organizations know that they need to do better, but there are many things that tend to get left behind by developers when they’re under pressure to deliver faster, and secrets management is unfortunately one of them.

Nic Manoogian, engineering manager at secrets management platform Doppler, believes that in order to successfully implement good secrets management practices, teams should make it work with their existing workflows. 

“Evaluate your options and really try to make sure that whatever you’re doing fits into a workflow that’s sustainable for you, that’s probably my biggest advice,” said Manoogian.

Brian Vallelunga, founder and CEO of Doppler, agreed, saying “if you don’t tackle the building it into your workflow part, then it’s just not going to get used and then there’s no value.”

He explained that there are many ways to store secrets, from the least secure method of just storing them in text files to the most secure option of using a platform designed specifically for securely keeping the information. 

Using a secrets management system is beneficial, not just because it is more secure, but it avoids developers having to manage a patchwork of files or different systems where secrets are kept, which actually introduces more friction into development teams.

“The art and practice of secrets management is keeping those secrets secure, while also making them accessible to developers in the moments they need them with the right access controls and auditing in place,” said Vallelunga.

Vallelunga recommends making sure that your secrets management practice can be synced across teams and parts of the software development life cycle, otherwise it can lead to more issues. 

For instance, imagine a scenario where one developer adds a piece of code that requires a secret, and then other developers are working on that code too, but don’t have access to that secret. That can lead to broken builds and lost development time as developers work to track down the proper secret.

Power says “the goal is to make it as easy as possible to collaborate with these secrets and to share secrets in a secure manner across human users, but also across machine use and between services, between CD pipelines, different environments, and so on.”

According to the respondents of Bitwarden’s Developer Survey, the top priority development teams have when buying a secrets management solution is ease of integration with other tools. Other top factors include company security posture, features, the vendor’s reputation, and scalability. 

How secrets management can be a tool in building strong engineering cultures

SEO tool company AccuRanker uses Bitwarden to manage its secrets, and the company has found that having good tooling around secrets management has been important in building its engineering culture. 

Its chief technical officer Henrik Refslund says that if there isn’t a process in place or good tools to manage things, developers who are pressed for time will often resort to the easiest option available. “Ideally, in a perfect world, you want to be secure by default. You want secure to be the easiest choice for developers,” he said. 

He said that at AccuRanker, secrets management has become a part of efforts to improve the developer experience. Recognizing that we’re in a market where good developers are hard to come by and retaining developers can also be a challenge, maintaining good developer experience is a big goal for the company. 

This requires both policies and tooling that go hand in hand and support each other. “With proper tooling, we were able to set these policies, we were able to create rules and best practices …  if you deal with this right, if you create the proper processes and guidelines for this, it helps to build a sound engineering culture around security.”

 

The post The key to successful secrets management is to make the best way the easiest way appeared first on SD Times.



from SD Times https://ift.tt/fA9lO5k

Comments

Popular posts from this blog

Difference between Web Designer and Web Developer Neeraj Mishra The Crazy Programmer

Have you ever wondered about the distinctions between web developers’ and web designers’ duties and obligations? You’re not alone! Many people have trouble distinguishing between these two. Although they collaborate to publish new websites on the internet, web developers and web designers play very different roles. To put these job possibilities into perspective, consider the construction of a house. To create a vision for the house, including the visual components, the space planning and layout, the materials, and the overall appearance and sense of the space, you need an architect. That said, to translate an idea into a building, you need construction professionals to take those architectural drawings and put them into practice. Image Source In a similar vein, web development and design work together to create websites. Let’s examine the major responsibilities and distinctions between web developers and web designers. Let’s get going, shall we? What Does a Web Designer Do?

A guide to data integration tools

CData Software is a leader in data access and connectivity solutions. It specializes in the development of data drivers and data access technologies for real-time access to online or on-premise applications, databases and web APIs. The company is focused on bringing data connectivity capabilities natively into tools organizations already use. It also features ETL/ELT solutions, enterprise connectors, and data visualization. Matillion ’s data transformation software empowers customers to extract data from a wide number of sources, load it into their chosen cloud data warehouse (CDW) and transform that data from its siloed source state, into analytics-ready insights – prepared for advanced analytics, machine learning, and artificial intelligence use cases. Only Matillion is purpose-built for Snowflake, Amazon Redshift, Google BigQuery, and Microsoft Azure, enabling businesses to achieve new levels of simplicity, speed, scale, and savings. Trusted by companies of all sizes to meet

2022: The year of hybrid work

Remote work was once considered a luxury to many, but in 2020, it became a necessity for a large portion of the workforce, as the scary and unknown COVID-19 virus sickened and even took the lives of so many people around the world.  Some workers were able to thrive in a remote setting, while others felt isolated and struggled to keep up a balance between their work and home lives. Last year saw the availability of life-saving vaccines, so companies were able to start having the conversation about what to do next. Should they keep everyone remote? Should they go back to working in the office full time? Or should they do something in between? Enter hybrid work, which offers a mix of the two. A Fall 2021 study conducted by Google revealed that over 75% of survey respondents expect hybrid work to become a standard practice within their organization within the next three years.  Thus, two years after the world abruptly shifted to widespread adoption of remote work, we are declaring 20