
How to Properly Manage Secrets in Development Projects

Mar 21, 2022 | BLOG

Secrets such as passwords and SSH keys are scattered throughout the software development process, yet access to them must be restricted to a few people. Controlled access is still a major challenge for development teams, because of the difficulty of managing this information and the adoption of non-recommended practices.

The practices that can compromise the security of a system include weak passwords, a topic already addressed here on senhasegura's blog.

In this article, we provide more details about the management of secrets in development processes. To make it easier to follow, we divided the text into the following topics:

    1. What Are Secrets?
    2. Challenges to Manage Secrets in Development Projects
    3. Password Management: Non-Recommended Standards
    4. Five Key Practices for Secret Management
    5. Conclusion

Follow our text to the end!

What Are Secrets?

All authentication credentials used by applications and services in an IT environment are considered secrets. This includes passwords, SSH keys, API keys, OAuth tokens, and configuration files that contain such credentials.

Secrets management can be viewed as enhanced password management, which includes creating, rotating, revoking, and storing credentials.

After all, the scope in this case is broader, but the purpose remains to protect against unauthorized access to data and systems, data losses, and breaches.

Secrets management contributes to cybersecurity in three instances. They are as follows:

  • Infrastructure Security – It prevents users, devices, applications, and other network elements from being compromised;
  • Cloud Service Security – It allows you to limit and manage access to cloud-based services;
  • Data Security – It makes it possible to protect critical systems, among other resources, against data losses and breaches.

Another advantage of secrets management is to help bring organizations into compliance with the requirements of demanding cybersecurity standards, such as FIPS, NIST, and HIPAA.

Challenges to Manage Secrets in Development Projects

Secrets management involves some difficulties. The most common ones are the following:

 Lack of Visibility

With the migration of IT infrastructure to the cloud, the number of resources, systems, applications, and accounts changes frequently. As a consequence, the places where secrets are stored also change. 

Therefore, for an organization to remain secure, it is essential to know clearly where this information is stored. What’s more: A lack of visibility can also create obstacles to managing these resources, or when going through an audit.

 Lack of Management Policies 

To meet the criteria of security regulations and facilitate the control of the life cycle phases of a secret, companies must define rules in security policies, which does not always occur. 

 Manual Management

Most organizations do not use automated secret management capabilities to manage their digital credentials yet. In this way, they delay the management process and make the storage of secrets more vulnerable.

Password Management: Non-Recommended Standards

Many organizations still have non-recommended standards in their password management routine. Here are a few:

 Weak Passwords

Due to the difficulty in memorizing complex passwords, many people adopt simple and easy-to-remember codes. However, this is one of the main vulnerabilities when it comes to password management. After all, easy-to-remember passwords are just as easy to crack.

Also, malicious agents can discover hardcoded and merely encoded passwords with the help of scanning tools, by performing a brute-force attack, or simply by guessing.

 Password Sharing

Many companies use shared accounts and passwords to manage their systems, making it impossible to identify who performed each action within an online environment in the event of an incident.

In addition, their employees can share passwords with co-workers or others, facilitating the action of attackers interested in sensitive organization data. 

 Storing Secrets in Plain Text

It is common for employees in a company’s department to use text files that contain all passwords for critical situations or forward messages to colleagues with the necessary secrets to access a resource.

Nevertheless, these practices pose risks to the cybersecurity of organizations: attackers only need to obtain a file, message, or email to have tools to hack a system. 

 Reuse of Secrets 

It is also very common to reuse the same secret for different services in order to make it easier to remember and to save time. However, if a malicious user discovers that one secret, every service that shares it is compromised as well.

 Unrevoked Secrets 

NIST has as a criterion the revocation of user credentials when necessary. This should occur in the event an employee is fired or a contract with a third-party supplier is terminated, for example. However, this security procedure is not followed by all organizations.

 Secrets Without Rotation

Various security standards dictate that passwords be changed within a given time frame, and the same applies to application keys and other types of secrets. Once again, not all companies follow this recommendation.


Five Key Practices for Secret Management

There are several ways to provide a secure method for protecting secrets. The following are five important steps to achieve this goal:

 Centralized Secrets Management

First, you should centralize your secrets in one place to ensure more security and facilitate their management. This makes it easier to build governance, security, and auditing to know who accesses this information and when it is accessed. 

 ACLs (Access Control Lists)

Once you have your secrets centralized in one place, make sure the right people have access to them. To do this, you can create human, machine, and application ACLs that give you control of that access. 

 Temporary Credentials

The third and fourth practices go together: both rely on dynamic secrets. In practice, ensuring dynamic secrets means giving individuals and entities temporary, short-lived credentials to access the systems, rather than long-lived static ones.

Encryption

Data in transit and at rest must be encrypted, with the encryption keys themselves kept in the centralized secrets management system rather than alongside the data they protect.

 Audit

Now, you might be wondering how to audit your secrets management and know what was accessed by which user. 

Each dynamic secret is used by a single user, who is properly authenticated when retrieving it, and encryption as a service lets you record who performed each encryption and decryption operation. Together, these records give you a complete picture of everything that happens in your IT infrastructure.
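The five practices above, as an added illustration that is not part of the original post: a hypothetical Python secret store that keeps every secret in one place, enforces a per-principal ACL, issues single-use temporary leases, revokes a principal's leases on offboarding, and records every attempt in an audit trail. Encryption at rest is left to a real KMS or AEAD library and is not modelled here; the `SecretStore` class, its method names and the sample values are all constructed for this example.

```python
from __future__ import annotations
import secrets
import time
from collections import namedtuple

# A temporary credential: who holds it, for which secret, and when it expires.
Lease = namedtuple("Lease", "principal secret_name token expires_at")

class SecretStore:
    """Hypothetical centralized store: ACL checks, short-lived leases, audit trail."""

    def __init__(self, vault: dict[str, str], acl: dict[str, set[str]], ttl: float):
        self._vault = vault                  # one central place for every secret
        self._acl = acl                      # principal -> secret names it may read
        self._ttl = ttl                      # lease lifetime in seconds
        self._leases: dict[str, Lease] = {}  # outstanding tokens
        self.audit: list[dict] = []          # one record per attempt, allowed or not

    def _log(self, principal: str, action: str, name: str, ok: bool) -> None:
        self.audit.append({"ts": time.time(), "principal": principal,
                           "action": action, "secret": name, "ok": ok})

    def issue_lease(self, principal: str, name: str, now: float) -> Lease | None:
        """ACL check first; on success hand out a single-use, time-limited token."""
        allowed = name in self._acl.get(principal, set()) and name in self._vault
        self._log(principal, "issue", name, allowed)
        if not allowed:
            return None
        lease = Lease(principal, name, secrets.token_urlsafe(16), now + self._ttl)
        self._leases[lease.token] = lease
        return lease

    def read(self, token: str, now: float) -> str | None:
        """Redeem a lease exactly once; unknown or expired tokens yield nothing."""
        lease = self._leases.pop(token, None)
        if lease is None:
            return None
        ok = now < lease.expires_at
        self._log(lease.principal, "read", lease.secret_name, ok)
        return self._vault[lease.secret_name] if ok else None

    def revoke(self, principal: str) -> int:
        """Offboarding: cancel every outstanding lease held by a principal."""
        doomed = [t for t, l in self._leases.items() if l.principal == principal]
        for t in doomed:
            del self._leases[t]
        self._log(principal, "revoke", "*", True)
        return len(doomed)
```

The `now` parameter is passed explicitly so that lease expiry can be exercised deterministically; a real store would read the clock itself.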

Conclusion

By reading this article you have learned what secrets are, how they should be managed, and what the biggest challenges in managing this information are. You were also able to understand which practices are not recommended in password management, such as:

  • Weak Passwords;
  • Password Sharing;
  • Storing Secrets in Plain Text;
  • Reuse of Secrets;
  • Unrevoked Secrets; and
  • Secrets Without Rotation.

In addition, we presented five fundamental practices for good secrets management. 

Did you like our text? Share it with someone interested in this information. 

 
