It’s late in the afternoon on a Friday, and your coworker messages you about access they need to a system you’re working on. You are both almost done with your work for the week and want to go home. Instead of looping in a third or fourth person to update your coworker’s permissions for access to the service, or telling them how to track down the location of the secret in your secrets management service, you elect to send them the credentials they need in a private message.
Come Monday, the entire office is in a panic. Over the weekend, a hacker got into your system through a valid account, moved laterally into other internal systems, and exfiltrated sensitive client financial information. The culprit? Your coworker clicked on a phishing email that gave the hacker access to their computer, including the messaging service with the plaintext secret you sent.
This scenario is more common than you might think, and it plays out in organizations of every size. In July 2024, a group calling itself NullBulge published more than a terabyte of data it claims came from Disney's internal Slack archive. Among the leaked data? Login credentials, internal websites, and API details. Similarly, in June 2024, a major breach involving Snowflake exposed customer bank account details. Attackers reportedly gained access to a computer belonging to an employee of a Snowflake partner and used it to reach Snowflake's Jira, where they found credentials for accounts that weren't protected by MFA.
In these instances, the messaging service itself wasn't compromised; rather, the attackers gained access to a single machine that could read those messages. Any unauthorized access to internal Slack, Jira, or other collaboration tools is bad news, but it wouldn't have been nearly as catastrophic if live credentials hadn't been sitting in plaintext in those channels.
Compromised credentials are golden geese for hackers as they give free access to valid accounts within the system, allowing for easy lateral movement, defense disabling, privilege escalation, and data exfiltration. Sophos’ Active Adversary Report for Tech Leaders sheds some light on the numbers here:
According to the report, exploited vulnerabilities had historically been the leading root cause of attacks, but in the first six months of 2023 (the scope of this report), compromised credentials leading to abuse of valid accounts took the top spot with a whopping 50% of measured root causes, while exploited vulnerabilities came in at only 23%. Pair this with MFA not being configured in nearly 40% of the investigated breach cases, and the attack path becomes clear: steal a credential, log in as a legitimate user, and nothing stands in the way. The U.S. Cybersecurity and Infrastructure Security Agency likewise reported that more than half (54%) of initial access in the cases it studied came through valid accounts.
According to Bitwarden's 2024 Developer Survey, 60% of respondents were managing more than 100 secrets, and more than half were spending 10 or more hours a week on secrets management. If developers are spending a quarter or more of their workweek on secrets management alone, it's easy to see how they slip into more convenient habits, even insecure ones. Sharing credentials over Slack, Jira, or Teams is convenient and saves time when developers don't have a system that is both efficient and secure.
This isn't conjecture, either. The survey also noted that although 85% of developers used secrets management tools, 65% still hard-coded secrets in source code, and 55% shared secrets in plaintext via spreadsheets or messaging apps. Vulnerable development practices clearly aren't caused only by a lack of secrets management tools; the tools developers do have are not meeting their needs well enough to displace the shortcuts.
It doesn’t stop there, though. 96% of developers in the survey responded that continuous security training for development teams was Very Important or Extremely Important, yet nearly half also responded that they only undergo such training once a year or less. These gaps underlie both the lack of usable and efficient secrets management tools and the continued use of vulnerable practices like sharing secrets in plaintext messages.
This combination of many secrets, infrequent training, and unused secrets management tools adds up fast. In fact, 76% of respondents report having been impacted by a data breach in the last year, and 24% report substantial damage from data breaches.
Developers want solutions that are efficient, integrate quickly and immediately into their workflow, and are secure-by-design. This is particularly important in fast-paced development environments where resources are distributed based on platform necessity, with security posture often falling to the wayside.
Developers know what they want. 94% of respondents cited Secure-By-Design principles as Very or Extremely Important. They include in their requirements other critical metrics, like integration with existing systems, features that help meet industry and government compliance standards, scalability, usability, and cost implications.
Doppler inserts directly into your workflow with a host of SDK and other integrations and automatically syncs secrets across the team to ensure everyone is always up-to-date. It also fully integrates with VS Code with syntax highlighting and autocomplete features. Use VS Code split screens to see your secrets side-by-side with your code and quickly inspect your secrets by hovering over an environment variable.
Check out how Doppler's CLI can make injecting your secrets as environment variables at run time both secure and convenient. Because secrets arrive through the process environment rather than through code, the CLI is language-agnostic and works with any language, framework, or infrastructure. If you prefer coding in Vim or Emacs, Doppler's Terminal User Interface is a lazygit-style editor with all the familiar keybindings.
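To make the run-time injection pattern concrete, here is an added example (not Doppler's own code, and not from the original post). The application reads its secrets from the process environment, refuses to start if any are missing instead of falling back to a hard-coded default, redacts secret values from anything it logs so they can't end up pasted into a chat or ticket, and includes a small scanner of the kind you'd run in a pre-commit hook to catch the hard-coded secrets the survey describes. The secret names (DATABASE_URL, STRIPE_API_KEY), the sample source text, and the key-shaped literals are all constructed for this illustration; the `doppler run -- <command>` invocation is how the Doppler CLI injects secrets into a child process's environment.

```python
"""Read secrets from the process environment at run time, never from source or chat.

Added example, not Doppler's own code. The secret names below are hypothetical.
With the Doppler CLI the app is launched as:   doppler run -- python app.py
`doppler run` injects the configured secrets into the child's environment, so
the code itself never contains or looks up a secret value.
"""
import os
import re
import sys
from typing import Mapping

# The anti-pattern: a credential literal in source. Constructed, not a real key.
# Anything shaped like this ends up in git history, CI logs and chat pastes.
HARDCODED_EXAMPLE = 'API_KEY = "sk_live_51HExampleNotARealKey0000000000"'


class MissingSecret(RuntimeError):
    """Raised when a required secret is absent; the app refuses to start."""


def load_secrets(env: Mapping[str, str], required: tuple[str, ...]) -> dict[str, str]:
    """Pull required secrets from the environment and fail closed on any gap.

    There is deliberately no default value: an empty or missing variable is an
    error rather than a silent fallback, so a misconfigured deployment cannot
    limp along on a stale or shared credential.
    """
    missing = [name for name in required if not env.get(name)]
    if missing:
        raise MissingSecret(
            "missing secrets: " + ", ".join(missing)
            + " (launch under `doppler run -- ...` or export them from your secrets manager)"
        )
    return {name: env[name] for name in required}


def redact(text: str, secrets: Mapping[str, str]) -> str:
    """Mask secret values in log or error text so they cannot leak into tickets or chat."""
    for name, value in secrets.items():
        if value:
            text = text.replace(value, f"<{name}:redacted>")
    return text


# A few common credential shapes; a real scanner keeps a much longer list.
SECRET_PATTERNS = [
    re.compile(r"\bAKIA[0-9A-Z]{16}\b"),                   # AWS access key id
    re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{20,}\b"),  # Stripe-style secret key
    re.compile(r"\bghp_[0-9A-Za-z]{36}\b"),                # GitHub personal access token
    re.compile(r"(?i)(?:password|secret|api[_-]?key)\s*=\s*['\"][^'\"]{8,}['\"]"),
]


def find_hardcoded_secrets(source: str) -> list[tuple[int, str]]:
    """Return (line_number, line) for lines that look like embedded credentials.

    Suitable as a pre-commit or CI gate. It flags candidates for a human to
    check; it does not prove a line is a live secret.
    """
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if any(p.search(line) for p in SECRET_PATTERNS):
            hits.append((lineno, line.strip()))
    return hits


def main() -> int:
    try:
        secrets = load_secrets(os.environ, ("DATABASE_URL", "STRIPE_API_KEY"))
    except MissingSecret as exc:
        print(exc, file=sys.stderr)
        return 2
    # Even a debug line goes through redact(), so the DSN never hits a log.
    print(redact(f"connecting with {secrets['DATABASE_URL']}", secrets))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run without the environment variables set and the process exits with a clear error instead of starting on a missing or default credential; run under `doppler run -- python app.py` (or with the variables exported from any secrets manager) and it starts normally. Wiring `find_hardcoded_secrets` into a pre-commit hook is the cheap way to catch the 65% case before a key ever reaches the repository.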
Doppler isn’t a one-size fits all, either. Custom workflows allow your business to tailor your secrets management solution to fit your specific compliance needs, with flexible configuration options for teams of any size.
Secure secrets management is a significant component of industry, national, and international data privacy regulations. SOC 2 and ISO requirements like dynamic secrets, automatic rotation, and encryption at rest and in transit are straightforward to meet with Doppler's features, and comprehensive logging and reporting let you conduct in-depth audits.
Combining Doppler’s features with frequent developer education can considerably improve security posture. If you’d like to find out if Doppler is the right solution to improve security for your team, check out a more in-depth look at Doppler’s features!
Trusted by the world’s best DevOps and security teams. Doppler is the secrets manager developers love.