Nov 5, 2020
Secret storage and proliferation represent major risks to secure enterprise software development, yet secure secret management is essential for most authentication mechanisms. Despite best efforts at educating engineers to use secret management solutions, secrets are consistently stored improperly (e.g. in source code). Additionally, using secrets to implement auth controls is often non-trivial, and pushing that work to product developers increases the likelihood of misconfiguration. We present an architecture in which a single gateway brokers connections to and from external services. The gateway can be reached internally using common internal authentication mechanisms (e.g. mTLS or “secretless” mechanisms based on cloud identities), so that developers need only consider one type of authentication mechanism. By having one gateway built and managed by the security team, we eliminate many of the common cases of developers storing secrets, which significantly reduces secret management risk. Additionally, our approach abstracts authentication implementations, enforces least privilege, provides centrally auditable access controls, and reduces developer complexity. This session shares lessons learned and an open source design for Snap Inc’s external service gateway.
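The broker pattern the abstract describes, as an added example that is not Snap's gateway code: the gateway identifies the internal caller from the URI SAN of its mTLS client certificate, checks a deny-by-default policy mapping that identity to the external services it may reach, injects the upstream credential it alone holds, and records every decision centrally. The identity prefix, policy entries, hostnames and credential values are constructed placeholders.

```python
from dataclasses import dataclass
import time

# Constructed identity scheme: workload identities are URI SANs under this prefix,
# as presented over mTLS (a cloud workload identity could be mapped the same way).
TRUSTED_ID_PREFIX = "spiffe://internal.example/"

# Constructed policy table: caller identity -> external services it may reach.
# Anything not listed is denied; callers never learn the upstream secret.
POLICY = {
    TRUSTED_ID_PREFIX + "payments-svc": {"stripe"},
    TRUSTED_ID_PREFIX + "notify-svc": {"twilio"},
}

# Constructed credential store, populated and rotated by the security team only.
UPSTREAM_CREDENTIALS = {
    "stripe": ("Authorization", "Bearer sk_CONSTRUCTED_PLACEHOLDER"),
    "twilio": ("Authorization", "Basic CONSTRUCTED_PLACEHOLDER"),
}
UPSTREAM_BASE = {"stripe": "https://api.stripe.example",
                 "twilio": "https://api.twilio.example"}

AUDIT_LOG = []  # central, append-only record of every brokered decision


class GatewayDenied(Exception):
    pass


@dataclass
class UpstreamRequest:
    url: str
    headers: dict


def broker(uri_sans, service, path, caller_headers):
    """Authorize the internal caller, inject the upstream credential, and audit."""
    # The first trusted URI SAN is the workload identity; no match means unknown caller.
    caller = next((s for s in uri_sans if s.startswith(TRUSTED_ID_PREFIX)), None)
    allowed = caller is not None and service in POLICY.get(caller, set())
    AUDIT_LOG.append({"ts": time.time(), "caller": caller or "unknown", "service": service,
                      "path": path, "decision": "allow" if allowed else "deny"})
    if not allowed:
        raise GatewayDenied(f"{caller or 'unknown caller'} may not reach {service}")
    # Drop any credential the caller supplied: only the gateway-held secret goes upstream.
    headers = {k: v for k, v in caller_headers.items() if k.lower() != "authorization"}
    header, value = UPSTREAM_CREDENTIALS[service]
    headers[header] = value
    return UpstreamRequest(url=UPSTREAM_BASE[service] + path, headers=headers)
```

Because the secret is attached only inside `broker`, a product service holds nothing worth leaking, and the audit log answers "which workload reached which provider, and when" from one place.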
Inclusive product security conference that attracts builders and defenders from around the world.