Do you store your secrets securely?

Created on 28 Apr 2016 | Last updated by Tiago Araújo [SSW] on 01 Apr 2021 04:28 PM

Most systems have variables that need to be stored securely: OpenID shared secret keys, connection strings and API tokens, to name a few.

These secrets must not be stored in source control in plain text – it is insecure by nature, and basically means that it is sitting.

There are many options for managing secrets in a secure way:

Bad Practices

Store production passwords in source control protected with the ASP.NET IIS Registration Tool

Pros:

  • Minimal change to existing process – no need for DPAPI or a dedicated Release Management (RM) tool
  • Simple and easy to understand

Cons:

  • Need to manually give the app pool identity the ability to read the default RSA key container
  • Difficult to manage production and non-production config settings
  • Developers can easily decrypt and access the production password
  • Manual transmission of the password from the key store to the encrypted config file

Figure: Bad practice - Overall rating: 2/10

Use Windows Identity instead of username/password

Pros:

  • Minimal change to existing process – no need for DPAPI or a dedicated RM tool
  • Simple and easy to understand

Cons:

  • Difficult to manage production and non-production config settings
  • Not generally applicable to all secured resources
  • Can hit firewall snags with Kerberos and AD ports
  • Vulnerable to DoS attacks related to password lockout policies
  • Has key-person reliance on network admin

Figure: Bad practice - Overall rating: 4/10

Use External Configuration Files

Pros:

  • Simple to understand and implement

Cons:

  • Makes setting up projects the first time very hard
  • Easy to accidentally check the external config file into source control
  • Still need DPAPI to protect the external config file
  • No clear way to manage the DevOps process for external config files

Figure: Bad practice - Overall rating: 1/10
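The accidental check-in that the cons above warn about (and the plain-text storage the introduction forbids) is cheapest to catch before the commit lands. As an added example that is not part of the SSW rule, this Python pre-commit scan flags literal connection-string passwords, API tokens and OpenID client secrets while letting release-tool placeholders (Octopus `#{...}`, Azure DevOps `$(...)`) and App Service Key Vault references through; the regex patterns, file names and sample values are constructed for the example.

```python
import re
import sys
from pathlib import Path
from typing import Dict, List, Tuple
# Patterns for the secret kinds the rule names (connection-string passwords, API
# tokens, OpenID client secrets). Constructed for this example; extend to your own setting names.
SECRET_PATTERNS: Dict[str, re.Pattern] = {
    "connection-string password": re.compile(
        r"(?i)\b(?:password|pwd)\s*=\s*(?P<value>[^;\"'\s]{4,})"),
    "api token / client secret": re.compile(
        r"(?i)\b(?:api[_-]?key|api[_-]?token|client[_-]?secret|secret[_-]?key)"
        r"[\"']?\s*[:=]\s*[\"']?(?P<value>[^\s\"',;]{16,})"),
}
# Values substituted at deploy time are not secrets: Octopus #{Var},
# Azure DevOps $(Var) / ${Var} and App Service Key Vault references.
PLACEHOLDER = re.compile(r"^(#\{.*\}|\$\(.*\)|\$\{.*\}|@Microsoft\.KeyVault\(.*\))$")

def scan_text(path: str, text: str) -> List[Tuple[str, int, str]]:
    """One (path, line number, kind) finding per line holding a literal, non-placeholder secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            match = pattern.search(line)
            if match and not PLACEHOLDER.match(match.group("value")):
                findings.append((path, lineno, kind))
    return findings

def scan_files(files: Dict[str, str]) -> List[Tuple[str, int, str]]:
    return [f for path, text in files.items() for f in scan_text(path, text)]

# Constructed sample input: a production config with literal secrets, beside
# a template whose values the release tool fills in at deploy time.
SAMPLE_FILES = {
    "appsettings.Production.json": (
        '{\n  "ConnectionStrings": {\n'
        '    "Default": "Server=sql01;Database=Rewards;User Id=app;Password=Hunter2Hunter2!"\n'
        '  },\n  "OpenId": { "ClientSecret": "0123456789abcdef0123456789abcdef" }\n}\n'),
    "appsettings.json": (
        '{\n  "ConnectionStrings": { "Default": "Server=#{DbServer};Password=#{DbPassword}" },\n'
        '  "OpenId": { "ClientSecret": "$(OpenIdClientSecret)" },\n'
        '  "Storage": { "ApiKey": "@Microsoft.KeyVault(SecretUri=https://example.vault.azure.net/secrets/storage)" }\n}\n'),
}
if __name__ == "__main__":
    # Pre-commit use: pass the staged file paths as arguments; with none, the sample runs.
    paths = sys.argv[1:]
    files = {p: Path(p).read_text(encoding="utf-8", errors="replace") for p in paths} or SAMPLE_FILES
    found = scan_files(files)
    for path, lineno, kind in found:
        print(f"{path}:{lineno}: {kind} stored in plain text")
    sys.exit(1 if found else 0)
```

A non-zero exit blocks the commit, so the check runs as the hook's last step; the placeholder list is the part to keep in step with whichever release tool you use.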

Good Practices

Use Octopus/VSTS RM secret management, with passwords sourced from KeePass

Pros:

  • Scalable and secure
  • General industry best practice - suits organizations of most sizes, short of large corporates

Cons:

  • Password reset process is still manual
  • DPAPI still needed

Figure: Good practice - Overall rating: 8/10

Use Enterprise Secret Management Tool – LastPass/HashiCorp Vault/etc.

Pros:

  • Enterprise grade – supports cryptographically strong passwords, auditing of secret access and dynamic secrets
  • Supports hierarchy of secrets
  • API for integrating with other tools
  • Password transmission can be done without a human in the chain

Cons:

  • More complex to install and administer
  • DPAPI still needed for config files at rest

Figure: Good practice - Overall rating: 8/10

Use Azure KeyVault

See the SSW Rewards mobile app repository for how SSW is using this in a production application: https://github.com/SSWConsulting/SSW.Rewards

Pros:

  • Best solution for cloud (Azure) solutions
  • Enterprise grade
  • Uses industry-standard, best-practice encryption
  • Dynamically cycles secrets
  • Access granted based on Azure AD permissions - no need to 'securely' share passwords with colleagues
  • Can be used to inject secrets in your CI/CD pipelines for non-cloud solutions

Cons:

Figure: Good practice - Overall rating: 9/10

Adam Cogan
Mehmet Ozdemir
Brendan Richards
Andrew Lean
