secrets management Archives - SD Times
https://sdtimes.com/tag/secrets-management/
Last updated: Wed, 29 May 2024 17:13:10 +0000

The key to successful secrets management is to make the best way the easiest way
https://sdtimes.com/security/the-key-to-successful-secrets-management-is-to-make-the-best-way-the-easiest-way/
Fri, 26 Apr 2024 17:00:07 +0000

Most organizations understand the value of secrets management — which is the practice of securely storing development credentials like API keys, certificates, and SSH keys — but not all organizations are following secure secrets management practices.

According to the secrets management provider Bitwarden’s 2024 developer survey, which polled 600 developers across different industries, 86% of companies use a secrets management solution, leaving 14% who still don’t. 

A 2023 Sophos report found that compromised credentials are the root cause of 50% of the attacks its incident response team studied. And according to GitGuardian’s 2024 State of Secrets Sprawl Report, 12.7 million secrets were detected in public GitHub commits in 2023, a 28% increase from the previous year.

“Of course, that’s a massive issue for any organization who is trying to keep customer data secure. So it’s incredibly important for any developer to adhere to proper secrets management practices,” said Max Power, product lead for Bitwarden Secrets Manager.


Organizations know that they need to do better, but there are many things that tend to get left behind by developers when they’re under pressure to deliver faster, and secrets management is unfortunately one of them.

Nic Manoogian, engineering manager at secrets management platform Doppler, believes that in order to successfully implement good secrets management practices, teams should make it work with their existing workflows. 

“Evaluate your options and really try to make sure that whatever you’re doing fits into a workflow that’s sustainable for you, that’s probably my biggest advice,” said Manoogian.

Brian Vallelunga, founder and CEO of Doppler, agreed, saying “if you don’t tackle the building it into your workflow part, then it’s just not going to get used and then there’s no value.”

He explained that there are many ways to store secrets, from the least secure method of just storing them in text files to the most secure option of using a platform designed specifically for securely keeping the information. 

Using a secrets management system is beneficial not just because it is more secure, but also because it spares developers from managing a patchwork of files or disparate systems where secrets are kept, which introduces friction for development teams.

“The art and practice of secrets management is keeping those secrets secure, while also making them accessible to developers in the moments they need them with the right access controls and auditing in place,” said Vallelunga.

Vallelunga recommends making sure that your secrets management practice can be synced across teams and parts of the software development life cycle, otherwise it can lead to more issues. 

For instance, imagine a scenario where one developer adds a piece of code that requires a secret, and then other developers are working on that code too, but don’t have access to that secret. That can lead to broken builds and lost development time as developers work to track down the proper secret.

Power says “the goal is to make it as easy as possible to collaborate with these secrets and to share secrets in a secure manner across human users, but also across machine use and between services, between CD pipelines, different environments, and so on.”

According to the respondents of Bitwarden’s Developer Survey, the top priority development teams have when buying a secrets management solution is ease of integration with other tools. Other top factors include company security posture, features, the vendor’s reputation, and scalability. 

How secrets management can be a tool in building strong engineering cultures

SEO tool company AccuRanker uses Bitwarden to manage its secrets, and the company has found that having good tooling around secrets management has been important in building its engineering culture. 

Its chief technical officer Henrik Refslund says that if there isn’t a process in place or good tools to manage things, developers who are pressed for time will often resort to the easiest option available. “Ideally, in a perfect world, you want to be secure by default. You want secure to be the easiest choice for developers,” he said. 

He said that at AccuRanker, secrets management has become a part of efforts to improve the developer experience. Because good developers are hard to come by and retaining them can also be a challenge, maintaining a good developer experience is a big goal for the company.

This requires both policies and tooling that go hand in hand and support each other. “With proper tooling, we were able to set these policies, we were able to create rules and best practices … if you deal with this right, if you create the proper processes and guidelines for this, it helps to build a sound engineering culture around security.”


The post The key to successful secrets management is to make the best way the easiest way appeared first on SD Times.

Implement a good secrets management practice to reduce your security risk
https://sdtimes.com/security/implement-secrets-management-to-reduce-your-security-risk/
Wed, 10 Apr 2024 18:30:23 +0000

Supply chain security has been a big topic of conversation over the past several years, and while many of the conversations have revolved around insecure third-party components in codebases, there’s another part of the supply chain that could have a negative impact if not secured properly: secrets. 

Max Power, product lead for Bitwarden Secrets Manager, said that from a development perspective, secrets include things like API keys, certificates, and SSH keys. 

“Any chain is only as secure as the weakest link,” said Power. “The same applies to organizations. We have seen in the past multiple examples of massive data breaches as a result of accidentally leaked secrets, particularly secrets that were either hard-coded or pushed in Git repos.”

According to GitGuardian’s 2024 State of Secrets Sprawl Report, 12.7 million secrets were detected in public GitHub commits in 2023, which was a 28% increase from the previous year. Over the past four years, the problem of secrets sprawl has gotten four times worse, as in 2020 only 3 million secrets were detected. 

Power says that when it comes to security, it’s important that everyone take responsibility for the codebase, from development to production to deployment, and ensure that secrets aren’t being hard-coded. 

According to Brian Vallelunga, founder and CEO of the secrets management company Doppler, there are many ways developers share and store secrets, and some are better than others. The least secure method is storing them in files on their computer. Unfortunately, Bitwarden’s Power says this is one of the most common ways secrets are stored. 

A step up from that are the people storing secrets in their cloud provider’s tools or building their own, Vallelunga explained. Developers may store secrets in the built-in AWS tooling, for example, but that becomes tricky because it ties all of your secrets to one tool. And then there are companies building their own internal tools for this purpose, but they eventually run into scalability issues, he said.

The most secure method is to use a dedicated secrets management provider designed for this specific purpose. Vallelunga explained that these tools also make it easier to share secrets across teams and offer features like access controls, auditing, and automated synchronization.

To put this into a real-life example, say you’re integrating with a service like Stripe, which requires an API key that is needed throughout the development life cycle, explained Nic Manoogian, engineering manager at Doppler.

“So local developers, if I’m integrating with this new service, I need a test environment to try this stuff out,” he said.

He said that secrets tend to be more secure in production environments for companies with a mature security practice, but then less so in local dev environments. “Maybe your company has a really mature process for managing secrets in these upper environments and these deployments, but in the local development environments, it’s kind of like, well, I don’t know, call your manager and ask for the .env file, or we’ll just check it into code. And that comes with a whole bunch of other issues,” said Manoogian.

Vallelunga believes that in order to successfully implement good secrets management practices, teams should put up as many safeguards as possible and make it work with their workflows so that it’s as easy as possible for developers. 

When developers feel that they need to start taking shortcuts in order to get things done quicker, that is when security incidents happen, he explained. 

Vallelunga believes that as organizations begin to grow and mature, they tend to take a closer look at risk and thus address their problems with managing secrets. 

“I think companies kind of go into two modes, the first mode is to build something that is valuable,” he said. “And then once they reach that point, then it’s to protect the thing that is valuable as it’s growing. And when they get into that protect mode, they start looking at all the areas of risks. And when you’re looking at the keys to your digital kingdom, that’s probably one of the biggest areas of risks you can have. And that’s when companies really start to think about that.”


The post Implement a good secrets management practice to reduce your security risk appeared first on SD Times.

Pulumi releases secrets management solution
https://sdtimes.com/cloud/pulumi-releases-secrets-management-solution/
Tue, 10 Oct 2023 15:03:33 +0000

Pulumi has launched a new product called Pulumi ESC, aimed at simplifying the management of secrets and configuration in cloud infrastructure and applications. 

It addresses the challenges of handling secrets and configuration at scale across various cloud environments. Pulumi ESC allows teams to gather secrets and configurations from multiple sources, and organize them into hierarchical collections called “environments.”

It then utilizes them across different infrastructure and application services. It can be used alongside Pulumi IaC for streamlined configuration management or independently to manage secrets and configuration for any project.

Pulumi ESC tackles common configuration and secrets management challenges through several key design principles: users define environments that contain secrets and configuration; integrations pull in secrets stored in providers such as AWS Secrets Manager, Vault, and Azure OIDC; and “consume from anywhere” capabilities make those environments available to any consumer, among other features.

Pulumi ESC is available today in preview via the new esc CLI, as part of Pulumi Cloud, via the Pulumi Cloud REST API, and has direct integration with Pulumi IaC stack configuration and new pulumi env commands.

It also supports dynamically pulling secrets and configuration from other sources of truth, including AWS OIDC, AWS Secrets Manager, Azure OIDC, Azure KeyVault, Google Cloud OIDC, Google Secrets Manager, HashiCorp Vault, and Pulumi IaC Stack References – with many more sources like 1Password coming soon.

The creators of Pulumi ESC aim to add application-level SDKs, the ability to sync configuration to external systems, a dynamic configuration provider ecosystem, and versioning requirements in the coming months, according to Pulumi’s blog post.

The post Pulumi releases secrets management solution appeared first on SD Times.

CISA releases roadmap for securing open-source software
https://sdtimes.com/security/cisa-releases-roadmap-for-securing-open-source-software/
Tue, 12 Sep 2023 19:21:04 +0000

Securing software supply chains has been a big focus of the Biden administration. In May 2021 President Joe Biden signed an executive order to improve cybersecurity, and since then the administration has made progress in providing guidance to companies on how to actually meet these cybersecurity goals.

Now the U.S. federal Cybersecurity & Infrastructure Security Agency (CISA) is building on that work with a new roadmap specifically for securing open-source software (OSS). 

“CISA recognizes the immense benefits of open source software, which enables software developers to work at an accelerated pace and fosters significant innovation and collaboration. With these benefits in mind, this roadmap lays out how CISA will help enable the secure usage and development of OSS, both within and outside the federal government,” CISA wrote in the roadmap document.

The roadmap defines two major types of open-source vulnerabilities. The first is the cascading effects of vulnerabilities for widely used open-source software. It cited Log4Shell as an example of the widespread consequences that could result from open-source software being compromised. 

The second is supply chain attacks on open-source repositories, which could result in negative downstream impacts, such as a developer’s account being compromised and an attacker using it to commit malicious code. 

The roadmap lists four key priorities: establishing its own role in supporting security of open source, driving visibility into usage and risks of open source, reducing risks to the federal government, and hardening the open-source ecosystem. 

According to CISA, this will all help it achieve its vision for open-source software, which is one in which “every critical OSS project is not only secure but sustainable and resilient, supported by a healthy, diverse, and vibrant community.”

Dan Lorenc, co-founder and CEO of supply chain security company Chainguard, feels that CISA has done a good job in segmenting the problems in this field and then prioritizing work to address them. 

He also said they did a good job of recognizing that the work needs to “happen upstream, and CISA employees will need to engage directly with communities.” He remains skeptical about how that will actually go, he said, but is trying to stay optimistic.

Lorenc recommends the government put some efforts into actually funding open-source projects, which the roadmap currently doesn’t address at all. 

“The government doesn’t have a great reputation for helping out with direct code or other contributions, but they do have the ability to help fund work already being done to achieve many of these roadmap items, such as memory safety, vulnerability remediation and SBOM tooling,” Lorenc told SD Times. “The government collaboration model here can’t be ‘you push, we’ll steer.’”

The post CISA releases roadmap for securing open-source software appeared first on SD Times.

New Docker feature keeps ‘secrets’
https://sdtimes.com/cloud/new-docker-feature-keeps-secrets/
Mon, 13 Feb 2017 18:00:47 +0000

Docker has decided to keep your secrets. The company Friday announced that the newest release of Docker Datacenter includes security-management tools for handling what it’s labeling as “Secrets.” These include API keys, passwords and encryption keys.

Docker Datacenter keeps data secure not only at rest, but also in transit. Using encryption, it offers a standardized interface for all applications that require security.


Nathan McCauley, security director at Docker, said, “Docker’s secrets-management capability is the latest security enhancement integrated into the Docker platform as part of our ongoing effort to ensure applications are safer in a containerized environment. Enterprises in the financial services and government sectors with the highest bars for security have recognized that our solution can be a cornerstone to their overall hybrid cloud security strategy. Docker secrets management, as with all aspects of security handled in Docker Datacenter, provides organizations with one security model that can be applied and managed uniformly on premise, in the cloud and across cloud providers.”

The new secrets-management capabilities are included in Docker Datacenter as part of the Docker 1.13.1 release. The product has a 30-day free trial, and it normally costs between US$1,500 and $3,000 per year per instance.

The post New Docker feature keeps ‘secrets’ appeared first on SD Times.
