AppSecUSA 2015

Getting credential storage right is not easy. You may be using PKI correctly, you may be careful not to check passwords into your source code repository, but you need to put your secrets somewhere.

You can encrypt them, but where do you put the key to access them? You password-encrypt that key, but where do you put that password? You can encrypt it with a key and protect that key with a password! Oh wait…

Sometimes the development and QA teams need credentials to interact with a third party service to do their jobs. And, of course, your application can’t integrate without credentials of its own. Sometimes the credentials are API keys. Sometimes they are usernames and passwords (unfortunately). Sometimes you have private key for signing or encryption. Even when you are lucky enough to be able to reach multiple services through the a single SSO login, you still need somewhere to put the SSO credentials.

The available strategies and tools depend on the platform, the types of credentials you need to store, where you deploy, and the level of security you expect from your credentials and the assets they protect.

This talk will be a survey of the available tools, technologies, and strategies developers can utilize to improve how their secrets are managed throughout development, testing, and deployment. The talk will cover both data center and cloud-based deployments, paying special attention to open-source tools available for common enterprise platforms. Discussion will center around advantages and disadvantages of each option in order to help developers and operational teams find the solution or solutions most appropriate to their applications and organizations.