All your secrets are belong to us
Presented by: Callum Whyte
Admit it: we've all checked in an API key or password to a repo at some point... Oops... No one wants their secrets to accidentally leak, so this session is your essential refresher on secret management (and mismanagement!) for your applications and beyond!
Let's explore the range of methods and benefits of securely handling secrets for local development: from features baked into your IDE (Visual Studio, Rider), to secret management services (Azure KeyVault, AWS / GCP Secret Manager), and even loading them from your password manager of choice (i.e. 1Password). We'll progress to look at accessing secrets as part of a CI/CD pipeline, or loading them into infrastructure at runtime, to eliminate hard-coded secrets from every aspect of our projects.
What about when things inevitably go slightly wrong...?
We will follow the stories of a few real world breaches: what went wrong, how we responded, the lessons we learnt, and how that feeds back into our processes.
I will discuss the processes we have implemented with our clients to manage secrets on a large scale – including following a least trust approach, methods for revoking and cycling credentials, and appropriately mapping our dependencies so we can measure the impact of a change.
Finally, we will look at the ways automation can help, including configuring automatic secret detection tools (GitHub and Azure DevOps) and CodeQL checks in our pipelines.