AppSecUSA 2015 - Buy ticket at http://2015.appsecusa.org/buy/
Friday, September 25 • 2:00pm - 2:55pm
Turtles All the Way Down: Storing Secrets in the Cloud and the Data Center


Getting credential storage right is not easy. You may be using PKI correctly, you may be careful not to check passwords into your source code repository, but you need to put your secrets somewhere.

You can encrypt them, but where do you put the key to access them? You password-encrypt that key, but where do you put that password? You can encrypt it with a key and protect that key with a password! Oh wait…

Sometimes the development and QA teams need credentials to interact with a third-party service to do their jobs. And, of course, your application can’t integrate without credentials of its own. Sometimes the credentials are API keys. Sometimes they are usernames and passwords (unfortunately). Sometimes you have a private key for signing or encryption. Even when you are lucky enough to be able to reach multiple services through a single SSO login, you still need somewhere to put the SSO credentials.

The available strategies and tools depend on the platform, the types of credentials you need to store, where you deploy, and the level of security you expect from your credentials and the assets they protect.

This talk will be a survey of the available tools, technologies, and strategies developers can utilize to improve how their secrets are managed throughout development, testing, and deployment. The talk will cover both data center and cloud-based deployments, paying special attention to open-source tools available for common enterprise platforms. Discussion will center around advantages and disadvantages of each option in order to help developers and operational teams find the solution or solutions most appropriate to their applications and organizations.

Speakers

Daniel Somerfield

Lead Consulting Developer, ThoughtWorks
Daniel Somerfield has over 15 years of experience developing software for retail sales, corporate communications, enterprise development, and IT security and compliance. In 1997 he co-founded ISNetworks, a company specializing in digital signature and encryption technologies. While at ISNetworks, Daniel and business partner Jess Garms co-wrote "Professional Java Security". After ISNetworks, Daniel worked for a number of companies on...
Friday September 25, 2015 2:00pm - 2:55pm
Room A