---
---
Why
This Working Session will focus on secrets management - a key element of DevSecOps.
Secrets are used everywhere nowadays with the DevOps movement: API keys, database credentials, IAM permissions, SSH keys, certificates, etc. Many organizations have them hard-coded in source code, littered throughout configuration files and configuration management tools, and stored in plaintext in version control.
There is a strong need to centralize secrets in order to improve the security posture and prevent secrets from leaking and compromising the organization. Most of the time, services share the same secrets, which makes identifying the source of a compromise or leak very challenging.
Because technologies like containers, Kubernetes and cloud native are in full swing, guidance on proper secrets management is needed now. This session aims to start a new OWASP Cheat Sheet on secrets management.
What
Identify best practices for secrets management (containers, cloud (AWS, Azure, GCP), applications, etc.)
Provide guidance on how to do proper secrets management across different environments
Agree what to include in an OWASP Cheat Sheet
Outcomes
This Working Session will publish:
A set of best practices for DevSecOps engineers
The start of an OWASP Cheat Sheet for secrets management
Who
DevSecOps engineers
Security professionals
CISOs
Developers
Operators