Unf*#k
your secrets

Secrets sprawl is the smoke before the fire. Here's the TL;DR you never knew you needed but always deserved.

Part 1 of 6

What are secrets?

Secrets are passwords for your code and infrastructure, typically used to authenticate to databases and SaaS services. It's almost impossible to build software applications without them. They often take many forms:

API Keys & Tokens

Common among SaaS providers (ex: Stripe) as the preferred method to authenticate to their API and SDKs.

sk_test_4eC39HqLyjWDarjtT1zdp7dc

Database URLs

Databases (ex: Postgres) prefer a username and password authentication method, which is often included in the connection url.

psql://<user>:<pass>@<host>/<db>

Encryption Keys & Certs

A key used in combination with an algorithm to transform plaintext into ciphertext (encryption) and vice versa (decryption).

tLyTq|MaJ<.{m,e7fR;4Z+ox/~>0$iASjuNRs+)]n)

SSH Keys

Pairs of public and private keys used to establish an encrypted communication channel with a remote server.

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAklOUpkDHrfHY17SbrmTIpNLTGK9Tjom/BWDSU

Privileged Credentials

Similar to SSH Keys, credentials are username and password pairings used to authenticate to an internal or external system.

<username> : <password>

Configuration

Key value pairings used to configure code on execution. While they aren't sensitive, they are used in the same way other secrets are.

ENABLE_EXPERIMENT_V2: true

Part 2 of 6

Why do secrets matter?

Unlike human passwords which grant access to an individual user's account, secrets often grant access to an entire organization's services. Most services enable developers to fully manage their offering through code and APIs accessed through secrets.

Most companies have a database, payment processor, and cloud infrastructure provider. Here are a couple of examples to bring the point home:

  • Database URL typically grants access to the entire database
  • API Key for a payment processor like Stripe which has manage permissions to all customer credit cards, banks, transactions, invoices, etc
  • Service Account Key with a cloud provider such as AWS can have direct access to all of your production infrastructure

In the wrong hands, the damage a single secret can enact is enormous as the data and actions it unlocks impact not only the company but its customers. Highly sophisticated attackers will attempt to leverage one compromised system to gain access to others, exponentially compounding your exposure.

Part 3 of 6

Do we have a sprawl problem?

Secrets are the literal keys to your data kingdom. It's critical your organization is able to answer these questions. If not, you have likely found a severe sprawl problem increasing your risk exposure every day it persists.

Where are all my secrets?

To protect your secrets, you must know where they are. This includes laptops, codebases, 3rd party tools, and your infrastructure.

Who has access?

Enforcing granular access controls and auditing accessed secrets are critical measures for preventing breaches.

Can I remediate a breach?

When a breach happens, you need to: isolate the leaked secrets, revoke them, and issue new ones without downtime.

Part 4 of 6

What's my risk exposure?

Drag the slider to guesstimate your number of secrets at risk by inputting your number of internal services, repositories, codebases, and/or projects.

50 projects
Avg Team Size

How many software engineers on average work on a project?

3 environments

Development, staging, and production

25 secrets

Average number of secrets per environment based on Doppler data.

7,500 secrets

Estimated count of at-risk secrets that are actively being used by your engineering team and infrastructure.

A malicious actor only needs one.

Part 5 of 6

What are the risks of a breach?

Companies are required by law to notify their customers after a breach, often leading to compounding events that are difficult to recover from.

Brand Reputation

Users trust the services they use with their data. When that data is lost or leaked, it can irrevocably break their trust.

Customer Churn

Customers pick the services they trust. When trust is lost, they often quickly find and switch to an alternative.

Unplanned Spend

Mounting costs from legal and public relations, to indemnity payouts and insurance premiums can break your financial projections.

Operational Distractions

Security teams need to reissue all secrets after a breach. Doing this manually often takes multiple months and service downtime.

Regulatory Scrutiny

Regulatory committees tasked with protecting it's citizens actively track high profile breaches and will take action when needed.

Litigation

Lacking proper secrets management may be consider negligence, opening the company up to litigation or even a class action lawsuit.

Part 6 of 6

Meet Doppler

The developer-first security platform that empowers teams to manage, orchestrate, and govern secrets at scale. It's maintenance-free and integrates with your infrastructure via our 50+ integrations.