Mar 22
Episode 4. Secure Coding — Software Security tools used for Sensitive data in 2022
→ Sensitive information in the application can leak if directly used in the application or pushed in the repository.
→ A good practice is keeping sensitive information like — user, password, application key, secret key, etc (i.e. environment files credentials) in secret manager.
What is a secret manager?
A secret manager is a service that helps you protect access to your applications, services, and IT resources. This service enables you to easily rotate, manage, and retrieve database credentials, API keys, TLS certificates and other secrets needed by an application at runtime.
Let us overview security tools:
1 . Google Secret Manager:
→ Google is a lifesaver for us all.
→ Google Secret Manager also helps us with a secret management tool
→ When Google announced its new service, we were all very excited about it!
→ Sample code for Node.js developer.
// config/secret_manager.jsconst { SecretManagerServiceClient } = require('@google-cloud/secret-manager');const client = new SecretManagerServiceClient();
async function getSecret(name) {
const [version] = await client.accessSecretVersion({ name });
const secretValue = JSON.parse(version.payload.data.toString());
return secretValue;
}module.exports = getSecret;
Besides Node.js, Google provided a library for many other programming languages like Go, Python, .NET Core, PHP, etc.
→ We will love the way it can be easily implemented. Explore google’s secret manager here.
2. AWS Secrets Manager:
→ AWS Secrets Manager helps us quickly rotate, manage, and retrieve database credentials, API keys, and other passwords.
→ Using Secrets Manager, we can secure, analyze, and manage secrets needed to access the AWS Cloud capabilities, on third-party services and on-premises.
Secrets Manager enables us to manage access to secrets using fine-grained permissions. The key features of AWS Secrets Manager are:
- Encrypts secrets at rest using encryption keys.
- Also, it decrypts the secret, and then it transmits securely over TLS.
- Provides code samples that help to call Secrets Manager APIs
- It has client-side caching libraries to improve the availability and reduce the latency of using your secrets.
- Configure Amazon VPC (Virtual Private Cloud) endpoints to keep traffic within the AWS network.
- We can know more about AWS here.
AWS has a solution to every problem 😀
3. Azure Key Vault:
→ If you are hosting an application in Azure, this would be a good choice.
→ Azure Key Vault enables users to manage all secrets (keys, certificates, connection strings, passwords, etc.) for their cloud application at a particular place.
→ It is integrated out of the box with origins and targets of secrets in Azure. Applications outside Azure can further utilize it.
→ We can also improve performance by cutting down the latency of your cloud applications by storing cryptographic keys in the cloud instead of on-premises.
→ Azure helps us to achieve data protection and compliance requirement.
4. Docker secrets:
→ Docker secrets let us easily add the secret to the cluster, and It is only shared over the mutually authenticated TLS connections.
→ Then data is reached to the manager node in Docker secrets, and it automatically saves into the internal Raft store, which ensures that data should be encrypted.
We can see more about docker here.
5. Doppler:
→ From startups to enterprises, thousands of organizations use Doppler to keep their secret and app configuration in sync across environments, team members, and devices.
→ We do not need to share secrets over email, zip files, git, and Slack. We can allow our teams to collaborate so that they have it instantly after the addition of the secret.
→ Doppler gives us a relaxed feeling by automating the process and saving time.
→ We can create references to the frequently used secrets so that a single update in some intervals will do all our work.
→ Doppler CLI knows everything about fetching your secrets based on your project directory.
→ We should not worry if anything changes, we can easily roll back the broken modifications in a single click or via CLI and API.
6. Vault:
→ HashiCorp Vault is a tool for securely storing and accessing secrets.
→ It provides a unified interface to secret while maintaining tight access control and logging a comprehensive audit log.
→ It is a tool that secures user applications and bases to limit the surface space and attack time in a breach. It gives an API that allows access to secrets based on policies. Any user of the API needs to verify and only see the secrets they are authorized to view.
Vault encrypts data using 256-bit AES with GCM.
7. Akeyless Vault:
→ Akeyless Vault is a unified, end-to-end secrets management SaaS-based platform, protecting all types of credentials, both static & dynamic, including certificates automation and encryption keys.
→ Besides, it provides a unique solution to secure remote access (zero-trust) to all the resources across legacy, multi-cloud and hybrid environments.
→ Akeyless protects secrets & keys using a built-in FIPS 140–2 certified and patented technology; it has zero knowledge of its customers’ secrets & keys.
The key features include:
- Globally available, SaaS-based platform that offers a built-in high availability (HA) and disaster recovery (DR) by leveraging cloud-native architecture on top of a multi-region and multi-cloud service.
- Advanced secrets management provides a secure vault for static & dynamic secrets such as passwords, credentials, API keys, tokens, etc.
- Akeyless Vault enables provisioning and injection of all types of secrets to all your servers, applications, and workloads, providing a wide variety of plugins that allow you to connect to all your DevOps and IT Platforms such as CI/CD, configuration management, and orchestration tools such as Kubernetes & Docker.
Fastest-time-to-production because:
- SaaS — no deployment, installation, or maintenance necessary
- Instant onboarding with automatic migration of secrets from known existing secrets repositories
The platform supports two more pillars:
- Zero-Trust Application Access (AKA Remote Access) by providing unified authentication and just-in-time access credentials, allowing you to secure the perimeter-less applications and infrastructure.
- Encryption as-a-Service, to allow customers to protect sensitive personal & business data by applying advanced FIPS 140–2 certified app-level encryption.
8. Confidant:
→ Confidant is an open-source secret management tool that maintains user-friendly storage and access to secrets securely.
→ It stores secrets in an append way in DynamoDB and generate a unique KMS data key for every modification of all the secret, using Fernet symmetric authenticated cryptography.
It provides an AngularJS web interface that provides end-users to efficiently manage secrets, the forms of secrets to services, and the record of changes. Some of the features include:
- KMS Authentication
- At-rest encryption of versioned secrets
- A user-friendly web interface for managing secrets
- Generate tokens that can be applied for service-to-service authentication or to pass encrypted messages between services.
9. Knox:
Knox was developed by the social media platform Pintaerest to solve their problem with managing keys manually and keeping an audit trail. Knox is written in Go, and clients communicate with the Knox server using a REST API.
Knox uses a volatile temporary database for storing keys. It encrypts the data stored in the database using AES-GCM with a master encryption key. Knox is also available as a Docker image.
10. Strongbox:
Strongbox is a handy tool that handles, stores, and retrieves secrets such as access tokens, private certificates, and encryption keys. Strongbox is a client-side convenience layer. It maintains the AWS resources for you, and it also securely configures them.
Video:
Closing Thoughts:
In this article, we have seen the latest security tools. The important takeaway is every project requires a separate secret manager.
If our application is deployed in AWS, AWS Secret Manager may be a good choice. Every software have their uniqueness, do try them team, will love it ❤️
Thank you for reading till the end 🙌 . If you enjoyed this article or learned something new, support me by clicking the share button below to reach more people and/or give me a follow on Twitter and subscribe Happy Learnings !! to see some other tips, articles, and things I learn about and share there.
