Avocado’s DevSecOps Maturity Model whitepaper outlines a structured approach to integrating security across the entire DevOps lifecycle. Central to this model are four key pillars aligned to NIST Framework: Prepare Your Organisation, Protect Your Software, Produce Well-Secured Software, and Proactive Response to Vulnerabilities. As part of our fast, safe and secure series, we unpack each pillar.
This blog focuses on “Pillar 2 – Protect Your Software,” emphasising secrets management—a critical component for safeguarding sensitive information such as API keys, passwords, and tokens throughout the development lifecycle.
Why is it important? Developer and machine identities are the key players in innovation and cloud, but they also hold the keys to the kingdom. The latest CyberArk Identity Threat Landscape report states that 80% of organisations experienced an identity breach due to a software supply chain attack, exposing cloud security concerns such as data theft, privacy non-compliance, and secrets leakage. Traditional ways of securing secrets are no longer sufficient, especially with the rapid rise of non-human identities. Read on to find out more.
DevOps teams understand the importance of Agile delivery, with continuous workflow between Development and Operations teams. However, as security concerns arise, overlaying security on the application delivery process can challenge the objectives of DevOps, impacting efficiency, security, and scalability.
Securing enterprise credentials, one of the most vulnerable attack surfaces, is crucial. This includes secrets used in CI/CD pipelines, DevOps automation tools, applications, and other non-human identities. These secrets can create complex vulnerabilities that lead to accidental exposure or unauthorised access to critical assets.
Common Risks in Secrets Management:
- Vault sprawl – a secrets store for every project;
- Secret Zero – one master key to secure all other secrets;
- Secrets Islands – a secrets store for each tool;
- Hard-coded secrets within DevOps tools and,
- Cloud integrations secrets exposure.
By addressing these risks, organisations can better protect their software and maintain the integrity of their development processes. Below, we dive deeper into the top three challenges that developers face and explore developer-friendly solutions to secure enterprise secrets.
Challenge 1: Secure Storage and Retrieval
With speed, often comes shortcuts that make storing secrets easier for the development team but that increase technical debt. This slows when cumbersome security mandates are placed on DevOps managers and SRE leaders for storage and retrieval, impacting the Developer Experience and overall business outcomes.
In both scenarios the outcome is greater complexity in the long run. Shortcuts lead to vault sprawl resulting in too many secrets to maintain, no rotation; secrets islands create silos resulting in inconsistent security policies and audit data; and hard coding gives no control to the security team to secure enterprise and often leads to confusion in the ownership of risk.
The fact is, that ensuring the secrets are stored securely, whether in configuration files, databases, or centralised storage mechanism, is critical to an organisations cyber maturity.
At each stage of the application delivery process, organisations need storage solutions that offer the performance and capacity essential for maintaining productivity. Simultaneously, there is a need to reduce administrative overhead and minimise storage provisioning delays, ensuring that individuals can focus on their primary tasks without interruption.
Challenge 2: Integration to Application Code
It is common for developers to hard code secrets within developers’ tools. Embedding secrets directly into code can lead to exposure and credential theft.
Risks arise in multiple ways. For example, credential secrets can easily be extracted by local discovery or unauthorised access to Devs tools, exposing your secrets. Secondly, hardcoding secrets into source code can present issues when the organisation needs to rotate keys or change passwords – meaning the code would need to change, and the application recompiled and redeployed.
Developers need to find a balance between security and code simplicity.
Challenge 3: Credential Rotation
Generally, greater reliance on manual processes for managing secrets correlates with an elevated potential for security vulnerabilities and improper practices. The absence of password rotation, reliance on default passwords, incorporation of embedded secrets, sharing of passwords, and the use of simplistic, easy-to-recall passwords all contribute to the compromised confidentiality of secrets, increasing the risk of breaches. Further, manual credential rotation increases human error while maintaining the secret.
Implementing automated processes for regularly rotating credentials can also be a challenge. Developers need to ensure that the rotation process does not disrupt the application’s functionality and that new credentials are seamlessly updated.
With faced with so many challenges, how can developers best overcome their concerns?
A centralised approach to securing secrets ensures Security and IT teams are aligned and secure. The infographic highlights this further. When it comes to Secrets management practices during development, two territories diverge: bad and good. As this infographic depicts, bad (decentralised) Islands lead to sprawl – scattered secrets across multiple Islands (vaults) and tools (ships) which are vulnerable to threats, complexity, and technical debt. However, good (centralised) Island offers an integrated fortress guarded by vigilant DevOps and Security armies with encryption, access control, and automation. Security and IT objectives are aligned – strengthening defenses while delivering with speed among clear waters!
Adopting Best Practice
Some best practice approaches to adopting secrets management to secure enterprise include looking at architecture, policies and culture:
Architecture
• Centralise secrets management to reduce security islands, vault sprawl, and improve compliance.
• Adopt zero-trust architecture.
• Automate secrets rotation.
• Implement real-time monitoring for fast remediation of suspicious activities.
Policies and Procedures
• Undertake a threat and risk assessment/ third party risk assessment to see where your risks lie and build a tailored roadmap.
• Ensure security teams consistently implement policies that define the minimum complexity standards for passwords and approved encryption algorithms across the entire organisation.
Culture of Collaboration
• Help developers understand their risks, and security teams on how new tools and procedures could unburden the DevOps team.
• Gain visibility and adjust methodologies by incorporating DevSecOps into the development cycle.
A look at a leading centralised secret management solution
CyberArk’s Secrets Management platform solves the problems of secret zero and security islands by providing a single consistent interface and vault. It uses secrets management best practices, including strong authentication, role-based access control (RBAC), credential rotation, management, and audit.
CyberArk’s Secrets Manager is designed to secure secrets and credentials used by a broad range of application types in on-premise, hybrid, cloud-native, and containerised environments. Secrets Manager comprises of Conjur Enterprise and Credential Providers that facilitates securing all application secrets across the enterprise. CyberArk offers Conjur Cloud and Secrets Hub SaaS solutions to allow customers to start secrets management quickly and remove the operational burden. CyberArk understands the importance of securing non-human identities in a way that won’t get in the way of developers. Talk to Avocado about a demo.
How secure is your software pipeline?
Take the mini self-assessment now! Do you know where your team sits on their DevSecOps maturity and what steps they can take to secure their software supply chain? Self-assessing your current maturity level to identify your gaps
Final thoughts
Overall, addressing these development concerns requires a combination of technical solutions, developer training, and a commitment to incorporating security into the development lifecycle. Developers should work closely with security teams to implement effective secrets management practices throughout the software development process for a secure enterprise. By doing so, security teams get full visibility of their attack surfaces and take control of access controls, while developers can continue to innovate at speed.
How can Avocado help secure your enterprise?
Avocado offers a holistic approach that combines strategic planning, technical expertise, and hands-on implementation following industry standards and best practices. With our Certified consultants and Managed Services team, Avocado can significantly deliver industry leading Secrets Management solutions to meet customer’s identity security practices and improve overall cybersecurity posture.
Keep reading our related content!
We’re the first fully-certified CyberArk ‘Secrets’ Partner
Avocado Consulting announces an expanded collaboration with identity security leader CyberArk across Australia and New Zealand, aimed at securing enterprise secrets
