
Secret Management Resources for Software Developers

Resources for secret management for software developers and other DevOps staff. Security information from the Technology Services Identity, Privacy, and Cybersecurity team. Intended Audience: IT Professionals – Developers, IT Operations, Cloud Engineers

Introduction

The purpose of this document is to help developers and operations (DevOps) staff associated with the University of Illinois fulfill their responsibility to comply with Illinois Cybersecurity standards, including IT05, IT07, and IT08.

General Guidelines

Healthy secret management practices reduce harm during cybersecurity incidents.

When a secret is compromised, immediately follow steps to Report a Cybersecurity Incident.

Three ways to reduce risk when managing secrets are issuing secrets that can do less damage if exposed (least privilege), controlling who and what can read them, and rotating them so that no given secret stays valid for too long.

Issue Secrets following the Principle of Least Privilege

When a secret is compromised, the damage is limited by how few privileges that secret carries. Follow the Principle of Least Privilege when issuing secrets, even if doing so means issuing more secrets.

  • A larger number of narrowly scoped secrets is safer than a few broad ones. For example, give a reporting job its own read-only database credential instead of reusing the application's read/write credential.
  • Security incidents on campus have been lessened in scope because each compromised secret carried fewer privileges.
  • When the number of secrets becomes a burden to track, consider adopting a secret manager such as Bitwarden, HashiCorp Vault, or a version of KeePass.

Control Access to Secrets

It is tempting to design secret management assuming that all software involved will behave as expected at all times; it will not. Assume that some component will crash, log too much, or be compromised, and design so that each secret is readable by as few people and processes as possible.

When bad actors have gained unauthorized access to campus resources, well-controlled secrets have reduced the harm done.

  • Ensure that secrets at rest (in files, databases, configuration stores, and backups) are readable only by the staff and service accounts that need them.
  • Use the preferred encryption-at-rest solutions for your team and environment.
  • Prefer managed full-disk encryption and secret managers over one-off encryption solutions.
  • Clear sensitive variables after use in long-running code, by destroying the object or overwriting the variable. This reduces the chance that a secret is written to a log or crash dump unexpectedly.
  • Be aware that in garbage-collected languages such as Python and Java, strings are immutable: assigning an empty value only drops a reference and leaves the old bytes in memory until they are reused. Hold secrets in a mutable buffer (such as a bytearray or char array) that can be overwritten in place, and give secret-holding objects a redacted string representation so that tracebacks and debuggers do not print the value.
  • The campus Protected Email Attachment Repository (PEAR) can be used to issue secrets to colleagues safely, rather than sending them in ordinary email or chat.
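To make the point about clearing variables concrete, here is an added example in Python (not code from the original page or from any campus tool): a small holder that keeps a secret in a bytearray, signs a request with it without copying it into an immutable string, and zeroes the buffer on exit whether the block ends normally or with an exception. The class and function names are illustrative, and the secret values are constructed samples.

```python
"""Hold a secret in a mutable buffer and wipe it when done.

Added example for this page; it is not code from the original article or
from any campus tool. It demonstrates the "clear sensitive variables after
use" guidance. Python str objects are immutable, so `token = ""` only drops
a reference and leaves the old bytes in memory until the allocator reuses
them. A bytearray can be overwritten in place. The redacted __repr__ keeps
the value out of tracebacks, debugger variable dumps and log lines that
format the object. Class and function names are illustrative.
"""
from contextlib import AbstractContextManager
import hashlib
import hmac


class SecretBuffer(AbstractContextManager):
    """Mutable holder for a secret that is zeroed on exit, even on error."""

    def __init__(self, value: bytes) -> None:
        self._buf = bytearray(value)   # mutable copy we can overwrite later
        self._cleared = False

    def __repr__(self) -> str:
        # Crash reporters, loggers and f-strings call repr()/str();
        # never reveal the value through them.
        return "<SecretBuffer [REDACTED]>"

    __str__ = __repr__

    def sign(self, message: bytes) -> str:
        """Use the secret without copying it into an immutable str/bytes:
        hmac accepts a bytearray key directly."""
        if self._cleared:
            raise RuntimeError("secret already cleared")
        return hmac.new(self._buf, message, hashlib.sha256).hexdigest()

    def clear(self) -> None:
        """Overwrite every byte in place; safe to call more than once."""
        for i in range(len(self._buf)):
            self._buf[i] = 0
        self._cleared = True

    def is_cleared(self) -> bool:
        return self._cleared and all(b == 0 for b in self._buf)

    def __exit__(self, exc_type, exc, tb) -> bool:
        self.clear()          # runs on normal exit and on exceptions alike
        return False          # do not swallow the exception


def demo() -> dict:
    """Constructed demonstration: sign a request, then simulate a crash
    while a second secret is in use and confirm both are wiped."""
    results = {}
    token = SecretBuffer(b"constructed-example-token")   # constructed sample secret
    with token:
        results["tag"] = token.sign(b"GET /api/v1/items")
        results["log_line"] = f"calling upstream with {token}"   # stays redacted
    results["cleared_after_normal_exit"] = token.is_cleared()

    crashing = SecretBuffer(b"another-constructed-token")      # constructed sample secret
    try:
        with crashing:
            crashing.sign(b"payload")
            raise ValueError("simulated crash while the secret was in use")
    except ValueError:
        pass   # a crash handler would log here; the secret is already zeroed
    results["cleared_after_crash"] = crashing.is_cleared()
    return results


if __name__ == "__main__":
    print(demo())
```

The design choice worth copying is that the secret never leaves the buffer: the signing call reads the bytearray directly, so there is no stray immutable copy to hunt down afterwards, and the redacted representation means the object can appear in a log line or a traceback's local variables without leaking.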

Rotate Secrets

When a secret is compromised, damage is mitigated by reaching someone who can rotate the secret promptly. Consider adding an endpoints table to your documentation that records, for each secret issued by another team, who to contact to rotate it. See Cybersecurity, Endpoint and Data Stores Documentation Examples for more information.

When campus secrets have been compromised, the happiest DevOps staff were those able to immediately rotate the compromised secrets in a reliable, automated, and well-tested way. 

  • Use automation to rotate secrets, and test the rotation path before you need it during an incident.
  • Automated rotation prevents service outages: issue the new version while the old one stays valid for a short overlap window, then revoke the old version once every consumer has picked up the new one. A manual rotation that revokes the old value first breaks every client still using it.
  • We recommend rotating secrets at least every 90 days.
  • More sensitive secrets should be rotated more often.
  • When secret rotation becomes a burden, consider adopting a secret automation platform such as HashiCorp Vault, AWS Secrets Manager, or Azure Key Vault, which keep previous versions of a secret and can rotate on a schedule.
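As an added example, not from the original page and not the API of Vault, Secrets Manager or Key Vault, the following Python models the rotation pattern those platforms implement: an age-based policy, an automated rotation sweep, and a verifier that accepts the previous version only during a short overlap window. The tier names, the shorter ages for the sensitive tiers, the 24-hour overlap and the secret names are assumptions for illustration; the 90-day ceiling is the page's own recommendation.

```python
"""Age-based secret rotation with an overlap window, modelled offline.

Added example for this page; it is not code from the original article and
not the API of HashiCorp Vault, AWS Secrets Manager or Azure Key Vault,
although all three keep previous versions of a secret in the same spirit.
It shows why automated rotation avoids outages: the new version is issued
while the old one stays valid for a short overlap, and the old one is only
refused once the overlap has passed. The tier names, the per-tier ages
(90 days is the page's minimum; the shorter sensitive-tier values are
assumptions) and the 24-hour overlap are illustrative.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional
import secrets

# Assumed rotation schedule: never longer than the page's 90 days.
MAX_AGE_DAYS = {"standard": 90, "sensitive": 30, "critical": 7}
OVERLAP = timedelta(hours=24)   # how long the previous version stays accepted


def generate_value() -> str:
    """Fresh random secret: 32 bytes from the OS CSPRNG, URL-safe encoded."""
    return secrets.token_urlsafe(32)


@dataclass
class SecretVersion:
    value: str
    issued_at: datetime


@dataclass
class RotatingSecret:
    name: str
    tier: str
    current: SecretVersion
    previous: Optional[SecretVersion] = None
    rotated_at: Optional[datetime] = None

    def needs_rotation(self, now: datetime) -> bool:
        max_age = timedelta(days=MAX_AGE_DAYS[self.tier])
        return now - self.current.issued_at >= max_age

    def rotate(self, now: datetime) -> None:
        """Issue a new version but keep the old one for OVERLAP so clients
        that have not yet reloaded keep working."""
        self.previous = self.current
        self.current = SecretVersion(generate_value(), now)
        self.rotated_at = now

    def accepts(self, presented: str, now: datetime) -> bool:
        """Verifier side: the current value always, the previous value only
        inside the overlap window. Constant-time compare avoids leaking how
        many leading characters matched (both strings must be ASCII)."""
        if secrets.compare_digest(presented, self.current.value):
            return True
        in_overlap = (self.previous is not None and self.rotated_at is not None
                      and now - self.rotated_at < OVERLAP)
        return in_overlap and secrets.compare_digest(presented, self.previous.value)


def rotation_job(inventory: List[RotatingSecret], now: datetime) -> List[str]:
    """The automated sweep a scheduler would run daily: rotate everything
    overdue and return the names rotated. A real job would also push the
    new value to its consumers before the overlap expires."""
    rotated = []
    for s in inventory:
        if s.needs_rotation(now):
            s.rotate(now)
            rotated.append(s.name)
    return rotated


def demo() -> dict:
    """Constructed inventory: one overdue standard-tier secret and one
    sensitive-tier secret that is still inside its window."""
    now = datetime(2026, 1, 26, tzinfo=timezone.utc)   # constructed clock
    db = RotatingSecret("reporting-db-password", "standard",
                        SecretVersion("constructed-old-db-pass", now - timedelta(days=100)))
    api = RotatingSecret("payments-api-key", "sensitive",
                         SecretVersion("constructed-old-api-key", now - timedelta(days=10)))
    rotated = rotation_job([db, api], now)
    return {
        "rotated": rotated,
        "old_ok_in_overlap": db.accepts("constructed-old-db-pass", now + timedelta(hours=1)),
        "old_refused_after_overlap": db.accepts("constructed-old-db-pass", now + timedelta(hours=25)),
        "new_ok_after_overlap": db.accepts(db.current.value, now + timedelta(hours=25)),
        "untouched_still_valid": api.accepts("constructed-old-api-key", now),
    }


if __name__ == "__main__":
    print(demo())
```

Run it directly to see the sweep result. The important design choice is that accepts() refuses the previous value once the overlap has passed, so a consumer that never reloaded fails loudly at a known time instead of silently keeping a stale credential alive; and because rotation only ever adds a new version and lets the old one age out, the sweep can run unattended without a change window.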

General Resources



Keywords:
security, developer, sdlc, cybersecurity, devops, secdevops, secret management
Doc ID:
158070
Owned by:
Edward D. in University of Illinois Technology Services
Created:
2026-01-22
Updated:
2026-01-26
Sites:
University of Illinois Technology Services