All your secrets are belong to us
Let's explore the range of methods and benefits of securely handling secrets for local development: from features baked into your IDE (Visual Studio, Rider), to secret management services (Azure KeyVault, AWS / GCP Secret Manager), and even loading them from your password manager of choice (e.g. 1Password). We'll then look at accessing secrets as part of a CI/CD pipeline, or loading them into infrastructure at runtime, to eliminate hard-coded secrets from every aspect of our projects.
What about when things inevitably go slightly wrong...?
We will follow the stories of a few real-world breaches: what went wrong, how we responded, the lessons we learnt, and how that feeds back into our processes.
I will discuss the processes we have implemented with our clients to manage secrets on a large scale – including following a least trust approach, methods for revoking and cycling credentials, and appropriately mapping our dependencies so we can measure the impact of a change.
Finally, we will look at the ways automation can help, including configuring automatic secret detection tools (GitHub and Azure DevOps) and CodeQL checks in our pipelines.