Secrets of Secrets

Secrets Management is important. Now, more than ever. Yet, I see very little attention being paid to it by Developers, DevOps teams and surprisingly, even security teams. Secrets are not only critical in protecting access to third-party APIs and components like Databases and so on, but are equally important when protecting sensitive information stored, processed and managed by your application environment.

  • Today, the average application is very chatty. You’re usually dealing with a plethora of secrets, including API keys, encryption keys, passwords and tokens. And this is only in production. As you proceed downstream, you’d see a sprawl of secrets in:
    – CI/CD environments
    – Git repositories
    – Dev, staging and test environments
    – Developer workstations, and so on.
  • With the rise of distributed systems, micro-services, serverless and so on, I’ll not be surprised if the number of secrets (and the need to manage them) has gone up exponentially.
  • Cloud-native deployments and Kubernetes, compounded with the things I highlight above, have necessitated a better approach to managing secrets comprehensively across multiple regions, clusters, and persistent and ephemeral resources.
  • In addition, with CI/CD environments there’s also a need to stand up ephemeral environments (with ephemeral secrets).

Clearly the above is a challenge. I have seen folks within the industry struggle not only with understanding Secrets Management and its nuances, but also be woefully unaware of the tools and techniques to get them to work well and at scale.

This is one of the reasons that led us to build our new program

Secrets of Secrets: Managing Secrets and Sensitive Information in Cloud-Native Environments

And we’re debuting this program in BlackHat Asia 2020!

We believe that there’s a dire need for people to understand both an offensive and a defensive perspective on Secrets and Secrets Management for modern-day on-prem environments, cloud, Kubernetes and build environments.

This training is a one-of-a-kind program where we are doing a deep-dive hands-on class on:

  • Attacking Secrets in Cloud-Native Environments like AWS, Azure, Containers, Git repos and Kubernetes
    – Attacks against Git repos
    – Attacks leveraging Infrastructure-as-Code scripts
    – Attacks leveraging cloud IAM
  • Secrets Management for On-Prem Environments:
    – HashiCorp Vault deep-dive, among other tools for encryption, secrets management, auditing, dynamic secrets and much more
    – Common security patterns and anti-patterns for applications deployed on-prem
  • Secrets for Cloud-Native Environments:
    – Deep-dive into AWS Secrets Manager, AWS Key Management Service, Azure Key Vault and so forth
    – Common attack patterns against secrets on the cloud
    – Proactive defense for secrets with IAM privileges, monitoring and API access control
  • Secrets for Kubernetes Environments:
    – Rundown of Kubernetes Secrets and their inherent deficiencies
    – Attacks for secret exfiltration from Kubernetes clusters
    – Kubernetes Secrets Management tools
    – Integration with Vault for RBAC, certificate management and secrets management
    – Introduction to SPIFFE and Open Policy Agent
  • Secrets for CI/CD Environments

We strongly believe that this training addresses a much-needed focus on secrets and secrets management. Additionally, it’s been backed by years of research and work with developers, DevOps teams and security teams on secrets management and the tools used to manage secrets. In addition, we are delivering cutting-edge labs for people to gain mastery over these concepts.

We’re excited to be running this in Blackhat Asia 2020! Let me know if you want additional info on the class. Register here if you’re interested!