You are probably here because you leaked a secret somewhere and want to get straight to rotating it.
If you are a solo developer or you know for sure you are the only user of the secret and understand what rotating the secret might disrupt, start here: Rotate the secret and store the new credential safely.
When a secret leak occurs, no matter what form it takes, your first instinct is likely to rotate the affected secret immediately. A well-ordered response has three steps:
1. Find out what will break when you rotate the secret.
2. Rotate the secret and store the new credential safely.
3. Review the incident and create an action plan to avoid further secret leakage.
Ideally, you and your security team have already made a step-by-step plan: gather data, evaluate the secret and the systems it impacts, check whether the credential has been used in an unauthorized way, and then rotate the secret in the way that causes the least disruption.
Let's walk through the elements of a good secrets incident response plan in more detail.
You can quickly check whether the secret has been leaked on public GitHub by using HasMySecretLeaked from GitGuardian.
You submit only part of the secret's hash, and the service checks whether that fingerprint matches any of the more than 20 million secrets we have identified from our years of research into public GitHub commits.
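The following is an added illustration of the hash-prefix lookup pattern described above, written for this page; it is not GitGuardian's code or API, and the service class, the prefix length and the sample "leaked" values are all constructed assumptions. The point it demonstrates is that the secret is hashed locally, only a prefix of the hash is submitted, and the final match is decided on the client.

```python
import hashlib
from typing import Iterable

# Constructed sample values standing in for secrets a lookup service already
# knows to be leaked. They are not real credentials.
_SAMPLE_LEAKED_SECRETS = [
    "example-db-password-leaked-0001",
    "example-api-token-leaked-0002",
]

PREFIX_LEN = 6  # assumed: how many hex characters of the hash are submitted


def fingerprint(secret: str) -> str:
    """Hash the secret locally; the plaintext never leaves the machine."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


class FingerprintService:
    """Hypothetical stand-in for a remote lookup service. It stores only full
    fingerprints and answers a prefix query with every fingerprint that shares
    that prefix, so it never learns which one the caller actually holds."""

    def __init__(self, leaked_secrets: Iterable[str]):
        self._fingerprints = {fingerprint(s) for s in leaked_secrets}

    def query(self, prefix: str) -> set[str]:
        if len(prefix) != PREFIX_LEN:
            raise ValueError("only a fixed-length prefix may be submitted")
        return {fp for fp in self._fingerprints if fp.startswith(prefix)}


def has_leaked(secret: str, service: FingerprintService) -> bool:
    """Return True if the secret's full fingerprint is in the service's set."""
    fp = fingerprint(secret)
    candidates = service.query(fp[:PREFIX_LEN])
    # The full comparison happens here, client side.
    return fp in candidates


if __name__ == "__main__":
    svc = FingerprintService(_SAMPLE_LEAKED_SECRETS)
    print(has_leaked("example-db-password-leaked-0001", svc))  # True
    print(has_leaked("never-leaked-secret", svc))               # False
```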
It is vital to understand the impact of a secret rotation, since the cost of downtime can sometimes exceed the risk that some types of secret leak actually pose.
Rotating a secret means invalidating the old secret and replacing it with a new one.
There are several things to consider when rotating a secret.
How you revoke any specific secret will depend on the system itself and the secrets management policies you have in place.
If you rotate a secret and simply hardcode the new credential again, you will be right back where you started.
Before you revoke anything, you need to have a plan to store and access the new secret properly.
If you are already using a vault system like HashiCorp Vault, CyberArk, AWS Secrets Manager, or Azure Key Vault, and a single occurrence of the secret was just accidentally pasted into your code, then you are ready to proceed.
There is a chance the secret already exists in your shared vault system.
If you are going through a secret leak incident for the first time, it is time to formalize your incident response plan.
Revoking a secret without knowing the ramifications can turn a minor incident into a full-blown outage.
This Cyber News was published on feeds.dzone.com. Publication date: Sat, 02 Dec 2023 22:43:05 +0000