Page 19 - CDM-CYBER-DEFENSE-eMAGAZINE-December-2018

- Hardcoded / embedded credentials: privileged passwords and other secrets are needed to facilitate authentication for app-to-app (A2A) and application-to-database (A2D) communications and access. Often, applications and IoT devices are shipped and deployed with hardcoded, default credentials, which are easy for hackers to crack using scanning tools and simple guessing or dictionary-style attacks. DevOps tools frequently have secrets hardcoded in scripts or files, which jeopardizes security for the entire automation process.
- Privileged credentials and the cloud: cloud and virtualization administrator consoles (as with AWS, Office 365, etc.) provide broad superuser privileges that enable users to rapidly spin up and spin down virtual machines and applications at massive scale. Each of these VM instances comes with its own set of privileges and secrets that need to be managed.
- DevOps tools: while secrets need to be managed across the entire IT ecosystem, DevOps environments are where the challenges of managing secrets seem to be particularly amplified at the moment. DevOps teams typically leverage dozens of orchestration, configuration management, and other tools and technologies (Chef, Puppet, Ansible, Salt, Docker containers, etc.) relying on automation and other scripts that require secrets to work.
- Third-party vendor accounts / remote access solutions: how do you ensure that the authorization provided via remote access or to a third party is appropriately used? How do you ensure that the third-party organization is adequately managing secrets?
- Manual secrets management processes: leaving password security in the hands of humans is a recipe for mismanagement. Poor secrets hygiene, such as lack of password rotation, default passwords, embedded secrets, password sharing, and using easy-to-remember passwords, means secrets are not likely to remain secret, opening up the opportunity for breaches. Generally, more manual secrets management processes equate to a higher likelihood of security gaps and malpractice.


Best Practices & Solutions for Secrets Management

While holistic and broad secrets management coverage is best, regardless of your solution(s) for managing secrets, here are 7 best practices you should focus on addressing:

- Discover / identify all types of passwords, keys and other secrets across your entire IT environment and bring them under centralized management. Continuously discover and onboard new secrets as they are created.
- Eliminate hardcoded / embedded secrets in DevOps tool configurations, build scripts, code files, test builds, production builds, applications, and more. Bring hardcoded credentials under management, such as by retrieving them through API calls at runtime, and enforce password security best practices. Eliminating hardcoded and default passwords effectively removes dangerous backdoors to your environment.
- Enforce password security best practices, including password length, complexity, uniqueness, expiration, rotation, and more across all types of passwords. Secrets, if possible, should never be shared. If a secret is shared, it should be immediately changed. Secrets to more sensitive tools and systems should have more rigorous security parameters, such as one-time passwords, and rotation after each use.
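The discovery, elimination and policy-enforcement practices above can be checked mechanically. The script below is an added example written for this page; it is not code from the article or from any vendor's product. It does two things: it scans constructed sample DevOps files for credential assignments whose right-hand side is an inline literal (as opposed to a runtime lookup such as an environment variable or vault reference), and it evaluates a constructed inventory of managed secrets against length, complexity, default-value, uniqueness, rotation-age and sharing rules. The regular expression, the policy thresholds (16 characters, 90 days), the denylist of common values and all sample data are assumptions chosen for illustration.

```python
"""Secrets-hygiene checker (added example, not the article's own code)."""
import re
from datetime import date

# Constructed sample files: a shell deploy script, a properties file and a
# settings module that reads its secret at runtime instead of embedding it.
SAMPLE_FILES = {
    "deploy.sh": 'export DB_PASSWORD="Summer2018!"\naws s3 sync ./build s3://example-bucket\n',
    "app.properties": "db.user=app\ndb.password=changeme\napi_key = AKIAEXAMPLEKEY0001\n",
    "settings.py": 'DB_PASSWORD = os.environ["DB_PASSWORD"]  # runtime lookup, not embedded\n',
}

# Matches "<something>password|secret|api_key|token<something> = <value>".
SECRET_ASSIGNMENT = re.compile(
    r"""(?ix)
    (?P<key>[\w.\-]*(password|passwd|pwd|secret|api[_\-]?key|token)[\w.\-]*)
    \s*[:=]\s*
    ["']?(?P<value>[^"'\s\#]+)["']?
    """
)

# Prefixes (assumed) that indicate the value is resolved at runtime, not a literal.
RUNTIME_LOOKUP_PREFIXES = ("$", "os.environ", "getenv", "vault:", "{{")


def is_literal_value(value):
    """True when the assigned value looks like an inline literal credential."""
    return not value.startswith(RUNTIME_LOOKUP_PREFIXES)


def scan_for_embedded_secrets(files):
    """Return (filename, line_no, key) for every literal credential assignment found."""
    findings = []
    for name, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            match = SECRET_ASSIGNMENT.search(line)
            if match and is_literal_value(match.group("value")):
                findings.append((name, line_no, match.group("key")))
    return findings


# Assumed policy parameters and a constructed denylist of default/common values.
POLICY = {"min_length": 16, "min_char_classes": 3, "max_age_days": 90}
COMMON_VALUES = {"changeme", "password", "admin", "summer2018!"}
CHAR_CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]")


def check_secret_policy(secrets, today):
    """Evaluate managed secrets against the policy.

    secrets: list of dicts with keys name, value, last_rotated (date), shared_by (list).
    Returns {secret name: [violation, ...]} for secrets that break at least one rule.
    """
    violations = {}
    first_seen = {}  # value -> name of the first secret using it (uniqueness check)
    for secret in secrets:
        value, problems = secret["value"], []
        if len(value) < POLICY["min_length"]:
            problems.append("too short")
        classes = sum(bool(re.search(p, value)) for p in CHAR_CLASSES)
        if classes < POLICY["min_char_classes"]:
            problems.append("low complexity")
        if value.lower() in COMMON_VALUES:
            problems.append("default/common value")
        if value in first_seen:
            problems.append(f"reused value of {first_seen[value]}")
        else:
            first_seen[value] = secret["name"]
        if (today - secret["last_rotated"]).days > POLICY["max_age_days"]:
            problems.append("rotation overdue")
        if len(secret["shared_by"]) > 1:
            problems.append("shared by multiple consumers")
        if problems:
            violations[secret["name"]] = problems
    return violations


# Constructed inventory and reference date for the policy check.
TODAY = date(2018, 12, 1)
SAMPLE_SECRETS = [
    {"name": "db/app", "value": "changeme", "last_rotated": date(2017, 3, 1),
     "shared_by": ["app", "batch-job"]},
    {"name": "ci/deploy-token", "value": "x7!Qm2#vL9pR4sT1wZ",
     "last_rotated": date(2018, 11, 15), "shared_by": ["ci"]},
    {"name": "backup/s3-key", "value": "x7!Qm2#vL9pR4sT1wZ",
     "last_rotated": date(2018, 6, 1), "shared_by": ["backup"]},
]

if __name__ == "__main__":
    for finding in scan_for_embedded_secrets(SAMPLE_FILES):
        print("embedded secret: %s:%d (%s)" % finding)
    for name, problems in check_secret_policy(SAMPLE_SECRETS, TODAY).items():
        print(f"policy violation: {name}: {', '.join(problems)}")
```

Run against the constructed samples, the scanner flags the deploy script and both properties-file entries but not the settings module, because its value is an environment lookup. The policy check reports the default, shared and stale database password and the S3 key that reuses the CI token's value; the recently rotated, unique CI token passes. In a real pipeline the scanner would run as a pre-commit or CI step over the repository, and the policy check against the export of whatever central secrets store holds the inventory.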