From maintenance to innovation: The cultural impact of managed secrets

From maintenance to innovation

Secrets management is here to stay. It’s already essential to the standard operating procedure in the modern tech industry, especially sectors concerned with protected information (MedTech, FinTech). Government and industry regulations necessitate proper handling of secrets to achieve compliance. Across all fields, practices like secrets rotation are generally understood to improve security posture.

Solutions for secrets management differ widely, from in-house to professional secrets managers. First and foremost, a secrets management solution must be secure. Secrets are called secrets for a reason, they are only supposed to be accessed by the right entities at the right times. Secrets management solutions should include encrypted, centralized storage to prevent unauthorized access to sensitive information.

Secrets management isn’t just about security, though. Solutions need to be effective and efficient, or they raise a whole host of problems.

The problem with inefficiency

According to Bitwarden’s 2024 Developer Survey, 60% of respondents managed more than 100 secrets, and more than half spent 10 or more hours a week just on secrets management. If developers spend a quarter or more of their workweek on secrets management, how often might they turn to less secure practices?

Here’s how often: although 85% of developers used secrets management tools, 65% still hard-coded their secrets in source code, and 55% shared secrets via plaintext in spreadsheets or messaging apps. Sharing credentials over messaging services like Slack, Jira, or Teams is incredibly convenient for quick access, and saves developers time in the absence of an efficient system to use, but it’s among the leading causes of data breaches.

Sharing secrets over insecure channels is more common than you might think, and it happens in organizations of every size. In July 2024, a hacking group published more than a terabyte of data it claimed was from Disney’s internal Slack archive. Included in the leaked data were login credentials, internal websites, and APIs. Similarly, in June 2024, a major breach at Snowflake exposed customer bank account details. Hackers gained access to a computer belonging to an employee of a Snowflake partner and accessed Snowflake’s Jira to find credentials for unprotected accounts. In these instances, the messaging service itself wasn't compromised, rather the hackers gained access to a computer that could view those messages.

Inefficient tools lead to insecure habits

It’s tempting to consider this an issue of education or discipline. Had the developers sharing their secrets in plaintext been trained about how easy they were to acquire, or had they been disciplined enough to use their clunky, but secure secrets management system every time, these issues would’ve been avoided. There’s some truth to that. It isn’t the whole truth, though. Why do developers avoid their secrets managers?

Developers know what they want. 94% of survey respondents cited Secure-By-Design principles as Very or Extremely Important. They include in their requirements other critical requirements, like integration with existing systems, features that help meet compliance standards, scalability, usability, and cost implications. It isn’t that developers don’t want to use secrets management systems, but that their current secrets managers are inefficient.

What If secrets management empowered developers?

A secrets management solution must be secure. Without security, secrets aren’t secret anymore. So what about the other metrics? These are the performance metrics of secrets management that affect the rest of the workflow:

Time

Every manual action in secrets management takes time. In a fast-paced development environment, developers must remain up-to-date with the secrets of their team, project, and environment, or they risk errors associated with mismatched secrets.

Reliability

A secrets management solution needs to work every time. If 99% of secrets are protected and encrypted, a hacker may still use the remaining secrets to wreak havoc across the platform.

Satisfaction

Developers are people too! Poor secrets management solutions lead to frustration, which can lead to decreased performance and burnout. Keeping developers satisfied means equipping them with tools that support their work, not hinder it.

A practical example

A dozen developers working together use .env files to load their secrets before application runtime. Any time a secret is created, altered, or removed, this .env file must be updated across every developer or version mismatches will break their build. In self-hosted solutions, sharing this file is manual. A developer distributes the new file using a (hopefully) secure channel, and other developers update their own to correspond. Development is paused until everyone is updated appropriately.

At best, this is inefficient, but it also introduces plenty of risks. Some are security risks (hackers intercepting files in transit); others include developer frustration (debugging time for version mismatch, developer error in the update process). Manual action takes time and is unreliable. Debugging, pausing, and updating are unsatisfying, more so if these issues are easily avoidable.

A professional secrets management solution has built-in tools for this practice. If a developer adds or alters a secret in a Doppler Config (a more versatile replacement for the .env), this secret can be automatically distributed or updated across any or all developers in any or all selected environments. Tools like these immediately remove the time spent manually updating. The feature saves time, is reliable, and removes obstacles to developer satisfaction.

Efficiency begets innovation

Managing secrets isn’t where inspiration comes from. It’s necessary, but it isn’t a part of the SPACE framework, DORA metrics, or any other developer efficiency and satisfaction measure. The best secrets manager is one that isn’t a chore, it’s a solution that is secure by design and doesn’t get in the developer’s way, so they can focus on those long stretches of flow-state which many credit for their best work. Shifting from self-hosted secrets management solutions to professionally managed solutions reduces the frustration that leads to developer burnout and improves collaborative ability.

Doppler supports your team today and as you scale

Professional secrets management solutions like Doppler can make your life easier. They work alongside development tools and their parent companies, such as AWS, Terraform, Kubernetes, GitHub, Okta, Azure, and more, to ensure their users can work in their preferred development environment.

.As services evolve, teams grow, integrations expand, new tools are introduced, or platform hosts change entirely, secrets management solutions must adapt to stay functional and relevant. Managed solutions perform this update for you, so your team can spend more time on innovation.

Doppler already fits directly into your CI/CD pipeline with its extensive host of integrations, and its development team will ensure it continues to work optimally with your preferred development tools and environments well into the future.

Doppler offers a suite of features that ensure secrets management is as secure as it is efficient. Check out a free demo to see if Doppler is the right fit for your team now and as you scale.