Select Page

Quick tophat:

If you have 8 minutes I’d really appreciate your support with my secret delivery and audit research, by completing this anonymous questionnaire:

Have you ever accidentally exposed a password, api key, or other secret?

Guilherme Stecanella, Unsplash

The romantic version of this is like putting a message in a bottle afloat on the sea. Will anyone notice? Will they do anything with that information? Report the exposure? Address whatever led to the exposure? Abuse the secret?

Here is a non-exhaustive list of ways to lose a secret:

  1. store unencrypted in source control
  2. store in a file widely accessible to build/deploy agents or applications
  3. store in CI/CD system ‘secret’ store, but implement no access control for users or jobs
  4. build into an application artifact
  5. store in environment variable and leak to other process in execution context (shell)
  6. print it on a command-line when starting application
  7. print it in a build, deploy, or application log

I’m sharing this list as a reminder of how hard it can be to safeguard secrets throughout an application’s development, deployment and operations.

Are there any big exposure vectors that I missed? Any stories you’d like to share? I’d especially like to hear from you if the way your handle secrets is great. Maybe we can share those practices.

Historically, I’ve found it very difficult to handle secrets safely in CI/CD systems. CI/CD systems often aren’t integrated with Enterprise secret vaults so that pipelines can use secrets safely. Also, secrets are often put into environment variables that are easy to leak accidentally with an errant echostatement or when using set -x to debug the flow of a Bourne-style shell script.

Seems like there is kindling laying around everywhere just waiting to be set alight to burn secrets.