A familiar problem

In my career, I’ve seen:

  • a 200-person scale-up scramble to rotate all its secrets because they were hardcoded in its big monorepo;
  • an industrial company assemble a task force of 3 engineers to find all hardcoded secrets across its 3 Source Code Management systems and establish an action plan to fix the situation;
  • a development shop hurriedly assign 2 senior engineers to encrypt secrets stored on GitHub with Mozilla SOPS and rework the affected CI pipelines when a client required it.

I’ve also witnessed the first company invest time and effort into installing HashiCorp Vault and making it a central part of its infrastructure after this incident.

You could say I’m acutely aware of how hard it is to manage system secrets properly at scale. So when the technical writing team at GitGuardian told me about their work on the Secrets Management Maturity Model, I was very excited to contribute.

Affecting everyone

As security leaders, our job is to help fellow engineers understand the risks affecting their systems, and guide them in building more robust solutions.

Fortunately, the risk inherent to hardcoded secret leaks is intuitive to grasp. But the roadmap to a better future is not. If the organisation does not put in the effort, remediating hardcoded secret leaks can be a Sisyphean task, and the industrial org’s task force can attest to that. Hunting down hardcoded secrets is a tough game of whack-a-mole if bad habits have deeply permeated the organisation’s systems and workflows.

Solving it

GitGuardian’s Secrets Management Maturity Model is a self-diagnostic tool that helps organisations understand their risk posture and compare it to current industry best practices. Much like the SLSA framework, moving from the lowest level to the highest one requires a tremendous effort. But achieving a great improvement in security posture (e.g. by reaching level 2) is possible at a much lower cost.

Secrets management has to be a top priority on any security leader’s radar.

The framework is freely available to download.

Read it. Use it. And tell us what you think.