The key to successful secrets management is to make the best way the easiest way

AdminTeam April 26, 2024

Most organizations understand the value of secrets management — which is the practice of securely storing development credentials like API keys, certificates, and SSH keys — but not all organizations are following secure secrets management practices.

According to the secrets management provider Bitwarden’s 2024 developer survey, which polled 600 developers across different industries, 86% of companies use a secrets management solution, leaving 14% who still don’t.

A 2023 Sophos report found that compromised credentials are the root cause of 50% of the attacks its incident response team studied. And according to GitGuardian’s 2024 State of Secrets Sprawl Report, 12.7 million secrets were detected in public GitHub commits in 2023, which was a 28% increase from the previous year.

“Of course, that’s a massive issue for any organization who is trying to keep customer data secure. So it’s incredibly important for any developer to adhere to proper secrets management practices,” said Max Power, product lead for Bitwarden Secrets Manager.

Organizations know that they need to do better, but there are many things that tend to get left behind by developers when they’re under pressure to deliver faster, and secrets management is unfortunately one of them.

Nic Manoogian, engineering manager at secrets management platform Doppler, believes that in order to successfully implement good secrets management practices, teams should make it work with their existing workflows.

“Evaluate your options and really try to make sure that whatever you’re doing fits into a workflow that’s sustainable for you, that’s probably my biggest advice,” said Manoogian.

Brian Vallelunga, founder and CEO of Doppler, agreed, saying “if you don’t tackle the building it into your workflow part, then it’s just not going to get used and then there’s no value.”

He explained that there are many ways to store secrets, from the least secure method of just storing them in text files to the most secure option of using a platform designed specifically for securely keeping the information.

Using a secrets management system is beneficial, not just because it is more secure, but it avoids developers having to manage a patchwork of files or different systems where secrets are kept, which actually introduces more friction into development teams.

“The art and practice of secrets management is keeping those secrets secure, while also making them accessible to developers in the moments they need them with the right access controls and auditing in place,” said Vallelunga.

Vallelunga recommends making sure that your secrets management practice can be synced across teams and parts of the software development life cycle, otherwise it can lead to more issues.

For instance, imagine a scenario where one developer adds a piece of code that requires a secret, and then other developers are working on that code too, but don’t have access to that secret. That can lead to broken builds and lost development time as developers work to track down the proper secret.

Power says “the goal is to make it as easy as possible to collaborate with these secrets and to share secrets in a secure manner across human users, but also across machine use and between services, between CD pipelines, different environments, and so on.”

According to the respondents of Bitwarden’s Developer Survey, the top priority development teams have when buying a secrets management solution is ease of integration with other tools. Other top factors include company security posture, features, the vendor’s reputation, and scalability.

How secrets management can be a tool in building strong engineering cultures

SEO tool company AccuRanker uses Bitwarden to manage its secrets, and the company has found that having good tooling around secrets management has been important in building its engineering culture.

Its chief technical officer Henrik Refslund says that if there isn’t a process in place or good tools to manage things, developers who are pressed for time will often resort to the easiest option available. “Ideally, in a perfect world, you want to be secure by default. You want secure to be the easiest choice for developers,” he said.

He said that at AccuRanker, secrets management has become a part of efforts to improve the developer experience. Recognizing that we’re in a market where good developers are hard to come by and retaining developers can also be a challenge, maintaining good developer experience is a big goal for the company.

This requires both policies and tooling that go hand in hand and support each other. “With proper tooling, we were able to set these policies, we were able to create rules and best practices … if you deal with this right, if you create the proper processes and guidelines for this, it helps to build a sound engineering culture around security.”