DevSecOps Blueprint: from Vulnerability Management and Security-by-Design to Pipeline Integrity

Taming Secrets Sprawl with Doppler and GitGuardian

With every hardcoded secret, the software supply chain attack surface grows larger, opening more avenues for the resourceful attacker. Remember Codecov? It all started with a hardcoded secret, ultimately leading to the downstream poisoning of 20,000+ CI pipelines and the exfiltration of more secrets than attackers could ever dream of.

It’s time for us, developers and security pros, to take a hard look at our hardcoded secrets – or else, we accept living with the risks and consequences of secrets sprawl.

Video Transcript

hello everybody and welcome to our webinar taming secrets for all with get guardian and Doppler my name is Dwayne I am developer advocate here at uh get guardian and I'm today along with Ryan uh Ryan I want to go ahead and introduce yourself hello everyone my name is Ron I'm the developer advocate here at Doppler and uh in the next section uh coming up after Dwayne I'll be giving you a real quick overview on what secret Ops is what Doppler is and basically sharing like everything I've learned in the last two and a half years working at Doppler so uh you can manage Secrets uh in the most easiest way possible so um yeah you'll hear from me a little bit later alrighty and unfortunately we're having a little bit of problem with the LinkedIn um I tested it out and everything so give me just one second to try to fix that and we will cancel and start oh no it wouldn't be well if you are watching it on um it threw an error it literally threw an errors and it didn't fail to connect um all right well we're just gonna keep going and if unfortunately if you were trying to watch this on LinkedIn um we will send the email out to you and apologies there um let's just move on um so what we're gonna get through today is uh we'll talk about the problem of hard-coded Secrets look at a few examples how we think those situations happen uh and then talk about a maturity model of how you can map where you are as a developer and as an organization on both the secret management and the secret detection side of things so we'll hopefully you get enough time for your questions at the end um please ask those questions or use the chat backs over on the side I'll just quick a little bit of housekeeping as we get going as well uh as we're presenting various components our faces are going to shrink down go somewhere else on the screen don't be alarmed by that that's totally intended um also we'll be sharing some links throughout so don't feel you need to copy down every slide we will be sharing 
where all these images came from and if you have questions about that ask us the end and we will get you those resources we also have some resources laid out at the end so without any further Ado let's dive straight into the problem um problem of hard-coded secrets so when we say hard-coded Secrets what we really mean are hard-coded credentials these are the ways we encrypt and unencrypt our data and provide access to sensitive systems out there so we've written a few examples on this screen but if you're watching this um who have seen uh hard-coded out there like Ryan is there any jump to mind that you've seen very commonly over a Doppler uh if I had to guess I would say I don't know Secrets uh it should be unmuted now you're good now yeah yeah if I had to guess I'd probably say AWS Secrets because they're used in applications they're used in infrastructure um so yeah I'd say that it'd have to be in their top three excellent um yeah it's it's definitely a growing problem and the problem is that that you've hard-coded a secret the problem is that those get shared then the most common place we see code getting shared in the world is out on GitHub and unfortunately we're seeing a lot of people accidentally share secrets out there so get Guardian every year puts out the state of secret sprawl report last year we saw over 6 million Secrets hanging out in public GitHub repositories doesn't increase year over year over 2x increase the number that really bothers me about all of this in the bigger area of concern is that we're seeing on average three out of every thousand commits and contain a secret and that's a 50 increase over the previous year uh this is this is not a good state of things um if it was just GitHub this would be bad enough but the problem is it's not just hard-coded secrets in that code base we're shipping to GitHub Docker images are also very susceptible to this Docker is awesome in a lot of ways it helps us build really scalable applications and do 
some really cool stuff in devops uh I ideally you get sort of the problem but worked on my machine um it does help people share those setups to get going really quickly with certain specific Stacks over almost nine million so over 8.8 million but closer to 9 million right now Docker images are publicly available out there on Docker hub We examined the about 10 000 randomly selected ones uh here at get guardian and saw that uh about four point six two percent contained at least one secret but the amount of Secrets we found was astounding if someone's leaking a secret they're not just seeking one secret they're leaking a lot of secrets on average across the board we're seeing six Secrets per hundred layers of Docker uh images so for those of you who might not be familiar with Docker images a layer is basically the unit of of work the unit of of the how you measure how complex a Docker image is uh it's kind of like a commit so excuse me if you're a Docker expert out there and don't like that definition feel free to put your own definition of players out there in the comments um but anyway the point is there's a lot of secrets that are being leaked out there and it's not a good situation and we're talking about public things but private repositories and those private images that we're not planning on sharing there's a bit of a false sense of safety we get with that um you made a good analogy uh one of our discussions right um like if you have passwords laying around your house you're probably not going to leave your banking password even though it's your house even though it's privately where you live you're still not going to expose that level of secret there but that's something we're seeing a lot of companies do time and time again uh on average we're seeing a company of about 400 developers will have over a thousand unique secrets in their code bases when we're working with them if we think about how organizations are structured that's almost three and a half 
thousand Secrets per appsec engineer because well you're in your best companies it's about a hundred developers to every security engineer so the teams that are supposed to be taking care of this are just overwhelmed so we really do need a way to shift left and get everyone on board everyone on that same team but what does this look like in the wild it's interesting to talk about these high profile cases but let's just very quickly touch on three of them um code Cove which is a big incident that happened in 2021 they left a secret in a Docker image a bad actor found it injected their own code into the docker image that a Docker image that got distributed that line of code that got injected stole of environment variables with those Secrets there and shipped them off to an attacker affecting over 200 I'm sorry 20 000 clients that's a lot of people affected by one secret leak twitch miscarried one server and one instance that led a bad actor in that was able then from that attack vector get to over 6 000 repositories along the way they discovered over 6 000 problems 6 600 secrets that let them get into all manner of devices and systems so really an honing of twitch based on them not managing Secrets correctly Uber uh this happened just recently it was a single attacker fished super admin privileges which was bad enough but once they got into the system using those fished credentials they found Powershell scripts that contained more Secrets more credentials to get them into more systems they even announced this in the internal slack that hey we have done this and we don't think it's all malicious we think that there are Bad actors acting badly out there and with malicious intent but how the secret you're ending up in the code is really a combination of a lot of factors but it all really boils down to humans or humans we make mistakes we will sometimes try to test a credential and then accidentally uh leave that thing we were trying to test in the code and make a commit 
with it and then it gets pushed we sometimes make public things or private things public that's very easy to do with multiple remotes I know I've done that a number of times pushed the wrong file to the wrong wrong place we don't really think about our logs is a security issue but if someone can access your logs and those logs are returning plain text secrets well that's just as bad as leaving them in your code base in the first place um actually in committing ENB files or pen files something we all do but the bigger issue is if you just copy over a folder then you copy all of the files in there and it ignores get ignore so if you've moved a folder into a Dropbox that has a repo in it you have moved all of those ignored files with it and again pushing the wrong place we all do that occasionally complexity of git makes this problem even worse as get it keeps complete record all the time of where every single uh but every single file that was committed along every commit is there for all of history so this all adds up to a pretty complex situation we're in and it really calls for a new way of thinking about how to handle our secrets uh we think that that can be summed up with air maturity model for Secrets management so what we've done in this report and we will share this with you as well as the state of secret sprawl here in the comments as we go through today so uh be on the lookout for those a little bit later but we've looked at the main four areas we've kind of broken down the software development life cycle into these four general areas for today's purposes we're really only going to talk about the first two because we can stop Secrets there then they don't get a blast too and that's really what we're focused on here in the first place is not getting those secrets in there and detecting them early so we can stop them at the source we see that organizations fall within a spectrum sort of like this uh level Zero from beginner all the way to level four being 
expert so we're going to dive straight away into it make the best use of our time on this webinar see we're doing about right on time right um and just start talking about what does this look like at every level so from the secrets management and the secrets detection are both part of this larger equation of secret management maturity model so it's not just about managing it's also about detection and Remediation that's what we're breaking down across these slides at various levels so from senior detection level it's pretty easy to tell if you're at level zero because you don't have a plan there is nothing in place if you ask anyone on the teams what do you do about preventing secrets and how do you detect if you have leaked Secret you get a lot of shrugs you get a lot of I don't know um so it's pretty easy to tell if you have no secret detection in place but secret management that there might be some other Clues there Ryan I haven't let you do almost any talking on this webinar I apologize about that but uh I'll invite you in right now I want to talk to us a little bit about Secrets management at the uninitiated level yeah so uh I think this is where you know a lot of folks are um managing Secrets let's say like using EnV files uh it's painful and a lot of the case in a lot of cases you know teams are managing Secrets just very manually and so they're not really aware that it's a painful problem and they're also not aware that you know in this Modern Age they're a great tools like your guardian Doppler they can really just make this problem go away so I think this is the the the level where there's like the most opportunity and the one thing I'd say is that moving from like this level to the next level um is relatively easy as well um so yeah when we get into my section I'll talk a little bit about how to do that but um yeah and and look the other thing I want to say too like everyone has been here uh I've had secrets you know in repositories you know back in the 
day I know how to do things better now obviously but um yeah this is a great place to start and a great place to start making things better right on so let's move on to level one then so and that's a great point we're not here to point fingers at anyone and say hey you should feel bad about being where you are but it's good to have a map of knowing where you can go I want to start this one off just talking to the secret management side yeah so this is this is where folks are like all right we know that storing secrets in plain text files is a bad idea so we're going to look into making sure they're always encrypted at rest uh but we're looking at like what are the available options so maybe a Secrets manager uh seems a little bit full-on at the moment but at least teams are starting to talk about let's make sure that we don't have any secrets just lying around and let's start doing some investigations in terms of what secret managers are out there and what might be you know a good fit for our team for your team and different or maybe even your organization as a whole oh yeah so sorry about that um on the secret detection side of this uh well from the developer perspective it looks pretty much identical that we uh as developers don't have a plan we have nothing in place to help us not commit those secrets from a operations perspective from um security operator perspective uh devsec perspective I should say um there is something in place there is something that manually runs from time to time um scans are periodically performed maybe their manual checks maybe they're built into uh part of code reviews for major Milestones but there's something there so when you ask hey what what's the plan for finding them you get something back it's probably inconsistent but they're at least have that conversation somewhere remediation on the other hand which is another big part of the secret detection because it's not useful just to detect something and not act on it so how do you 
remediate it that is well again very piecemeal uh in these kind of organizations where they know generally what to do but every single incident is treated as a unique event that maybe they've gone through it before and they have a little tribal knowledge but there's no systematic way that they've captured that data and haven't used it in a Progressive Way but that's good that you're having those conversations because that's how you get to level two is to start talking out loud and saying well how do we use our tribal knowledge part of that tribal knowledge is in the heads of the developer so starting really from the remediation and from the devsec team um they are going back and communicating with developers at times for things that are not quite obvious they will have those conversations but it's not a common practice to involve them at every stage at every single time they're trying to remediate something on the scanning side of it we've gone from occasionally we do something or run a manual scan to we put Automation in place and now we are continually scanning at least on every pull request that's a great point to say am I going to merge this toward my production code uh if it is going to run in in my runtime environment I should probably check it there that's a great step if you're doing that as an organization good for you you are well on your way toward maturity from a developer perspective though um there is some kind of scan you can do but just like the level one on the devsec side uh for the source control side um it's done periodically when you're about to make a big commit when you've done a lot of work when you have a major Milestone to hit uh when you think about doing it when you have a checklist item to check off but is it consistent not really it's not been automated yet from the uh secret management side though Ryan um how does this differ from level one yeah so I think you can see here that uh in in level two we've now got secrets in in a Secrets 
manager and the last point there developer environments are correctly scoped this is when we're starting to think about access control so developers obviously need access to the secrets in their development environment but when it comes to things like uh you know production it's better that that is handled obviously by security and and devsecops folks so we're not just thinking about the Secure Storage and access of Secrets but we're starting to think about just like the broader security uh you know principles as well and as you can see from Source control either the secrets um you know are in in Source control at all or if you're using some sort of like encrypted management you've got workflows to you know say encryptos in your development environment um and then they addict get decrypted at runtime so in any case things are starting to look really good now um because we don't have plain text Secrets uh so yeah if you get to this level you're doing well all right so I want to just keep that momentum roll and talk about people as they're jumping to level three yeah so level three is uh particularly uh important for anyone that needs to meet regulatory requirements so around like Secrets rotation whether that be for database credentials or things like you know AWS IAM credentials um and what's really good about this is that if you can move to a model where you've just got secrets in your secrets manager and you're injecting them at runtime it means that you don't need to have secrets in your source code at all um so this is where things are starting to get more automated as well so yeah this is this is for teams uh when you need to scale Secrets management and you want to do that consistently level three in advance is where you're going to see some huge benefits in terms of just like automating things and saving time automation is the name of the game because that is really what we should be doing in devops in general that's how you can tell maturity and devops but 
especially in devsecops uh automation from the developer end means that those checks that were running periodically we've hooked those into something like git hooks to run every single time we make a commit and it's every time not just when we think about it not taking out taking away the human error Factor uh at this point we start blurring those lines of in a good way because we're shifting left uh the lines between the devsec team and the developer because Source control and developer environments here start overlapping quite a bit that there is mandatory remediate uh mandatory involvement by developers throughout the remediation process we are systematically getting that travel knowledge out of people's heads and we're putting in place processes and systems to uh make sure that if we do have an incident it's not an isolated incident anymore it is travel knowledge we know how to not travel knowledge but it's systematic knowledge we know how to fix that and we can Autumn start thinking about automation of that remediation we're not maybe quite there yet but we can start getting to that level of sophistication at this level we're also continually scanning not just at Major uh specific points like handoffs of pull requests but at every juncture along the software development life cycle we are running some kind of scanning to look at not just the code that heads toward production but all code living anywhere on any system would be a test environment Dev environment or production so automation really is the name of the game on this and the people that we're seeing do it absolutely the best what we call our experts that's where they really shine is that they have taken remediation not just from uh a point of we collected the knowledge and now we know how to systematically repeat this but they've gone so far as to automate all the parts that are automatable of course human being probably is going to be involved at some point along the way but if Keys need rotated it's 
no longer like how do we do that or these let's open up a terminal and follow along the dotted lines it's automate all of the processes and then starting to cross over with what you're talking about Ryan with the Sears management there but before we talk about remediation and uh automation steps together uh from a developer's perspective our experts aren't just automating the development uh testing for Secrets detection they're doing it consistently across the board it's part of their onboarding process it's just part of the way that repos are set up and the way the tooling is handled across the organization and this is very true of all of devops but if all the developers using the same tools in the same way consistently you're going to get a very consistent process and everyone's going to be happy so like I say this starts really crossing over with Secrets management I think at this point Ryan but that's I think a good thing because we've shifted this concern left for all things so Developers are starting to like really meld here with the security organization yeah totally I think um what's really awesome when you get to this point is that managing secrets you know using a central source of Truth is seems as obvious as you know having GitHub or some co-host where everyone is like pushing code updates um we've got things like Dynamic Secrets the best secret is the one that you never have to create so when for instance secrets are dynamically allocated during CI CD and they expire in five minutes they're the sort of like Advanced workflows that Folks at this level um are starting to get to and then uh you know Dwayne that top point about uh access controls and logging uh imagine and you know director of engineering say hey how are we managing secrets for all of our applications having a central source of Truth means that you can see like a Secret's audit log for every application who change Secrets what where secrets are being synced so in at this level not only are 
you doing things the right way but you actually have like a data driven approach to making sure that secrets are managed like in the correct way for all of your applications so uh yeah this is absolutely where you want to get to and trust me it's not necessarily as hard as you think well said but again we don't want to put not to repeat ourselves too much but we don't want to point at anyone and say hey you should feel bad about where you are on this this map but we do want to think about it as a map that identify where you're at now and know where you can go along your journey also know that this isn't a Destination type thing while we're saying what we see experts do we also know that security doesn't have a single Magic Bullet it has best practices and there's awesome tools you can use to get you there but it really is about the combination of people using the right tools in the right way setting the right processes in place following those and making that virtuous cycle of of security so I said it earlier and I'll say it again secret space management and secretive detection are really two parts of the larger equation of being a mature Organization for Secrets management Doppler Is Awesome on the secret management side get Guardian awesome on the series section side so with the rest of this webinar will look like is we're going to go through very quickly uh high-level overview of our uh different platforms and give a quick demo of each at that point um we'll open it up for Q a at the end and if you have questions throughout feel free to throw them over into the chat or in the the questions you're on crowdcast and we will get to them as quick as we can so with that Ryan I'm going to push you to the top of the screen make you small like I said I would earlier uh are your image smaller I should say here same size um and I'm going to talk just again very briefly at a high level about how we are helping people build effective detection and Remediation programs with 
get Guardian so to have a successful end-to-end program around secret detection remediation it's not just about monitoring it's not just about the remediation we see it in these five pieces it's about it is about monitoring in part monitoring everywhere throughout the software development life cycle uh monitoring not just when the code is originally pushed not just when it gets to production but every step along the way and detecting for the right kind of Secrets there are a lot of types of Secrets out there are you making sure that you are accounting for all of the common ones um getting the right alerts in place the detection is awesome but if no one gets an alert did that detection actually happen well that's what our platform is awesome at is giving the alerts to the right people in a timely manner remediation this is something we are helping teams understand and systematize and move up that maturity model instead of just hey we've got an incident we've got to figure out what to do about it we'll help you build playbooks we have playbooks ready to go that will point you in the right direction on how to remediate those incidents and from an operations perspective you really do need to know what is going on across your organization how have these incidents impacted you historically and that's what our analytics can help you do and start identifying the problem areas and areas for improvement so to break that down a little bit further you need to monitor across all of your systems unify that monitoring across everywhere you're storing code if you have your common uh your average organization isn't just using GitHub they're probably using other tools as well like bitbucket or Azure and not just the Version Control there but also things like Azure devops and um uh various container systems throughout along the way that's why it's easy to integrate git Guardian at every stage of the process no matter where you are with that code are you pushing it to the server in 
the first place is that even making that commit in the first place we can help people we'll show that in the demo in a second help you stop those commits from getting even committed uh those changes from being committed in those Secrets making it to the the code in the first place um when you push it into your CI environment well that's another great place to check and make sure that hey should we even receive this change or should we stop it all the way along the way all the way through and including deployment so that's what we mean by monitoring detection we are looking for over 350 different kinds of Secrets and we give you the ability to add your own patterns so if there's a we've set up your own API and you have your own way of securing that we can help you with that as well remediation again the best teams out there are blurring that line of well what is who's really on the dedicated SEC team who's really on the dev team because they're all working together to make sure security happens as one big just Total Team that's what our playbooks and system really strive to help people do to involve the developers throughout the remediation process to get their feedback early quickly and making sure that they are able to participate in not just resolving the incident but building that knowledge base out with the whole team so with that I'm gonna actually pre-recorded this because there's a lot of bells and whistles going on behind the scenes for one of these webinars and so I'm just going to play real quick and I'll be back to talk to you here in a second hello everyone welcome to this quick walkthrough of the cake Guardian internal monitoring dashboard we will start here from the perimeter section uh here we can see the list of repositories that we are currently monitoring and scanning for Secrets uh the first thing you would do is integrate the VCS of your choice once that's done you would scan the full history of these repositories to understand which are the 
secrets that have already been committed and we also monitor in real time to alert to if any secrets are making it to these repos new commits um if I click on this repository here this will take me to the incidents that have already been found so click here takes me to the incidents section and you can see that in this repository we found a lot of different AWS keys I'll highlight the fact that I said different keys because if I click on this first one here you'll see that we have found this key for time so this unique credential as in fact four times in different locations these four are called occurrences one incident that involves again one unique key so you can see here that we can cycle through the occurrences so this really makes the information a lot more a lot more digestible for the for the team and we can see here that for each we'll show you the the patch the viewable context show you the severity and as well as in some for some Secrets like AWS Keys we can automatically detect it's still valid or not super helpful for for the security team we can also tell you if it's still present in your history we have some useful tags here and a very important feature that we have is the ability to vary information from the developers who are involved in this uh this who are using the secret so you can see here that I can create a link that will allow the developer to share feedback show you what that's what this looks like if a developer clicks on this link uh they'll be able to see much of this information and they'll be able to submit uh their feedback about this because they know best uh what this secret gives access to who else uses it and this information is really key uh in the in the remediation process if I go back here you can see the feedback section where this information will appear and then the security team can take action with all the information they need finally we also provide some uh radiation guidelines here just for a good reference next we can 
take a look at the integration projection so here you can see that we don't only support PCS Integrations but also we can scan in a few other locations uh as also important is alerting we integrate with a lot of different services to make sure the alerting gets to the right place you also have apis that let you pull information from the dashboard and perform all the actions that you need to do the API so at this point I'll hand it over to Dwayne who will talk more about GG shield and pre-commit hooks but we think what else that we can do with speed Guardian thanks Ramsey so from a development perspective ideally you would want a tool that will help you not hard code your secrets or at least not commit those hard-coded secrets in the first place that's exactly what we've built with GP Shield this is an open source command line application that will look for over 350 types of Secrets anywhere you want to you about the software development lifecycle once you've installed it with your favorite package manager you would authenticate against the big Guardian platform using a personal authentication token uh here we've sent just to scan but you can actually widen that scope if you want to build your own dashboards or integrate our API into your other workflows but for today we're going to focus just on the scanning because that is the main use of GD field to scan for secrets as across the entire repository inside of specific paths inside of your continuous and grease environment uh or places like Docker files or Pi Pi packages or archives of your entire repo also included recently uh infrastructure as code scanning which will scan for the 70 plus most common vulnerabilities and infrastructure code setups as well as for hard-coded Secrets there let's go ahead and dive in what this all looks like from the command line here I am inside of vs code this is my personal favorite setup but this will work anywhere you have access to a terminal I'm working inside of a sample 
Secrets Library. This repository is available open source on the GitGuardian GitHub page, and it's full of hard-coded secret examples to let you test your favorite tools, such as ggshield. Now, I've already installed ggshield locally, so we won't be walking through that setup, but it's all there. Now, you notice in this bucket_s3 Python file I have something that kind of looks like a credential. So I could, as a developer, say ggshield secret scan and look through the entire repo; instead, I want to give it a specific path, and that path is going to be to that specific file, which is bucket_s3.py. Sure enough, this found a secret. Now, as a developer, I can make some decisions. Since this is not a valid AWS key, and it's actually told me that as well, and I know this is a test, I could ignore it using ggshield ignore moving forward, but I'm not going to do that right now. Instead, I want to make sure that I automatically look for these secrets every time I go to make a commit. So let's make a quick change here to the secrets, and I'll do a git add. If I do a git status, you see that I have the bucket_s3 Python file ready to be committed. If I committed right this second, it would go ahead and commit, because I don't have a git hook set up to automatically check for anything. This is another advantage of ggshield. To set up a git hook, I can simply do ggshield install, tell it what mode I want to install in, in this case local, so I'll install it in my local hooks folder, and then I'm going to tell it what type of hook. GitGuardian has caught: hey, I have an AWS key, client ID and client secret in here, and it has stopped me from making that commit. So if I do a git status again, that file has not been committed; these secrets have not made their way into my repository, and all is good. That is the power of ggshield: I can manually look for secrets throughout my code, as well as automate the process to stop me from making those commits in the first place. And that was a quick demo
of ggshield and the GitGuardian platform. So I know we are running tight on time, so hopefully everybody has cleared the whole hour for this. I know we said 45 minutes, but it looks like we're going to go a little bit over that today, so hopefully you can all stick around for our exciting conclusion. But Ryan, I've already cut into your time a little too much here, I think, but I'll turn it over to you.

All righty. Okay, Dwayne, can you see the slides there?

Yep, I see them just fine.

Awesome. All right, guys, so yeah, I'll keep this short and sweet. So I'm Ryan from Doppler, and we are a SecretOps platform. Now, Doppler's mission is that we want to secure the world's most valuable infrastructure with a platform that developers love, and the last bit, the platform that developers love, is really the most important part, because developers aren't going to use a security tool unless it's one that they enjoy using. So you're probably wondering, well, what is SecretOps? In preparing for this webinar I tried to think of, you know, a nice little neat single sentence, but it's really hard to come up with that. So, being an Aussie, I thought I'd come up with a very straightforward version, which is: managing secrets doesn't have to suck. Like, the way that we've been doing it is very manual, it's very painful; we don't have to do it that way anymore. And what you can see on the right here is a screenshot of Doppler's UI. So, just to point a few things out: you organize your secrets via projects, which map to applications, that makes sense; every project has different environments, that makes sense; and then you get this really nice, full-featured UI. So, painful the way it was: painful, manual, costly mistakes. It doesn't have to be like that anymore. All right, so what do we know about secrets management? Well, we're managing over 1.2 million secrets, and our customers are fetching about 6.3 billion secrets per month, so it's not just us that's excited about SecretOps.
It's really awesome when I work with a customer on their solutions and I see them going from manual and painful ways of managing secrets to just automating all of that pain away. So essentially the sense of urgency here is that secrets are growing. Dwayne established that in some of his stats. But if organizations aren't making things more efficient in the way they manage secrets, then it means that they're going to spend more and more time. So the way that you get this under control, that you tame secrets sprawl, is that you have to automate, because if you don't automate, for every secret you add you're spending more time. So really, if we compare what DevOps gave us, and we're going to draw a parallel between that and SecretOps: essentially, before DevOps, everything was manual. Humans were making mistakes, because while we're very clever, we're not good at doing repetitious things, and let's face it, that's why computers were invented anyway. So after DevOps, infrastructure automation solves so many problems, humans made fewer mistakes, and life was better. So really, the key is automating as much as possible, because not only does that make things more efficient, it also means that humans are making fewer errors. All right, so before SecretOps, you've got secrets sprawled everywhere and every team is sort of managing things for themselves. So this is what a lot of customers have when we see them: they've got secrets in a bunch of different places, in .env files, different clouds, and to a certain extent you can't really do much about that, because every platform has its own storage for secrets or environment variables. So it's not necessarily a case of making everyone integrate with a single secrets manager, but the most important thing is that you centralize where you're managing them. Then you have integrations that sync them wherever they need to go, because if developers get to use the
built-in secrets management features of their platform, it means that you're reducing developer friction, but you're still keeping Doppler, or a SecretOps platform, as that central source of truth. So that is the way that you make life so much easier. And even though Doppler is a security tool, a way to think about it really is as a productivity and cost-saving tool as well, because the more you can get rid of manual processes, the faster everything goes. And not just that, but developers want to spend time writing code; they don't want to spend time managing secrets. No one does. So that's why with SecretOps you get essentially a bunch of playbooks, so you know how to manage secrets really effectively, and it just means that you take all of the things about DevOps and automation that have changed the game and you just apply that to how you manage secrets. So really, the way to think about this is that any time you're managing something like a secret and you're like, man, this seems manual, this is painful, is there a better way? The answer is yes, there is a better way. Now, I've got a demo here, and I'm going to blast through it because I think we've got about three minutes, and you've got a link to this presentation anyway. So what I want to really quickly show here is that when you start using Doppler, it doesn't take you days to get everything working. This is a five-and-a-half-minute demo, and it starts with creating a project. Then you're going to import your secrets from your development environment, and let's say you're using .env files; with Doppler you just put them straight in, we can import your secrets. And then once those are saved, now you're ready to start getting those secrets out of Doppler. So for every single application that you have, all of your secrets go into Doppler. The next step, when you're setting up your development environment, is that you need to install our CLI, and the CLI is how we're
going to fetch secrets from Doppler and then inject them into our application, which you're going to see in a minute. The first step is that you need to authorize your machine, and that is so in your development environment the Doppler CLI is going to be able to access any project and any config that you can in the dashboard. So here what we can see is that if we started our application using, you know, a .env file, well, with Doppler you do not need another .env file for the rest of your life, because we can delete that. And what we're going to do, instead of running npm start, now we're actually going to use Doppler to run that command. So here you can see we're selecting the project and the config. Now, if we try and run our application, what this is doing is grabbing the latest version of the secrets and injecting them as environment variables, and then we can enjoy some random Mandalorian GIFs. This sample app is available on our GitHub, by the way. So really, I think I want to leave some time for questions. That just gives you a taste of how easy life can be when you're using Doppler. So just think: what is SecretOps? It means that secrets management doesn't have to suck anymore. All right, let me go to this. Okay, the other thing that SecretOps gives you is just consistency. When someone says, hey, how do we manage secrets? The answer is SecretOps. And then once the answer is SecretOps, you've got a way to have a consistent conversation with the rest of your team. All right, so that's about all we've got time for today, but I hope that it's made you a little bit curious about SecretOps and managing secrets in a much more efficient way that's less painful, less manual, so you can enjoy doing the parts of your job that you like.

Thanks very much, Ryan. Sorry about the, for those of you watching, the weird change around the screen at the very end there, but hopefully it wasn't too distracting. And I'm sorry we didn't get more time to see
Doppler in action there, Ryan. I was really looking forward to that. I think we could have, definitely, something I think everybody on the call will want to see, follow up with. So, having said that, let me share my screen again. Thanks Andrew, appreciate that vote of confidence there. So yeah, we do want to leave time for a few questions; we're able to hang out for a little bit longer, so if you have questions, please shoot them over in the chat box and we will get to them. But wrapping things up, I mentioned this earlier, but getting to a mature organization isn't just about technology. It's not just about the tools you put in place; it really comes down to people using processes in a reliable way, and tools can help you do that in an automated fashion. So when the system's working very well, it's people using tools within well-established, known processes to reach their goals. I think you can say that generally about DevOps as well, but this is exceptionally true when we're talking about secrets management. In the bigger picture of things, secrets management isn't just about hiding your secrets; it's also about detecting when those secrets do get leaked and remediating them. So we're looking at two sides of the same equation here, or two parts of the same equation, to get to that state: part of it being Doppler and part of it being GitGuardian. So just to wrap things up, you can learn more about GitGuardian over at our website, and we will be happy to share these slides with you if you're attending or watching, as part of the follow-up, and Doppler has made some of the resources available as well. But Ryan, I am curious: if I wanted to start up with Doppler right now, what would be the best way for me to go about that?

Yeah, so it's really easy. Essentially, you can sign up for free, you can add four others of your teammates in so you can start collaborating, and really, it's in that demo, that is essentially how you get started. You sign up for
Doppler, you create a project so you can have the secrets for your application, you install the CLI locally, authenticate it, and then instead of using .env files you just use doppler run to inject the secrets into your application. Then when it comes to deploying your application and getting secrets into production, that is when you use our integrations. So the integrations are how you sync from Doppler to Kubernetes, AWS, Vercel, Cloudflare, wherever it needs to be, so that way you never have to manually manage the secrets in any of those platforms again, because you've got Doppler's beautiful interface to do that for you. So as you saw in the demo, it doesn't take, you know, days; you can literally get going in five minutes, and because Doppler's UI is just so nice and easy to use, whether you're a dev, a security person or a DevOps engineer, it just makes sense and you can get up and running really quickly.

Excellent. So with that, I'm looking for questions out there, but I'm not seeing any questions pop up, so if you have questions, please feel free to write them in there and we will get back to you. Also feel free to reach out to us: reply to the email that you registered with, and those questions will get logged and we will get back to you offline as well. And yeah, feel free to hit us up on our social media as well. I know some people had registered through LinkedIn, so feel free to comment on the event over there. Even though we didn't get to broadcast it, we will be reaching out to everyone that we have the email for, so we're reaching out with a follow-up to the recording and to the additional materials. So thank you very, very much for tuning in, and we look forward to seeing you on the next one. So stay safe out there. Thanks guys, see you later.