Original Article

There’s always a balancing act when it comes to building and deploying cloud-native applications in environments like Amazon Web Services (AWS). The whole point of moving production to the cloud is that developers can move faster than ever before, innovating and shipping new features on a daily basis. But that same speed can be an organization’s downfall if development outpaces security processes and accidentally exposes secrets or other credentials to potential attackers.

On the one hand, you’ve got 71% of organizations developing and deploying cloud-native apps, according to the Enterprise Strategy Group’s (ESG) 2023 Technology Spending Intentions Survey. On the other hand, 70% of organizations from another ESG report believe they have more than 50 secrets embedded just in their Git repositories, and 31% experienced a cybersecurity incident where secrets were stolen from a source code repository. Hard-coded secrets or secrets that aren’t properly rotated or revoked can become vulnerabilities that cyberattackers can exploit to gain access to an organization’s critical systems and resources…

The Cyber Hut Comment: A consequence of having a cloud-first strategy for both infrastructure management and applications deployment, is how to handle secrets. Secrets for APIs, microservices and any non-person related identity. Where do they get stored (at run time and at rest), how are they generated, issued, revoked and management?