Secrets management is core to DevSecOps: how credentials are managed can make all the difference in preventing an application from being compromised in the first place. The challenge is making it as simple as possible for developers to access the stores where most of those credentials are kept in the enterprise.
HashiCorp this week released an update to the open source Vault secrets management software that adds support for both the Microsoft Azure Active Directory Auth Method and the identity and access management (IAM) engine used in Google Cloud Platform (GCP). Those new capabilities complement existing support for LDAP, Amazon Web Services IAM, Kubernetes, GitHub, Okta and others.
In addition, version 0.10 of Vault adds a graphical user interface (GUI). Previously, the GUI was available only in the enterprise version of Vault that HashiCorp supports. But Andy Manoske, a product manager for HashiCorp, said organizations are making it clear they want developers and cybersecurity professionals to make use of the same core secrets management framework. Because most cybersecurity professionals don’t know how to program, it became necessary to add a GUI to the core Vault open source software, Manoske said.
In general, Manoske said, developers and cybersecurity professionals are starting to work more closely together. Microsoft Active Directory is the most widely used platform for storing credentials. As enterprise IT organizations start to move more Windows applications to the cloud, enabling developers to programmatically access that credential data is becoming a bigger requirement, he said.
Additional capabilities in version 0.10 of Vault include the ability to automate the rotation of root credentials at specified intervals and support for versioning of secrets. The latter feature is critical for both compliance and disaster recovery purposes, as well as for enforcing temporary changes to secret keys during the investigation of a potential cybersecurity breach, Manoske said.
From a DevSecOps perspective, Manoske said the biggest challenge remains the reliance on manual efforts to manage secrets within the applications themselves rather than storing them externally in a secrets management platform. Cybercriminals increasingly are making use of automation tools to scan applications for vulnerabilities that enable them to compromise credentials. Vault provides a means of managing credentials in encrypted form that can be applied across thousands of applications at scale. It’s hard to see how organizations can address application security without finding some way to automate secrets management, he said.
Progress in DevSecOps so far has been slow but steady. Most organizations won’t be able to address DevSecOps effectively until they master DevOps fundamentals. Once that occurs, organizations need to establish a workflow between developers, who want to address every function with application programming interfaces (APIs), and the cybersecurity professionals who define corporate policies.
Embracing DevSecOps is, of course, as much about the processes and culture as it is about new technologies. The real challenge is finding a way for developers and cybersecurity professionals to collaborate without seriously compromising the rate at which applications are being developed.