Well-Architected Framework
Identify leaked secrets
Organizations should use a defense-in-depth approach. Defense-in-depth is a security strategy that uses multiple layers of security and controls to protect data rather than relying on any single protective measure.
To begin building your defense-in-depth strategy for leaked secrets, start with a solution that scans for and identifies secrets across your data sources. Common types of data sources you should monitor include:
- Version control systems (VCS) such as BitBucket, GitHub, or GitLab.
- Documentation and communication systems such as Confluence, Google Docs, or Slack.
- General storage locations like local file systems, or cloud storage such as Amazon S3.
- Local developer environments, or CI/CD systems and supporting services such as Docker.
HCP Vault Radar scans your data sources for secrets and integrates with various providers to alert your teams when it finds a secret. Vault Radar supports multiple scanning options to fit your workloads and data confidentiality requirements. You can use the cloud scanner for publicly accessible systems (such as GitHub) or the Vault Radar agent for on-premises systems (such as self-hosted Confluence). Alternatively, you can use the Vault Radar CLI to integrate with local developer environments or CI/CD systems.
Vault Radar also prioritizes the severity of the leaked secret. For example, it can identify if the secret is a placeholder or example text versus a real secret. Radar helps your security team prioritize the remediation of the leaked secret.
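The scanning and prioritization described above can be illustrated with a small scanner of the same shape. The following Python is an added example written for this page; it is not Vault Radar's code and does not reproduce its detection rules. It walks several constructed data sources (a repository file, a wiki page, and a CI log), matches a few well-known credential formats plus generic `key = value` assignments, and then rates each finding: values that carry placeholder markers or have too little randomness are reported as `low`, everything else as `high`. The pattern names, placeholder markers, entropy threshold and sample inputs are all assumptions chosen for the illustration.

```python
from __future__ import annotations

import math
import re
from dataclasses import dataclass

# Detection patterns: a few structured credential formats plus a generic
# "<name> = <value>" assignment. Names and rules are illustrative assumptions.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "github_pat": re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b"),
    "private_key_block": re.compile(r"(-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)"),
    "generic_assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|password|passwd|token)[a-z_]*\s*[:=]\s*['\"]?([^\s'\"]{8,})"
    ),
}

# Substrings that usually mark sample text rather than a live credential (assumed list).
PLACEHOLDER_MARKERS = (
    "example", "changeme", "placeholder", "your_", "xxxx", "dummy", "<", "${", "redacted",
)


@dataclass
class Finding:
    source: str
    line_no: int
    kind: str
    value: str
    severity: str  # "high" = looks like a live secret, "low" = placeholder or example text


def shannon_entropy(s: str) -> float:
    """Bits per character of the value; random API keys usually score well above 3."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_placeholder(value: str) -> bool:
    """Heuristic: marker words, templating syntax, or a value made of one or two characters."""
    v = value.lower()
    if any(marker in v for marker in PLACEHOLDER_MARKERS):
        return True
    return len(set(v)) <= 2  # "xxxxxxxx", "00000000", "aaaaaaaa"


def classify(kind: str, value: str) -> str:
    """Structured formats are high unless they are placeholders; generic matches also need entropy."""
    if looks_like_placeholder(value):
        return "low"
    if kind == "generic_assignment" and shannon_entropy(value) < 3.0:
        return "low"
    return "high"


def scan_text(source: str, text: str) -> list[Finding]:
    """Scan one document line by line; the same value on one line is reported once."""
    findings: list[Finding] = []
    seen: set[tuple[int, str]] = set()
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(1)
                if (line_no, value) in seen:
                    continue  # specific patterns run first, so they win over the generic one
                seen.add((line_no, value))
                findings.append(Finding(source, line_no, kind, value, classify(kind, value)))
    return findings


def scan_sources(sources: dict[str, str]) -> list[Finding]:
    """Scan several named data sources (repo file, wiki page, CI log) and pool the findings."""
    results: list[Finding] = []
    for name, text in sources.items():
        results.extend(scan_text(name, text))
    return results


# Constructed sample data sources for the demonstration. The AWS values are the
# documented AWS example credentials; the other values were made up for this example.
SAMPLE_SOURCES = {
    "repo:config/settings.py": (
        'api_key = "q8ZkPd3mT2vXyLbN4sRw7Hc1JfGa9Ue5"\n'
        'db_password = "aaaaaaaaaaaa"\n'
        "debug = True\n"
    ),
    "wiki:onboarding-guide": (
        "Set AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE in your shell.\n"
        "password: <your-password-here>\n"
    ),
    "ci:build.log": (
        "export GITHUB_TOKEN=ghp_aB3dE5fG7hI9jK1lM3nO5pQ7rS9tU1vW3xY5\n"
        "token=${VAULT_TOKEN}\n"
        "-----BEGIN RSA PRIVATE KEY-----\n"
    ),
}

if __name__ == "__main__":
    # Highest severity first, so the security team sees live-looking secrets at the top.
    for f in sorted(scan_sources(SAMPLE_SOURCES), key=lambda x: x.severity != "high"):
        print(f"{f.severity:4} {f.source}:{f.line_no} {f.kind}")
```

Run as a script, the output lists three `high` findings (the random-looking API key, the GitHub-style token, and the private key header) ahead of four `low` ones (the AWS documentation example key, the angle-bracket placeholder, the `${VAULT_TOKEN}` template, and the repeated-character password). A real scanner such as Vault Radar applies far richer rules, but the split into "what did we match" and "how likely is it to be live" is the shape of the prioritization the page describes.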
However, no amount of technical scanning and detection capabilities will be effective if your team members are afraid to report mistakes or potential security incidents. Creating a positive, blameless culture is essential — when people fear losing their jobs for admitting errors, they will hide their mistakes rather than focus on fixing the underlying processes that allowed the incident to occur.
The Google SRE book advises removing blame from the incident response process. This includes a "focus on identifying the contributing causes of the incident without indicting any individual or team for bad or inappropriate behavior."
HashiCorp resources:
- Sign up for HCP Vault Radar
- HCP Vault Radar agent documentation
- HCP Vault Radar CLI scan documentation
Next steps
In this section of the guide on managing leaked secrets, you learned how to identify leaked secrets in your organization. Managing leaked secrets is part of the Secure systems pillar.