Essentials of Secrets and Credentials Management with Hung Ngo
Dev Academy Podcast - A podcast by Bartosz Pietrucha
Categorie:
Web Security Dev Academy 👉 http://links.dev-academy.com/LwyH Subscribe & Get Free Tips & Tricks for Secure Coding ✅ Summary In this episode, Bartosz and Hung Ngo discuss secrets management in web software development. They highlight the importance of securely managing digital authentication credentials and the risks associated with hard-coding secrets. They explore best practices such as using environmental variables, dedicated secrets management tools like HashiCorp Vault, and rotating secrets regularly. They also discuss the challenges of sharing secrets with new team members and the benefits of using a vault to securely store and access secrets. Improper secret management can lead to major issues, as seen in the Uber breach in 2022. Attackers used social engineering and MFA flooding to gain access to the system and found hard-coded credentials for a Privilege Access Management System. This allowed them to access cloud accounts and other sensitive information. Proper secrets management is crucial in different environments, such as development, testing, and production. Startups and small teams with limited resources can still implement secure practices, and there are tools available for free or at a lower cost. Future trends include automation, education, and implementing the least privileged principle. Chapters 00:00 The Uber Breach and Social Engineering 07:25 The Importance of Secrets Management in Web Applications 09:45 The Problem of Hard-Coding Secrets 21:51 Managing Access and Rotating Secrets with a Vault 26:26 Securely Sharing Secrets with New Team Members 29:16 Recommended Tools for Secrets Management 30:42 The Impact of Improper Secret Management 33:02 The Multi-Layered Problem of Secrets Management 37:24 Secrets Management for Startups and Small Teams 41:05 Creating a Roadmap for Secrets Management 44:20 Future Trends in Secrets Management #SecureCoding #WebDev #WebSecurity #DevSecOps