CodeSecDays 2024 - Join GitGuardian for a full-day exploration of cutting-edge DevSecOps solutions!

Is secrets management a solved problem? Panel discussion

Experts discuss the persistent challenge of secrets sprawl despite available tools and technology. Panelists include Mackenzie Jackson, James Governor, Andrei Predoiu, and Mike Carey.

Video Transcript

So I want to bring up something that's kind of controversial. I'm putting this slide in here because I disagree with it, but I like the person that said it. In a quote, one of the things that he said is: "While secret sprawl is a problem most companies experience, it's not hard to solve." I disagree. I think it's very hard to solve completely, but I wanted to get your perspectives on this. Mike, I'll start with you. As someone who creates a secrets manager that helps to combat this, do you feel that secret sprawl is something that can be easily solved, or at least solved?

Honestly, that sort of sounds like famous last words. I'd be very worried to say something like that, because you're asking for trouble. I think the reality is that secret sprawl is an ever-evolving challenge. Nothing in your organization is static; everything's growing. Organizations grow, and even recently, with the increase in remote workforces, that's introduced a whole new set of problems. You no longer have the physical security of an office, you don't have the security of an office network; everyone's on their personal networks, each of which might have vulnerabilities. Then digital communications: you mentioned people sharing secrets in Slack, and I'm sure that has increased with remote workforces. Do you have screen sharing? You could slip up and expose a secret through a screen-sharing session, or accidentally commit a secret. There are all kinds of challenges, and they will continue to grow. So I don't think it's ever a problem that can be 100% solved. It's more of a strategy that needs to be implemented and continuously monitored. I think it really starts at the organizational level, and every CISO should have secrets management and secret sprawl front of mind regardless of the size of their organization, because we all know a single leaked secret can send shock waves through an organization. So it is super important, and it pains me to read this quote.

Yeah. Well, I mean, I really like Brian, and one of the things that I say, which I guess is a little bit controversial too, kind of along the same lines, is that secrets sprawl could be a solved problem in the sense that we have all the technology to solve it. We have the ability to have secrets managers, we can share secrets securely, we can store secrets securely. Technically, we can do it. It should be a solved problem, but it's not. So that's one area.

With every problem in the world, the human factor is the wild card. We can solve it with technology, but the humans are the ones who will make the mistakes; the humans are the ones who are going to accidentally leak a secret. That's what I mean by it's an ongoing challenge that you always have to be addressing, because even if you have everything in place to technically remove the challenge of secret sprawl, there are still humans involved, and they're the ones who are interfacing with these secrets.

Yeah, absolutely. I mean, even though these secrets are made to be used programmatically, machine to machine, humans still need to get their grabby hands on them and touch them and put them in places they shouldn't.

I would say that it is somewhat straightforward to do on a technical level, but the people factor is also very, very important. I think the technical side is just work you have to do: you read up, you study up, you see what the technology is, you implement it, you follow the guidelines. But changing people's behavior can be a lot more difficult at the end of the day, in my opinion. And I have a funny story there. We automated the DNS provisioning in our Kubernetes clusters; it's quite straightforward to do. Then we said, okay, you do it like this, and you don't have to get access to our DNS or do any of that. And then somebody got the service account credentials from the cluster, and we found them in a git repo. So, you know, look, it happens.

So we have the website (someone post it in the chat, because I feel like I'm going to get it wrong), shittysecretmanagement.dev or secretstory.dev; someone from GitGuardian can post that in the chat. There's a website that we have where people can share their funny stories about how credentials have leaked, and there are some doozies on there, I gotta say. Just before we move on, James, do you have an opinion on this as well?

Yeah. I think the Kubernetes example was absolutely on point. We see this again and again: with the best will in the world and the best automation in the world, you're still dealing with humans, and humans take shortcuts and humans make mistakes. I think we're always going to be in a world of mitigating risk; you cannot eliminate risk. As a parent, my job very often is risk management, and you don't want to go too far. There have to be some freedoms there, but clearly you need guardrails, and occasionally stuff will go wrong. So secret sprawl... again, I don't think we ever get to 100% in anything when it comes to technology.

Yeah, definitely. And just in case, I want to say that this wasn't there to shame Doppler or Brian. I just put this in there because it's controversial and an interesting talking point. I'm sure if he was here he'd be able to defend himself, but he's not, so we'll move on. But why is it harder? In my opinion... this is the great thing about being a moderator: when it's my time to speak, I can actually have slides that go with what I want to say. It's totally unfair, but I'm going to take advantage. The reason I feel that it's very hard to solve this problem is that it's really hard to catch them all without having any false positives. Everyone that works in security is affected by something called alarm fatigue, so how do we capture all the secrets without being alerted too much? It's difficult. Secrets are everywhere: they're in Slack, we've talked about it, they're sprawling around, and the debt keeps growing. When you don't have a proper implementation in place, when you don't have secrets managers in place to solve this, or detection, then the problem gets harder and harder, to the point where, when we roll out GitGuardian, we'll find thousands of secrets, and it's so overwhelming that you don't even want to look at the problem anymore, because how can a team of two people deal with 3,000 incidents and move forward? So there's another reason why it kind of gets put off: once you know the secrets are there, you have to do something about it; if you don't know they're there, you don't. And then redeploying them, revoking them, going through the process: it's not a matter of just finding a secret, you have to go through the steps of actually changing it. So that's kind of what I look at underneath the surface. But I do agree with the point that technologically it's solved; on paper it's solved, but we still can't get there.
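The moderator's closing point, that the hard part is catching every secret without drowning the team in false positives, is easier to see in a small detector. The following is an added example written for this page; it is not GitGuardian's or any panelist's code and makes no claim about how their products work. It assumes the usual two-tier design: fixed-format patterns for credentials whose shape is set by the issuer (the AWS access key ID and GitHub personal access token formats are assumed from public documentation) plus a generic keyword-assignment match, and it applies false-positive suppression for placeholders, hex digests and near-zero-entropy "tokens". The sample lines are constructed for the example; the only real-looking value is the access key ID from AWS's own documentation, which is not a live credential.

```python
import math
import re

# Constructed sample input for this example. None of these values is a real
# credential: AKIAIOSFODNN7EXAMPLE is the access key ID used in AWS's own
# documentation, and the rest are made up for illustration.
SAMPLE_LINES = [
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    'slack_token = "xoxb-placeholder-token-0000000000"',
    'db_password = "hunter2"',
    'api_key = "REPLACE_ME"',
    'GITHUB_TOKEN = "ghp_zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz"',
    'secret_hash = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"',
    'api_token = "q7Pz3vXl9Ks2Mn4BwRt8YeUc1Dj6Hg0F"',
]

# Known credential formats (assumed from public docs): a match here is strong
# evidence on its own, because the prefix and length are fixed by the issuer.
SPECIFIC_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# Generic keyword assignment: weak evidence, so it needs extra filtering.
GENERIC_PATTERN = re.compile(
    r"(?i)\w*(?:password|passwd|pwd|secret|token|api[_-]?key)\w*\s*[:=]\s*['\"]([^'\"]+)['\"]"
)

PLACEHOLDER_MARKERS = ("example", "placeholder", "replace_me", "changeme", "dummy", "xxxx")
HEX_DIGEST_LENGTHS = (32, 40, 64)  # md5, sha1, sha256 hex digests


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: about 5 for random alphanumerics, near 0 for repeats."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suppress_reason(value: str, specific: bool):
    """Return why a candidate is probably a false positive, or None to report it."""
    lowered = value.lower()
    if any(marker in lowered for marker in PLACEHOLDER_MARKERS):
        return "placeholder value"
    if len(value) in HEX_DIGEST_LENGTHS and re.fullmatch(r"[0-9a-f]+", lowered):
        return "hex digest, probably a hash rather than a credential"
    # Issuer-generated tokens are random, so a structurally valid one with almost
    # no entropy is usually a test fixture. This gate is NOT applied to generic
    # keyword matches: a weak human-chosen password like hunter2 is still a secret.
    if specific and shannon_entropy(value) < 3.0:
        return "low entropy for a machine-generated token"
    return None


def scan(lines):
    """Run both detector tiers over the lines and label each candidate report/suppressed."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        matched_specific = False
        for kind, pattern in SPECIFIC_PATTERNS.items():
            for m in pattern.finditer(line):
                matched_specific = True
                reason = suppress_reason(m.group(0), specific=True)
                findings.append({"line": lineno, "kind": kind, "value": m.group(0),
                                 "status": "suppressed" if reason else "report",
                                 "reason": reason})
        if matched_specific:
            continue  # a specific detector already explains this line
        m = GENERIC_PATTERN.search(line)
        if m:
            reason = suppress_reason(m.group(1), specific=False)
            findings.append({"line": lineno, "kind": "generic_keyword", "value": m.group(1),
                             "status": "suppressed" if reason else "report",
                             "reason": reason})
    return findings


def reported(findings):
    """Only the candidates that would reach a human and need revocation/rotation."""
    return [f for f in findings if f["status"] == "report"]


if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f"line {f['line']}: {f['status']:10} {f['kind']:18} {f['reason'] or ''}")
```

On the constructed input the scanner raises seven candidates but reports only two (the `db_password` and the random-looking `api_token`); the AWS documentation key, the Slack placeholder, `REPLACE_ME`, the all-`z` GitHub token and the SHA-256 digest are suppressed with a stated reason. The suppression rules are exactly where recall is traded away: a real password that happens to contain "dummy", or a real credential stored as a 64-character hex string, would be hidden by them, which is the precision/recall tension the moderator describes.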