Web applications often require secrets like API keys, passwords, and private certificates to function, but storing and accessing these resources can leave developers vulnerable to security risks.
In this article, you will learn about the challenges of secret management as well as some of the best practices for managing, storing, and reading secrets in web applications.
Secrets are digital credentials used for authentication and authorization. They manage access rights at both the human-to-application and application-to-application levels.
Common types of secrets include:
Secrets provide users and applications with access to sensitive data, systems, and services. This is why it is critical to keep secrets secure in transit and at rest.
The most frequent method for storing secrets has been to use .env
files, often known as environment variables; however, these files can expose data to unauthorized users, and manually managing the files can lead to errors.
For more details on the risks posed by .env
files, read here.
Secret management offers a more secure alternative.
To understand secret management, you first need to know the secret life cycle.
A healthy secret should follow this process:
Generation/creation: The secret is generated either manually by the user or automatically as required. Passwords generally adhere to a policy that governs their creation and use.
Rotation: Once a secret is in use, it should be changed on a regular basis, either automatically created or through a prompt for manual creation. If a secret is stale or expires, access is blocked until the secret is changed.
Revocation: When a secret is no longer needed or wanted—for example, when an employee leaves a company or when suspicious activity is found—it is deleted from a user or program, effectively blocking access to the resource. Pruning out unnecessary, expired, breached, or weak secrets is an important step in maintaining excellent secret hygiene.
Secret management is the process of safely and efficiently managing the production, rotation, revocation, and storage of credentials throughout the secret lifecycle. Think of it as an improved version of password management. While the scope of managed credentials is broadening, the purpose remains the same: to protect vital assets from unwanted access.
Secret management reduces or eliminates user participation in the administration of secrets in order to limit potential points of failure.
In general, it contributes to security on three levels:
Infrastructure security prevents unauthorized access to user and application accounts, devices, and other network elements.
Cloud service security restricts and manages access to cloud accounts and critical cloud-based services.
Data security prevents data compromise on vital systems, storage, databases, and other resources.
However, implementing secret management means integrating security measures into the most vulnerable levels of an organization’s infrastructure—clouds, code, data, and devices—which can be difficult.
Some of the common risks to secret management include:
Incomplete visibility and awareness: This is a particular flaw in decentralized models in which admins, developers, and other team members keep their secrets individually, if at all. The oversight here means there are sure to be security gaps as well as auditing challenges.
Hard-coded/embedded credentials: Applications and IoT devices are supplied and deployed with hard-coded, default credentials that are easy to crack using scanning tools and simple guessing or dictionary-style attacks.
Privileged credentials and the cloud: Cloud and virtualization administrator consoles (such as those provided by AWS or Office 365) grant users extensive superuser privileges, allowing them to instantly spin up and spin down virtual machines and applications at a large scale. Each of these virtual machines has its own set of privileges and secrets that must be controlled.
DevOps tools: DevOps teams generally use multiple tools and technologies for orchestration, configuration management, and other purposes (for example, Chef, Puppet, Ansible, Salt, and Docker containers), which rely on automation and other scripts that require secrets to function.
Third-party vendor accounts/remote access solutions: It is difficult to ensure that the authorization provided via remote access or to a third party is appropriately used.
Manual secret management processes: More manual secret management techniques imply a higher risk of security flaws and mistakes.
However, there are solutions and best practices to address these issues and keep your sensitive data safe.
There are several methods you can use to provide a safe and secure way for your users and apps to retrieve what they need to access systems.
Here is what you need to do to build an efficient secret management system within your organization.
First, you need to centralize your secrets. Many projects store secrets in version control systems such as GitHub, Bitbucket, and GitLab.
Centralizing your data makes it easier to control who can access secrets and at what times.
To centralize secrets, you can save them in a database or use a Secrets Manager.
Read more about Secret Managers here.
A unified secret management policy should provide stringent guidelines for the structure of secrets (minimum length, complexity, usage of special characters, forbidden passwords, reuse, and duration) while prohibiting the use of default or hard-coded secrets.
Some fundamental features should be included in this policy:
When actions aren’t automated, you run the risk of damage caused by human error. Try to rely on technology rather than humans to develop, manage, disseminate, and maintain secrets and remove any hard-coded or embedded secrets.
Provide temporary credentials to unique individuals or entities at the granular level, also known as dynamic secrets, so that in case of any breach, the affected credentials can be revoked without affecting the entire development infrastructure.
At the very least, different sets of credentials should be created for different production systems or teams, ideally for each environment.
Secrets should be encrypted in transit and at rest so as to ensure maximum security within the network.
Your encryption keys should be consolidated in the secrets management solution, allowing you to establish proper control over who has access to those keys.
To improve oversight and accountability, employ privileged session monitoring to log, audit, and monitor all privileged sessions for accounts, users, scripts, and automation tools.
Capturing keystrokes and screens is also an option, allowing for live view and playback.
Some business privilege session management solutions also allow IT teams to detect suspicious in-progress session behavior and halt, lock, or terminate the session until the activity can be thoroughly investigated.
Take advantage of the distributed nature of today’s networks. Keep secrets and sensitive data separate rather than concentrating them in the same location. This makes it easier to use and update secrets within the development infrastructure.
Secret management is critical for preserving an organization’s cybersecurity. Your organization should develop a core secret management strategy that defines uniform rules and processes for all phases of a secret’s lifecycle in order to manage secrets securely and effectively.