Thar be Dragons in Application Secret Delivery Processes

I am pleased to share the 2019 State of Application Secret Delivery and Audit Practices report with you.

As you may recall, I have been investigating DevOps Practitioners’ processes for delivering secrets to applications and analyzing those processes for threats. The study gathered data from practitioners using interviews and a survey offered through DevOps-focused forums, primarily the Phoenix DevOps Meetup and this #NoDrama DevOps Mailing List.

Thank you to everyone who shared their experiences and insights with this study. Every response you provided improved this research and it is much appreciated.

This research and analysis sends a clear signal on several matters that are important for DevOps practitioners:

  • 70% of responding DevOps practitioners are not satisfied with their application secret delivery processes
  • Dissatisfaction with a secret delivery process indicates that a risk is present or imminent about 50% of the time
  • Most practitioners lack tools to audit and detect unauthorized secret use

The biggest challenges to secure application secret delivery processes are:

  • Engineering staff lack understanding of how to solve The First Secret Problem. Unique combinations of secret vaults and deployment platforms complicate the Problem.
  • Applications or delivery tooling do not support safe secret management practices.
  • Practitioners need new or enhanced auditing tools to help them assure the confidentiality of secrets used by Cloud Native applications.

The report supports these statements with analysis of both quantitative and qualitative data gathered by the study. It also provides resources for improving secret delivery processes, including a generalized recommendation for how to structure a secure application secret delivery project for success in your own environment.

You can download the full report from:

I truly hope you find this information insightful and helpful. This research should help you explain to others why delivering application secrets is challenging, the risks of unsafe practices, and a general approach for improving your application secret delivery process.

I’d love to hear your feedback on this research or help your team assess and improve your own secret delivery processes. Just hit reply.