When the worst happens!

If you have read the news lately, then like many, you are probably on the edge of your seat: wondering whether your password or keys were part of the leaks, checking whether your repositories are even still there, or just concerned about the security of your applications.

The post-incident cost

What you do not hear about are the weeks and months companies spend after such events identifying and mitigating these issues. So why does it take so long? One of the root causes is that the manual processes companies use to share credentials securely also obscure their view of the impact a breach of secrets will have. Take the case of the recent Git breach. The cause has been identified as the storage of git keys in plain text on deployment of services. For a company that has hundreds of services deployed on various platforms and solutions, identifying the impacted sources, mitigating all sites, and then releasing a patch would naturally take weeks. And the longer the mitigation takes, the worse the damage to a company's reputation.

Solving the wrong problem

When something like the GitHub breach, the Docker Hub breach or the Uber GitHub breach happens, the first response after mitigation is to establish rules or processes to stop the practice that led to it, be it by storing encrypted keys rather than plain text or by using environment variables rather than git repositories. While these actions may prevent this particular type of breach, several other avenues remain, from locally stored credentials on developer laptops to plain human error such as committing unencrypted keys to the wrong place, just to name a few. Now if you add malicious intent and targeted attacks to the mix, it is a never-ending problem, with significant resources being expended every time.

Prepare for the worst

While we at ConfigTree advocate all such security practices and more, we believe in preparing for the worst-case scenario. The objective is to have a speedy identification and mitigation process, and a centralized application configuration management tool will help you get there. Our service behaves as a catalogue, on a per-application and per-environment basis, of the keys used within each application. Using our permission management system, you can easily lock them down to prevent any further access while you mitigate the issue. Since ConfigTree serves as a point of collaboration, the need to share configuration by other means is removed, resulting in fewer chances of insecure transmission.

Combined with security best practices, using ConfigTree not only helps you lower the risk of such security concerns, but in the event of a breach, helps you recover efficiently!