Published 25 November 2024

By Siebe Barée

5 common mistakes in secrets management (and how to avoid them)

Security breaches often start with mismanaged secrets. Learn how to identify and fix the five critical mistakes that could leave your applications vulnerable to attacks.


You wouldn't write your bank password on a sticky note and post it on Twitter. Yet, developers do the equivalent every day with API keys and database credentials. Let's explore why this happens and how to stop these five common secrets management blunders.

1. Hardcoding secrets

According to GitGuardian, 47% of organizations identified hard-coded secrets as key risk points in their software supply chain. This widespread practice includes embedding credentials directly in code, committing .env files to repositories, or storing secrets in plain text files on servers.

To properly handle secrets, use environment variables and secret management services instead of hardcoding. For local development, use .env files but ensure they're listed in .gitignore. Here's a proper setup:

.gitignore

    .env
    .env.*
    !.env.example

.env.example

    DATABASE_URL=postgresql://user:password@localhost:5432/mydb
    API_KEY=your_api_key_here
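
One way to consume these variables at startup, as an added example (not code from the original post or from Enkryptify): the application treats .env.example as the list of required names and refuses to start when a value is missing or is still the template placeholder. The names `load_secrets` and `SecretConfigError` are hypothetical.

```python
import os

# The page's .env.example, embedded so the example runs offline.
ENV_EXAMPLE = """\
DATABASE_URL=postgresql://user:password@localhost:5432/mydb
API_KEY=your_api_key_here
"""

class SecretConfigError(RuntimeError):
    """Raised at startup when required secrets are missing or placeholders."""

def parse_env_example(text):
    """Return {NAME: placeholder} from KEY=VALUE lines, skipping comments."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        entries[name.strip()] = value.strip()
    return entries

def load_secrets(environ, example_text=ENV_EXAMPLE):
    """Read every name listed in .env.example from the environment, failing closed."""
    problems, secrets = [], {}
    for name, placeholder in parse_env_example(example_text).items():
        value = environ.get(name, "")
        if not value:
            problems.append(f"{name}: not set")
        elif value == placeholder:
            problems.append(f"{name}: still the .env.example placeholder")
        else:
            secrets[name] = value
    if problems:
        # Report names only; secret values never reach logs or error messages.
        raise SecretConfigError("; ".join(problems))
    return secrets

if __name__ == "__main__":
    try:
        config = load_secrets(os.environ)
        print("loaded:", sorted(config))
    except SecretConfigError as err:
        raise SystemExit(f"refusing to start: {err}")
```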

This works well for a local development environment with a single developer. Sharing these files with other developers or maintaining multiple environments (e.g. development, testing, production) becomes more complex. You can use cloud-native secrets management services like AWS Secrets Manager or Azure Key Vault, but these services are limited to production environments, and you are limited to the services they support (also known as vendor lock-in).

Enkryptify offers a solution for all environments, including local development, without vendor lock-in. With our centralized platform, you can manage secrets for all your environments and services from a single place. No need for .env files, .gitignore, or other workarounds. For local development, you can use the Enkryptify CLI to inject secrets into your application, without writing them to disk. Enkryptify also integrates with your CI/CD pipeline to automatically inject secrets into your production environment, securely and without exposing your secrets to the world. To learn more, visit enkryptify.com.

2. Sharing credentials via insecure channels

The statistics are concerning: 59% of IT/DevOps workers share secrets via email or other chat applications, while 48% of companies use shared documents or spreadsheets for secrets management. These practices expose sensitive information to unnecessary risks. There are so many ways to accidentally expose your secrets to the wrong people using these methods.

Instead, implement a secure secrets distribution system:

  1. Use a dedicated secrets management platform that provides secure sharing capabilities with audit trails.
  2. Enable end-to-end encryption for any secret sharing.
  3. Create a clear policy prohibiting the sharing of secrets through communication channels like email, chat, or documents.

When temporary sharing is necessary, use Enkryptify Share. It allows you to share secrets with a single click, with a time and view limit, fully end-to-end encrypted.

3. Reusing secrets across environments

Despite the well-known risks of secret reuse, many organizations fall into this dangerous pattern. Studies show that 54% of team leads and managers use identical secrets across production, testing, and staging environments. Even more concerning, 65% reuse secrets between different projects. This widespread practice not only violates security best practices but also significantly increases the potential impact of any breach.

Here's how to properly manage secrets across environments:

  1. Create unique secrets for each environment (development, staging, production). Using the same database credentials or API keys across environments means a breach in development could compromise your production system.
  2. Use separate credentials for each application. When multiple applications share the same secrets, it becomes impossible to track which application is responsible for specific actions or security issues.
  3. Implement environment-specific security controls. Production environments typically need stricter security measures than development ones, such as requiring multi-factor authentication or stricter access policies.
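
A reuse audit for the first two rules above, as an added example rather than code from the post or from Enkryptify: each environment exports only keyed fingerprints of its secrets, and the auditor flags any value that appears in more than one environment or project. The project names, secret values and audit key are constructed, and the function names are hypothetical.

```python
import hashlib
import hmac
from collections import defaultdict

def export_fingerprints(audit_key, project, env, secrets):
    """Run where the secrets live; only HMAC fingerprints leave the environment."""
    return [(project, env, name,
             hmac.new(audit_key, value.encode(), hashlib.sha256).hexdigest())
            for name, value in secrets.items()]

def find_reuse(records):
    """Group fingerprints and report values shared across environments or projects."""
    by_fp = defaultdict(set)
    for project, env, name, fp in records:
        by_fp[fp].add((project, env, name))
    findings = []
    for locations in by_fp.values():
        if len({(p, e) for p, e, _ in locations}) < 2:
            continue  # value is used in one place only
        projects = {p for p, _, _ in locations}
        kind = "cross-project" if len(projects) > 1 else "cross-environment"
        findings.append((kind, sorted(locations)))
    return sorted(findings)

# Constructed inventory: none of these values are real credentials.
AUDIT_KEY = b"constructed-audit-key"
SAMPLE = {
    ("shop", "development"): {"DATABASE_URL": "postgresql://shop:dev-pw-1@localhost:5432/shop"},
    ("shop", "staging"): {"DATABASE_URL": "postgresql://shop:Pw-shared@db.internal:5432/shop"},
    ("shop", "production"): {"DATABASE_URL": "postgresql://shop:Pw-shared@db.internal:5432/shop",
                             "API_KEY": "key-A-constructed"},
    ("billing", "production"): {"PAYMENTS_KEY": "key-A-constructed"},
}

def audit_sample():
    records = []
    for (project, env), secrets in SAMPLE.items():
        records += export_fingerprints(AUDIT_KEY, project, env, secrets)
    return find_reuse(records)

if __name__ == "__main__":
    for kind, locations in audit_sample():
        print(kind, locations)
```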

With Enkryptify, support for multiple environments is built in. By default, projects start with 3 environments: development, staging and production. You can add or remove environments as you see fit. We also thought about local development, where the environment is sometimes different for each developer. With Enkryptify you can create a clone of any environment and update the secrets for the local environment. This environment is visible only to the developer and is not accessible to others, not even admins.

4. Inadequate access control

Access control failures remain the top security risk in the OWASP Top 10. Proper access management is crucial for secrets security. Organizations often grant admin access to everyone, which is a huge security risk. Even if you trust your team, you should not grant admin access to everyone. When one of your team members is compromised, all your secrets are compromised.

Implement these essential controls:

  1. Apply the Principle of Least Privilege (PoLP). Grant employees only the access they need to do their job.
  2. Use role-based access control (RBAC) to manage permissions granularly.
  3. Set up automated offboarding workflows that immediately revoke access when someone leaves the organization.

With Enkryptify you can manage access on a workspace, team and project level, ensuring that no one has access to more than they need. Our predefined roles are designed to give you the right balance between security and usability. To learn more about our access control model, visit our documentation.

For our enterprise customers, we will soon offer Single Sign-On (SSO) and SCIM integrations, allowing you to manage access from your existing identity provider. For granular access control, we are working on custom roles and permissions for your team.

5. Neglecting human error

With GitGuardian reporting that more than 1 in 10 commit authors have leaked a secret, human error remains a significant risk factor. Organizations must acknowledge this reality and implement appropriate safeguards.

Focus on the following to mitigate human error:

  1. Train your team on how to handle secrets securely.
  2. Use automated secret scanning tools in your CI/CD pipeline to catch accidental exposures.
  3. Create clear incident response procedures for when secrets are exposed.
  4. Establish a blame-free reporting culture that encourages prompt disclosure of accidents.
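
A minimal version of the scanning step in item 2, as an added example (not the post's code and not a substitute for a maintained scanner): it checks only the lines a diff adds, ignores the placeholder values from .env.example, and reports file, line and rule without echoing the secret. The two rules, the entropy threshold and the sample diff are assumptions made for illustration.

```python
import math
import re

# Illustrative rules (assumptions of this example, not a complete ruleset).
RULES = {
    "url-credentials": re.compile(r"[a-z][a-z0-9+.-]*://[^\s:/@]+:([^\s@/]+)@", re.I),
    "secret-assignment": re.compile(
        r"\b\w*(?:api_?key|secret|token|password)\w*\s*[=:]\s*['\"]?([A-Za-z0-9_+/=-]{12,})", re.I),
}
PLACEHOLDERS = {"password", "your_api_key_here"}  # values from the page's .env.example

def entropy(value):  # Shannon entropy in bits per character
    freqs = [value.count(c) / len(value) for c in set(value)]
    return -sum(p * math.log2(p) for p in freqs)

def scan_diff(diff_text, min_entropy=3.0):
    """Return (path, new_line_number, rule) for each suspicious added line."""
    findings, path, lineno = [], None, 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[6:] if line.startswith("+++ b/") else line[4:]
        elif line.startswith("@@"):
            lineno = int(re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", line).group(1)) - 1
        elif line.startswith("+"):
            lineno += 1
            for rule, rx in RULES.items():
                m = rx.search(line[1:])
                if m and m.group(1).lower() not in PLACEHOLDERS and (
                        rule != "secret-assignment" or entropy(m.group(1)) >= min_entropy):
                    findings.append((path, lineno, rule))
        elif line.startswith(" "):
            lineno += 1
    return findings

# Constructed sample diff; the credentials in it are made up.
SAMPLE_DIFF = """\
--- a/config.py
+++ b/config.py
@@ -1 +1,4 @@
 import os
+DATABASE_URL = "postgresql://app:Xk9fQ2mLw7Zp@db.internal:5432/mydb"
+API_KEY = os.environ["API_KEY"]
+SERVICE_TOKEN = "q7Rk2Vx9Lm4Tz8Wp3Nc6Bd"
--- /dev/null
+++ b/.env.example
@@ -0,0 +1,2 @@
+DATABASE_URL=postgresql://user:password@localhost:5432/mydb
+API_KEY=your_api_key_here
"""
```

In a pipeline, a non-empty result from `scan_diff` on the pull request diff would fail the job.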

By training your team to use Enkryptify, you can reduce the risk of human error significantly.

The path forward

Implementing these improvements will significantly enhance your organization's security posture. Proper secrets management reduces the risk of breaches, simplifies compliance, and improves operational efficiency. The initial investment in proper tools and processes pays off through reduced incident response costs and improved security posture.

Remember that secrets management is not a one-time effort but a continuous process requiring regular review and updates. Stay vigilant, keep your team trained, and regularly audit your practices to maintain strong security.

If you have made any of these mistakes, don't worry. You can start using Enkryptify to improve your secrets management today. To get started, visit enkryptify.com.
