HashiCorp’s Radar Scans Repos, Commits and Pulls for Leaks
SAP Principal Engineer Dale Ragan wanted to achieve two goals with a security management solution:
- He wanted to hide the plumbing of security from developers.
- He wanted to reduce the friction of signing PKIs for his engineers within Concur, SAP’s cloud-based travel and expense management solution. It runs in a service mesh with Kubernetes.
“You had a perfect slide yesterday where you were showing underneath the kitchen sink — we wanted to remove that,” he told HashiCorp co-founder and CTO Armon Dadgar Wednesday, during Dadger’s keynote on Tuesday’s launch of HashiConf in Boston. “We wanted to enable our engineers for that self-service model and remove all the underneath stuff that they don’t care about. They just want to be able to take a certificate, call their dependency and get a response.”
But the free version of Vault, which is a security management solution that protects sensitive data, was “like the Wild West,” in that it wasn’t prescriptive, he said. Engineers would use it … or not.
SAP’s use case highlighted two new features in HCP Vault Secrets — auto-rotation, which is now generally available and automatically changes logins and certificates on a scheduled basis, and dynamic secrets, which will generate single-use passwords and logins every time and is in public beta. The company also announced dynamic cloud credentials for HCP Terraform is now in public beta and supports secrets lifecycle management for enterprises.
“HCP TerraForm doesn’t need to use long-lived cloud credentials,” Dadgar said. “Instead, it can use HCP Vault Secrets as a broker to generate a dynamic credential every time it needs for a plan-apply cycle. And that way, we can move away from long-lived credentials, move to very short-lived, tightly scoped, temporary credentials, and not have to worry about persistent access.”
So far, SAP has used the tool to sign over 2,100 certificates and retrieve 8,000 secrets, taking around 12 to 14 database credentials.
“You’re talking 10s of 1000s certificates a day, 1000s of database credential rotations on a monthly basis. For a lot of organizations, what we see is that those are manual activities, right?” Dadgar said to Ragan. “How much developer toil, effectively, did you manage to offload?”
“It’s countless hours,” Ragan responded. “You can’t even make a number up.”
Loose Lips Sink Ships and Other Problems With Secrets
During Dadgar’s keynote Wednesday at HashiConf, he focused on the company’s new security lifecycle management offerings. But first, he outlined what he sees as the three stages of security:
- Reactive, which gives developers carte blanche but doesn’t remove risk, and puts security teams in the position of playing Whac-A-Mole with vulnerabilities;
- Gatekeeping, which locks down developers and restricts their autonomy but reduces risk;
- Security is integrated into automation, which represents the best of both worlds by making security automation within developers’ workflow.
“We want the developer self-service,” he said. “We want application teams to have the freedom and autonomy to deliver their apps, but we want security integrated into that process versus trying to bolt it on afterward.”
One problem that has to be addressed, though, is what he called “secret sprawl,” which is where credentials end up everywhere — potentially in Git repositories, Slack, email and even Excel spreadsheets.
To address that problem, HashiCorp introduced Vault Radar in an early access program last fall. As of this week, it’s available in public beta. Radar connects to all the different collaboration systems and scans them continuously to identify and find secrets. The agent runs locally on an organization’s private networks, whether in the cloud or an on-premises data center, Dadgar added.
It also scans as developers interact with version control, starting with the developers’ workstation before they’ve done a commit, he said. It scans before pull requests as well and can scan existing repositories to find secrets.
“One of the things we’ve consistently seen throughout the private beta was, if you think we’re going to find 500 credentials, I promise we’ll find 5,000,” Dadgar told the audience.
Another new feature for Vault Secret is correlation, which basically maintains an index of all secrets and credentials that you have in Vault. It works with with Radar, which as it scans for secrets, compares the findings against that Vault index, he said.
“If we can then correlate that into access logs, we can get a much better sense of where did that secret come from,” he said, which can help managers tell managers identify practices that might put the organization at risk and provide prescriptive feedback about how to avoid security issues in the future.
To that end, HashiCorp introduced remediation guides to support prescriptive feedback. They are surfaced alongside any secret discoveries, he added.
“You can actually provide users very specific guidance on how they should remediate that,” he said. “You might say, for an Amazon secret, we’re going to do it this way. For a certificate, we’ll do it a different way.”
Vault 1.18
Vault 1.18 was released Tuesday, with enhancements to ease of use, reliability at scale and support for industry standards PKI CMP V2 and IPV6.
One ease-of-use feature added over the last few releases is event systems.
“Rather than having to have clients pull vault to detect any changes, you can actually subscribe to an event screen when a secret is created, updated, deleted, revoked, etc., and this allows you to react and realize these things,” he said. “For example, the Vault secret operator for Kubernetes watches these event screens and can proactively trigger rolling deploys if you change the secret that an application depends on.”
Correction Oct. 21, 2024: Fixed Armon Dadgar’s last name in graph where it was misspelled below the subtitle, Loose Lips Sink Ships and Other Problems with Secrets.
