Security Bsides Las Vegas 2024

Long Live Short Lived Credentials - Auto-rotating Secrets At Scale
2024-08-07, Tuscany

When was the last time you updated all your API keys and other credentials for your application and cloud environments? How long did it take you? Would you say it was "easy"?
What if I were to tell you that there are teams who rarely spend any time rotating secrets, because they have automated the entire process and none of their credentials are more than a day old? This is not sci-fi or fantasy, just good old-fashioned open source software and some scripting.
DevOps means we have to move faster than ever, and manually dealing with credentials is not just slowing us down; it is opening us up to a world of hurt if we don't react to leaks fast enough.
This session is based on best practices for manually handling secrets leaks, combined with some fairly recent advancements in secrets management, secrets detection, and remediation. While you might not be ready to implement this today, you will walk away with a clearer sense of how to approach secrets security going forward.


By now, you are very likely aware of the problem of secrets sprawl. Millions of hardcoded plaintext credentials keep showing up online in easy-to-scan places year after year. Worse yet, adversaries have gotten very good at exfiltrating and validating these secrets. Rotating a key or password only after an attack is far too late.

What if every credential that an adversary could find expired before they could exploit it? What if keys, just a few hours old, no longer worked?

Let's embrace a future of proper secrets management and auto-rotating secrets. It might seem overwhelming at first, especially if you have never tackled secrets management before, but for many systems this is easier to achieve than you might realize.

In this session, you will:
- Get an update on the state of secrets sprawl
- Diagram auto-rotation architectures
- Plan a secrets audit and code refactor strategy
- Start the email that will help you convince the team

Senior Security Developer Advocate at GitGuardian
Dwayne has been working as a Developer Advocate since 2016 and has been involved in tech communities since 2005. He loves sharing his knowledge, and he has done so by giving talks at over a hundred events worldwide. He has been fortunate enough to speak at institutions like MIT and Stanford and far-off places like Paris and Iceland. Dwayne currently lives in Chicago. Outside of tech, he loves karaoke, live music, and performing improv. On the internet, most places, as @mcdwayne.