Eran Orzel
Dec 21 · 6 min read
A recent Forrester report found that about 63% of IT leaders claim developers lack the understanding and ability to implement proper security controls. Additionally, the same report says that 57% of organizations suffered security incidents related to exposed secrets in DevOps.
Modern applications need to communicate with external applications, and they require internal service-to-service communication. This means numerous privileged credentials, or secrets, are required to access any service, application or data store. The number of secrets in a modern application grows quickly, and with greater scale and complexity they become hard to keep track of. On top of leaked or compromised secrets, security teams often do not even know what they need to protect, which makes an already bad problem worse.
It is not enough to put a few security practices in place to manage secrets; these practices must be refined over time. Once secrets are compromised, even a novice cybercriminal can cause great damage.
Secrets management involves securing the lifecycle of credentials, tokens, passwords, and other sensitive information by consistently enforcing security policies. It protects critical assets and resources across tool stacks, platforms, and cloud environments from unauthorized access.
Secrets are non-human privileged credentials used to perform digital authentication when privileged users need to access sensitive applications or data. They take several forms:
User credentials are usually username and password combinations used to verify human users and grant them access to protected data, services or endpoints. They are bound to a particular user.
A connection string connects an application to a database server, so it contains all the credentials (secrets) required to establish a connection to the target database or file.
Encryption keys secure communication over untrusted channels and support identity verification and user authentication. Both encryption and decryption keys are secrets.
Cloud credentials are the secrets required to access data, resources and servers provided by cloud service providers; they carry the credentials used to authenticate users accessing cloud resources.
Some secrets serve to identify the source of an API request; others are needed to make API requests on behalf of a user.
Secrets management best practices help minimize the risk of compromising sensitive data and eliminate the chances of unauthorized agents gaining access to critical resources. They help ensure protection at every phase of a secret’s lifecycle – from creation to deletion.
Managing and securing the integrity of secrets is a hard task with no room for failure, and there are numerous factors to take into account. It is therefore easy to slip into bad practices that lead to major pitfalls.
Hardcoding or embedding credentials in an application’s source code is risky: malicious actors who obtain the code can grab access keys, escalate privileges, view other secrets and gain unrestricted access to cause all sorts of damage. Failing to revoke user credentials and to rotate keys periodically can likewise let intruders get hold of sensitive data and breach the organization’s security.
When secrets are scattered throughout a system in plain text, several problems follow, the most significant being a lack of visibility and control and a large amount of simply not knowing what exists. If secrets are littered across an infrastructure, there is no way to find out where a breach is or how to fix it.
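Source-level scanning is the usual detection control for the hardcoding pitfall described above. The Go program below is an added example, not code from the original article or from any scanning product: it flags string literals assigned to names containing a credential keyword, and long high-entropy literals that look like keys, while skipping values fetched at runtime. The snippet it scans is constructed for the example; `Sup3rS3cret!2021` and the 32-character string are made-up values, and `AKIAIOSFODNN7EXAMPLE` is the placeholder access key ID that AWS uses in its own documentation.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
	"strings"
)

// Finding is one suspected hardcoded credential in the scanned source.
type Finding struct {
	Line   int
	Reason string
	Text   string
}

// assignRe matches a string literal assigned to a name that contains a credential keyword,
// e.g. dbPassword = "..." or API_KEY: '...'. The first capture group records which keyword hit.
var assignRe = regexp.MustCompile(
	`(?i)\b[A-Za-z0-9_]*(password|passwd|secret|api[_-]?key|token|access[_-]?key)[A-Za-z0-9_]*\s*[:=]\s*['"]([^'"]{6,})['"]`)

// tokenRe matches any run of key-like characters long enough to be worth an entropy check.
var tokenRe = regexp.MustCompile(`[A-Za-z0-9+/=_-]{20,}`)

// shannonEntropy returns the entropy of s in bits per character; random keys score high,
// ordinary identifiers and words score low.
func shannonEntropy(s string) float64 {
	counts := map[rune]int{}
	for _, r := range s {
		counts[r]++
	}
	n := float64(len([]rune(s)))
	h := 0.0
	for _, c := range counts {
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// ScanSource returns one Finding per line that looks like it embeds a credential.
// Lines that read the value from the environment at runtime are skipped.
func ScanSource(src string) []Finding {
	var out []Finding
	for i, line := range strings.Split(src, "\n") {
		num := i + 1
		if strings.Contains(line, "os.Getenv(") {
			continue // value is read at runtime, not embedded in the source
		}
		if m := assignRe.FindStringSubmatch(line); m != nil {
			out = append(out, Finding{num, "credential assigned from a string literal (" + m[1] + ")", strings.TrimSpace(line)})
			continue
		}
		for _, tok := range tokenRe.FindAllString(line, -1) {
			if shannonEntropy(tok) >= 4.0 {
				out = append(out, Finding{num, "high-entropy literal", tok})
				break
			}
		}
	}
	return out
}

// sample is a constructed Go fragment with three embedded secrets and two benign lines.
const sample = `package db

import "os"

var dbPassword = "Sup3rS3cret!2021"
const apiKey = "AKIAIOSFODNN7EXAMPLE"
var signer = newSigner("Qx7Lm2Pz9Wk4Rt6Yb8Nc1Vf3Hj5Gd0Sa")
var token = os.Getenv("DB_TOKEN")
const defaultRegion = "us-east-1"`

func main() {
	for _, f := range ScanSource(sample) {
		fmt.Printf("line %d: %s: %s\n", f.Line, f.Reason, f.Text)
	}
}
```

The keyword rule catches the common case regardless of the value's quality (a weak `changeme` is still a hardcoded credential), while the entropy rule catches key material assigned to an innocuous name; the 4.0-bit threshold is a conventional starting point that a real deployment tunes against its own false-positive rate.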
Organizations need to set clear security policies to secure and control every stage of a secret’s lifecycle.
Secrets are passwords, connection strings and any other information that, if exposed, can put an organization at risk. They should be known only to the application and to authenticated users and services. Other information present in a system, such as identifiers, needs to be shared selectively: although identifiers are public, they should not be guessable by third parties.
Identifiers also need to be unique across all clients of an authorization server. The passwords and keys associated with identifiers usually count as secrets. Identifiers carry significantly lower risk than secrets, which is precisely why a clear distinction between them matters: secrets need to be managed more carefully than identifiers because they can cause far more damage to applications and enterprises if leaked.
A system has multiple parts: some can be completely trusted, some can be partially trusted, and some are so exposed that they cannot be trusted at all. It is important to identify these parts so that a circle of trust can be established. Secrets should be revealed only to entities that are part of that circle and can be either completely trusted (CPU, RAM, etc.) or partially trusted (employees with explicit privileges), as this reduces the risk of a breach.
As a secret passes through a system, it goes through multiple steps and various entities. Each step is a link, and together the links form a chain. Complete visibility across the entire chain is crucial: it eliminates blind spots that could be vulnerable to infiltration, and it gives control over which trusted parts of the system have access to the secrets.
Ensure that all sensitive data is encrypted through a key management service (KMS), which encrypts data at multiple levels and so makes it more secure. A KMS can encrypt an entire file and individual pieces of data within that file with different encryption keys, which controls which parts of the data are shared and which are withheld.
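What the paragraph describes is envelope encryption: the KMS holds a key-encryption key that never leaves it, and each file or field gets its own data-encryption key (DEK) that the KMS wraps. The Go program below is an added example, not code from the article or from any particular KMS product; the in-process `kms` type stands in for the real service, and the record, its field names and values are constructed for the example. Releasing the DEK of one field lets a consumer read that field and nothing else.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// randBytes draws n bytes from the OS CSPRNG; failure here is unrecoverable.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// kms stands in for a key management service: the key-encryption key never leaves it.
type kms struct{ kek []byte }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM, nonce prefixed; aad binds the ciphertext to a field name.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; a wrong key, wrong field name or tampering yields an error.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// WrapDEK and UnwrapDEK are the only operations the KMS exposes to callers.
func (k *kms) WrapDEK(dek []byte, field string) ([]byte, error) {
	return seal(k.kek, dek, []byte(field))
}

func (k *kms) UnwrapDEK(wrapped []byte, field string) ([]byte, error) {
	return open(k.kek, wrapped, []byte(field))
}

// EncryptedField stores a field's ciphertext next to its own wrapped data-encryption key.
type EncryptedField struct {
	WrappedDEK []byte
	Ciphertext []byte
}

// EncryptRecord gives every field a fresh DEK, so fields can be released independently.
func EncryptRecord(k *kms, record map[string]string) (map[string]EncryptedField, error) {
	out := make(map[string]EncryptedField, len(record))
	for name, value := range record {
		dek := randBytes(32)
		wrapped, err := k.WrapDEK(dek, name)
		if err != nil {
			return nil, err
		}
		ct, err := seal(dek, []byte(value), []byte(name))
		if err != nil {
			return nil, err
		}
		out[name] = EncryptedField{WrappedDEK: wrapped, Ciphertext: ct}
	}
	return out, nil
}

// DecryptWithDEK decrypts one field with a DEK the KMS has released. A DEK released for a
// different field is rejected (wrong key, wrong label); an unknown field yields an error.
func DecryptWithDEK(dek []byte, enc map[string]EncryptedField, field string) (string, error) {
	pt, err := open(dek, enc[field].Ciphertext, []byte(field))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	k := &kms{kek: randBytes(32)}
	enc, _ := EncryptRecord(k, map[string]string{"ssn": "123-45-6789", "email": "user@example.com"})
	dek, _ := k.UnwrapDEK(enc["email"].WrappedDEK, "email") // release only the email field
	email, _ := DecryptWithDEK(dek, enc, "email")
	_, crossErr := DecryptWithDEK(dek, enc, "ssn") // the withheld field stays closed
	fmt.Println("email:", email, "| ssn with the email DEK:", crossErr)
}
```

Binding the field name as GCM associated data means a wrapped DEK cannot be replayed under another field's name either; the KMS refuses to unwrap it, which is the property that lets a file be shared piecewise.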
Once in use, a secret should be changed periodically. When a secret stays the same for a long time, more and more people gain access to it and may end up compromising it; such secrets can be leaked unintentionally by employees or stolen by malicious agents.
Automated, machine-generated passwords are random and unique, which makes them far harder for attackers to guess. Manually chosen passwords can be cracked easily, so they should be dropped in favour of automated password generation.
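The two practices above (rotate on a schedule, never rely on human-chosen values) as an added Go example that is not code from the article: an in-memory store with a maximum secret age, a generator that draws from `crypto/rand` without modulo bias, and the periodic job that rotates whatever is overdue. The secret names, the 30-day limit and the timeline are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
	"sort"
	"time"
)

// alphabet omits look-alike characters (0/O, 1/l/I) so a generated value survives being
// read back by a human during an incident; 57 symbols still give about 5.8 bits per character.
const alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789"

// GeneratePassword returns n characters drawn uniformly from alphabet with crypto/rand;
// rand.Int rejects out-of-range draws, so there is no modulo bias.
func GeneratePassword(n int) (string, error) {
	out := make([]byte, n)
	size := big.NewInt(int64(len(alphabet)))
	for i := range out {
		idx, err := rand.Int(rand.Reader, size)
		if err != nil {
			return "", err
		}
		out[i] = alphabet[idx.Int64()]
	}
	return string(out), nil
}

// Secret is one stored credential; Version increments on every rotation so consumers
// can tell which generation they hold.
type Secret struct {
	Name      string
	Value     string
	Version   int
	CreatedAt time.Time
}

// Store keeps the current version of each secret under a rotation policy.
type Store struct {
	MaxAge  time.Duration
	secrets map[string]Secret
}

func NewStore(maxAge time.Duration) *Store {
	return &Store{MaxAge: maxAge, secrets: map[string]Secret{}}
}

// Rotate replaces a secret's value with a fresh machine-generated one and bumps the version.
func (s *Store) Rotate(name string, now time.Time) (Secret, error) {
	value, err := GeneratePassword(32)
	if err != nil {
		return Secret{}, err
	}
	sec := Secret{Name: name, Value: value, Version: s.secrets[name].Version + 1, CreatedAt: now}
	s.secrets[name] = sec
	return sec, nil
}

// Get returns a secret (and whether it exists) without changing it.
func (s *Store) Get(name string) (Secret, bool) {
	sec, ok := s.secrets[name]
	return sec, ok
}

// Overdue lists secrets older than MaxAge, i.e. the ones the rotation job must process now.
func (s *Store) Overdue(now time.Time) []string {
	var names []string
	for name, sec := range s.secrets {
		if now.Sub(sec.CreatedAt) > s.MaxAge {
			names = append(names, name)
		}
	}
	sort.Strings(names)
	return names
}

// RotateOverdue is the periodic job: rotate everything past its age limit.
func (s *Store) RotateOverdue(now time.Time) ([]string, error) {
	overdue := s.Overdue(now)
	for _, name := range overdue {
		if _, err := s.Rotate(name, now); err != nil {
			return nil, err
		}
	}
	return overdue, nil
}

func main() {
	t0 := time.Date(2021, 12, 1, 0, 0, 0, 0, time.UTC) // constructed timeline
	s := NewStore(30 * 24 * time.Hour)
	s.Rotate("db/password", t0) // initial provisioning is itself a rotation: never a human-chosen value
	s.Rotate("api/key", t0.Add(20*24*time.Hour))
	rotated, _ := s.RotateOverdue(t0.Add(45 * 24 * time.Hour))
	db, _ := s.Get("db/password")
	fmt.Println("rotated:", rotated, "| db/password is now version", db.Version)
}
```

Passing `now` in explicitly keeps the policy deterministic and testable; a real deployment would additionally keep the previous version alive for a short overlap so consumers mid-request are not cut off the moment a rotation lands.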
Secrets management platforms are software applications designed to store secrets securely. They keep secrets from being embedded in code or saved anywhere in the system that is unnecessary and insecure.
Users and applications with high privileges also have access to sensitive and critical data and resources, so they can become one of the main channels through which data leaks, whether deliberately or accidentally. This is precisely why it is important to follow the principle of least privilege: any user or application is given only the privileges needed to accomplish its task. If a user does not require a particular access right, they should not be granted it.
Additionally, privilege elevation should be granted only for a valid reason and should be limited in time. Privileged sessions should be closely monitored to improve oversight and accountability.
Even when best practices are followed, some kind of compromise or infiltration is inevitable. When it happens, the most important capability is detecting the unauthorized access: the quicker it is detected, the easier it is to resolve with minimal damage.
Managing and storing secrets is a big challenge that demands vigilance even from the most experienced developer. This is why enforcing secrets management best practices helps organizations establish standard security rules and procedures that protect secrets at all stages of their lifecycle.
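The last three paragraphs (least privilege, time-boxed justified elevation, and detection of unauthorized access) as one added Go example that is not code from the original article: access is allowed only on an exact standing grant or an unexpired elevation that carries a reason, every decision is written to an audit trail, and a burst of denials from one principal is surfaced as the detection signal. The principals, secret names and timeline are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Grant is a standing permission: principal may perform action on secret, nothing more.
type Grant struct{ Principal, Secret, Action string }

// Elevation is a temporary, justified widening of a principal's rights.
type Elevation struct {
	Principal, Secret, Action, Reason string
	Expires                           time.Time
}

// Event is one audit record; every decision is logged, allowed or denied.
type Event struct {
	At                        time.Time
	Principal, Secret, Action string
	Allowed                   bool
	Via                       string // "grant", "elevation", or "" when denied
}

type Policy struct {
	grants     map[Grant]bool
	elevations []Elevation
	Audit      []Event
}

func NewPolicy(grants ...Grant) *Policy {
	p := &Policy{grants: map[Grant]bool{}}
	for _, g := range grants {
		p.grants[g] = true
	}
	return p
}

// Elevate records a time-boxed elevation; a missing reason or a non-positive TTL is refused.
func (p *Policy) Elevate(principal, secret, action, reason string, now time.Time, ttl time.Duration) error {
	if reason == "" || ttl <= 0 {
		return fmt.Errorf("elevation for %s needs a reason and a positive ttl", principal)
	}
	p.elevations = append(p.elevations, Elevation{principal, secret, action, reason, now.Add(ttl)})
	return nil
}

// Authorize applies least privilege: allow only on an exact standing grant or an unexpired
// elevation for this principal, secret and action; deny everything else. Every decision is audited.
func (p *Policy) Authorize(principal, secret, action string, now time.Time) bool {
	via := ""
	if p.grants[Grant{principal, secret, action}] {
		via = "grant"
	} else {
		for _, e := range p.elevations {
			if e.Principal == principal && e.Secret == secret && e.Action == action && now.Before(e.Expires) {
				via = "elevation"
				break
			}
		}
	}
	p.Audit = append(p.Audit, Event{now, principal, secret, action, via != "", via})
	return via != ""
}

// DeniedBurst lists principals with at least threshold denials in [since, since+window):
// the signal that someone or something is probing for access it was never granted.
func (p *Policy) DeniedBurst(since time.Time, window time.Duration, threshold int) []string {
	counts := map[string]int{}
	for _, ev := range p.Audit {
		if !ev.Allowed && !ev.At.Before(since) && ev.At.Before(since.Add(window)) {
			counts[ev.Principal]++
		}
	}
	var flagged []string
	for principal, n := range counts {
		if n >= threshold {
			flagged = append(flagged, principal)
		}
	}
	sort.Strings(flagged)
	return flagged
}

func main() {
	t0 := time.Date(2021, 12, 1, 9, 0, 0, 0, time.UTC) // constructed timeline
	p := NewPolicy(Grant{"billing-svc", "db/billing", "read"})
	p.Elevate("ops-alice", "db/billing", "rotate", "emergency rotation during an incident", t0, 30*time.Minute)
	p.Authorize("billing-svc", "db/billing", "read", t0)                     // standing grant: allowed
	p.Authorize("ops-alice", "db/billing", "rotate", t0.Add(10*time.Minute)) // live elevation: allowed
	p.Authorize("ops-alice", "db/billing", "rotate", t0.Add(time.Hour))      // expired elevation: denied
	for i := 0; i < 3; i++ { // constructed: a principal with no grant keeps asking
		p.Authorize("ci-runner", "db/billing", "read", t0.Add(time.Duration(i)*time.Minute))
	}
	fmt.Println("denied-burst alert:", p.DeniedBurst(t0, 5*time.Minute, 3))
}
```

Denials are logged with the same fidelity as approvals on purpose: the audit trail, not the allow path, is what answers "who tried to reach this secret" when a compromise is being investigated.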