Managing Team Secrets Effectively
Jakob Holderbaum works as a Consultant and Developer at ThoughtWorks, helping companies on their way to a more agile and user-focused way of developing software and/or hardware. He enjoys being a mentor to others and loves to learn through intensive collaboration.
Things you hear him saying or doing very often:
- Test Automation
- Pair Programming
- Test Early Approaches like TDD
“Every achievement in my life was supported and enabled by great mentors and teachers that supported me whenever it mattered most. I think it is everyone's responsibility to give away the knowledge that was shared in order to enable others on their own way.” – Jakob Holderbaum
People did a great job in making our deployments secure. We already use automated and secured build pipelines, and our clusters and VMs are locked down.
But there is another integral part which often does not get the appropriate attention: the local developer workflow. Whenever we integrate with third-party APIs or multiple services, credentials of some form are necessary. Storing these passwords in plaintext inside a GitHub repository clearly won't serve the purpose. But would an on-premises hosted wiki be safe enough? Or passing around a sticky note with a handwritten password on it?
Any secret that's ever written to disk or on paper is another attack vector. Not just on production servers or continuous integration, but also in the developer workflow. If your unencrypted laptop gets stolen or your private source code repository turns out to be not so private after all, you'd hope your project's secrets wouldn't be compromised.
In this hands-on talk I will show the way we approached this challenge in real-world projects using a few simple and automation-friendly command-line tools.