Admit it: we've all checked in an API key or password to a repo at some point... Oops... No one wants their secrets to accidentally leak, so this session is your essential refresher on secret management (and mismanagement!) for your applications and beyond!
Let's explore the range of methods (and the benefits) of securely handling secrets in local development: from features baked into your IDE (Visual Studio, Rider), to secret management services (Azure Key Vault, AWS Secrets Manager, GCP Secret Manager), and even loading them from your password manager of choice (e.g. 1Password). We'll progress to accessing secrets from a CI/CD pipeline, or injecting them into infrastructure at runtime, so that hard-coded secrets are eliminated from every part of our projects.
What about when things inevitably go slightly wrong...?
We will follow the stories of a few real world breaches: what went wrong, how we responded, the lessons we learnt, and how that feeds back into our processes.
I will discuss the processes we have implemented with our clients to manage secrets at scale: following a least-privilege approach, methods for revoking and rotating credentials, and mapping which systems depend on each secret so we can measure the blast radius of a change.
Finally, we will look at the ways automation can help, including configuring automatic secret detection tools (GitHub and Azure DevOps) and CodeQL checks in our pipelines.
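To make the "automatic secret detection" step concrete, here is an added example (not from the talk, and not the GitHub or Azure DevOps scanner itself) of the kind of pre-commit check those tools perform at a much larger scale: a few pattern rules for well-known token formats, a generic "credential assignment" rule, a Shannon-entropy rule for opaque high-entropy blobs, and an inline allow marker for documented placeholders. The rule set, the `secret-scan:allow` marker and the sample `.env` contents are this example's own constructions; the AWS key is the documented AWS example key, everything else is made up.

```python
"""Minimal pre-commit style secret scanner (added example, not from the talk).

The rule names, the ``secret-scan:allow`` marker and the thresholds are this
example's own conventions, not those of GitHub or Azure DevOps scanning.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass

ALLOW_MARKER = "secret-scan:allow"   # inline suppression for documented placeholders
ENTROPY_THRESHOLD = 4.0              # bits per character; tune per code base
MIN_TOKEN_LENGTH = 20                # shorter tokens are too noisy for the entropy rule

# Specific rules first so a well-known token is reported under its own name
# rather than under the generic rule. Tuple: (name, regex, group holding the value).
RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), 0),
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b"), 0),
    ("generic_credential_assignment",
     re.compile(r"(?i)(password|passwd|secret|token|api[_-]?key)['\"]?\s*[=:]\s*['\"]?([^'\";\s]{6,})"),
     2),
]
TOKEN_RE = re.compile(r"[A-Za-z0-9+/_-]{%d,}" % MIN_TOKEN_LENGTH)


@dataclass(frozen=True)
class Finding:
    rule: str
    line_no: int
    value: str

    def redacted(self) -> str:
        """Never echo the secret itself into CI logs: keep a short prefix only."""
        return self.value[:4] + "*" * (len(self.value) - 4)


def shannon_entropy(s: str) -> float:
    """Bits per character; 32 distinct characters in a 32-char string gives 5.0."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str) -> list[Finding]:
    """Run every rule over every line; one finding per (line, value) pair."""
    findings: list[Finding] = []
    seen: set[tuple[int, str]] = set()

    def report(rule: str, line_no: int, value: str) -> None:
        key = (line_no, value)
        if key not in seen:           # a GitHub PAT also matches the generic and
            seen.add(key)             # entropy rules; report it once, by its own name
            findings.append(Finding(rule, line_no, value))

    for line_no, line in enumerate(text.splitlines(), start=1):
        if ALLOW_MARKER in line:      # reviewed placeholder, e.g. in documentation
            continue
        for name, regex, group in RULES:
            for m in regex.finditer(line):
                report(name, line_no, m.group(group))
        for m in TOKEN_RE.finditer(line):
            if shannon_entropy(m.group(0)) >= ENTROPY_THRESHOLD:
                report("high_entropy_string", line_no, m.group(0))
    return findings


# Constructed sample: a .env file committed by mistake. The AWS key is the
# documented AWS example key; the other values are invented for this example.
SAMPLE_ENV = """\
# .env committed by mistake (constructed sample)
DB_CONNECTION="Server=db;User Id=app;Password=Hunter2!Rotate;"
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
GITHUB_TOKEN=ghp_abcdefghijklmnopqrstuvwxyz0123456789
LEGACY_BLOB=Qx7vL2pZ9mK4nR8tW3yB6cD1fG5hJ0sA
FEATURE_FLAG=enable-new-checkout
API_BASE=https://api.example.com/v1
SAMPLE_KEY=AKIAXXXXXXXXXXXXXXXX  # secret-scan:allow (documented placeholder)
"""

if __name__ == "__main__":
    import sys
    results = scan_text(SAMPLE_ENV)
    for f in results:
        print(f"line {f.line_no}: {f.rule}: {f.redacted()}")
    sys.exit(1 if results else 0)   # non-zero exit blocks the commit / fails the job
```

Run against the sample it reports four findings (the connection-string password, the AWS key, the GitHub token once rather than three times, and the opaque blob that no keyword rule would catch) and ignores the feature flag, the URL and the allow-listed placeholder. Two design points carry over to real tooling: findings are printed redacted so the scanner itself does not leak into build logs, and the non-zero exit code is what makes the check enforceable in a pre-commit hook or pipeline step.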
Callum Whyte is a four-time Microsoft MVP and six-time Umbraco MVP, specialising in building robust, scalable solutions on Azure and the .NET stack, as well as websites with the open-source Umbraco CMS.
Away from his desk you can find him organising community events, from local meetups and hackathons to global conferences and roadshows. He’s an active contributor to open source projects, a regular speaker at events all over the world, and co-host of the weekly YouTube series “UmbraCoffee”!