We're all used to using our various usernames and passwords when we log into any of our online accounts. As the number of online accounts pile up, we realize there's a need to keep track of our personal credentials. If these passwords aren't managed properly, it becomes a serious distraction and cause of anxiety. Poor management of credentials leads to majority security risks that often gets shrugged off until something happens.
The same is true within the API space and the risks are greatly multiplied when engineers need to manage a list of API keys. The risk is compounded when poor practices lead to storing these secret keys in plain text on an engineer's computer, where it could accidentally git pushed to GitHub.
We can see an example of this with AWS API keys here (photo courtesy of HackerNoon):
As silly as that sounds, this happens more often than you may think. Here's just one example of what can happen when even a single engineer of a team improperly handles their keys: https://www.quora.com/My-AWS-account-was-hacked-and-I-have-a-50-000-bill-how-can-I-reduce-the-amount-I-need-to-pay
What happens when not just one private key is leaked? Potentially a whole file of keys with read & write access to online or internal services that store customer data, payment methods, and confidential information.
Common practice is to create a file (.env) for storing environmental variables in plain text for all your engineers to see. But there is no security, access control, or audit logs built-in. You don't know who is using your keys and when, unsuspected fraud slips all too often. This process is completely manual, very error-prone, and completely insecure.
As an overview, what are some ways that keys get leaked?
• Your API Key has accidentally been committed in your repository
• Your server got hacked and no keys were vaulted
• Lack of access control and built in trust layers among developers
• A former contractor or employee still has a file of active secret keys
• Unauthorized user got ahold of your secret keys
The security of your company's secrets rests in the hands of your engineers. The moment you have more than a single engineer, there starts to be growing worries around how to best keep your keys secure as well as how to keep engineers in sync as new api keys and secrets are added or modified. It becomes even more scary when engineers are off-boarded, but are leaving with the secrets file you gave them during their employment. Now think about a remote engineer that you never met who did contract work for you...
It's never too early to set up a solid foundation for maintaining the security of your keys and managing environments without the growing pains your company experiences when it's too late and/or too costly to do so.
It's 10 minutes to set up now, and will save you limitless days of headaches and pain later. Get Started with Doppler and your first 14 days are completely covered.