
Secrets Management

Learn how to manage sensitive information hosted in both cloud-native and traditional server environments

Training Objective and Course Overview

Secrets are an integral aspect of Cloud-Native Application Environments. Secrets such as passwords, API keys,
encryption keys and secure configuration parameters are critical for applications to function. In addition, secrets
are a pathway to sensitive information, including PII, ePHI, financial information and so forth. With the rise of
Cloud-Native Deployment Environments like Public Cloud IaaS, Serverless Deployments, Containerized
Deployments with Kubernetes and so on, secrets end up being largely the opposite of what they are meant to
be. Secret sprawl, hardcoded secrets and secrets in source code repos are some of the common issues seen
within organizations.

The aim of this program is to delve deep into managing secrets and sensitive information across various
technologies that are popular with Cloud Native environments.

What attendees will learn

Secrets of Secrets Management is a training that delves deep into managing secrets and sensitive information across various technologies that are popular with Cloud Native environments. We will look at some common security mistakes and antipatterns and explore the various tools, techniques and approaches to securing secrets and sensitive information in cloud-native environments like AWS and Kubernetes, and in traditional server environments. This program will also do a deep-dive into GitOps and secrets management, including Dynamic Secrets in DevOps pipelines and CI/CD Environments.

HashiCorp Vault has emerged as one of the most popular and versatile Secrets Management Tools out there. Vault is a leading Open-Source Secrets and Key Management product that comes with a plethora of capabilities like comprehensive secrets management, access control, key management, encryption, and audit logs. In this class, we'll be doing a hands-on deep-dive into managing secrets and encryption with HashiCorp Vault. You will be working to deploy Vault, learn its many features and integrate it into real-world applications. This training is meant to be practical and heavily hands-on.

Training Variants

  • Intro to Secrets Management - A Case for a structured approach to managing secrets
  • Secrets vs Sensitive Information - A Distinction and varied Threat Model
  • Secret Management Fails
  • Hands-on view of Vulnerable Secrets Management Implementations
      • Secrets in Source-Control and how Git never forgets => A detailed technical and hands-on view of why secrets are so hard to erase from Git repos
      • Secret sprawl from insecure Infrastructure-as-Code Implementations => Hands-on examples with Terraform State files, provisioning scripts, env files, Dockerfiles, Kubernetes YAMLs and so on
      • Finding secrets with tools like TruffleHog, Git-Secrets, Kubesec, Google and Git Dorks, Shodan, etc. (Red Team/Pentest Perspective)
      • Finding Secrets in Runtime Environments: Leveraging Application or IAM flaws to find secrets and leverage secrets for Information Disclosure and Elevation of Privileges:
  • Centralization of Secrets
  • Access Control Management to Secrets
  • Dynamic Secrets
  • Encryption at rest and in transit
  • Auditability of secrets management
  • Introduction to HashiCorp Vault and its API
  • Dynamic Secrets with Vault => Using Dynamic Secrets for short-term leases for databases
  • Authentication and Access Control Management to Vault
  • AWS KMS Hands-on and Deep-Dive
      • Key Rotation of Amazon KMS with Lambda functions
      • AWS Secrets Manager Deep dive
      • AWS Systems Manager - SSM for Secrets Management
      • Detecting compromised credentials with AWS GuardDuty
      • Integrating Vault with AWS KMS
      • Leveraging CloudTrail and CloudWatch for Auditing KMS and Secrets Management
  • The misnomer of “Secrets” in Kubernetes
      • Hands-on secrets management for Kubernetes Secrets Management Solutions:
  • Protecting Secrets in Git Repos:
      • Hands-on: Secure-er CI/CD Pipelines with Dynamic Secrets with Jenkins/GitLab
      • Hands-on: Secure-er Cloud Native CI/CD with K8s + secrets
      • Leveraging Docker and Serverless to identify secrets where they aren’t supposed to be
  • Intro to Secrets Management - A Case for a structured approach to managing secrets
  • Secrets vs Sensitive Information - A Distinction and varied Threat Model
  • Secret Management in GitOps fails
  • Real-world incidents that were caused extensively by bad secrets management
  • Centralization of Secrets
  • Access Control Management to Secrets
  • Dynamic Secrets
  • Encryption at rest and in transit
  • Auditability of secrets management
  • Introduction to HashiCorp Vault and its API
  • Deploying Vault in Prod
  • Managing Secrets with Vault => Key-Value Secrets
  • Encryption, Key Rotation and Rewrapping with Vault Transit Secrets Engine
  • Dynamic Secrets with Vault => Using Dynamic Secrets for short-term leases for databases
  • Authentication and Access Control Management to Vault : Secure Token Generation with Vault
  • Vault Audit Capabilities
  • Vault Seal/Unseal concepts

Conference Features

Our Application Security and Cloud Security programs are a regular feature at marquee application security conferences across the world.

Frequently Asked Questions

What are the pre-requisites to take this course?

Basic understanding of Cloud Services (AWS) and DevOps (Principles, Tools and High-Level Concepts). Working knowledge of Containerized Deployments and Kubernetes. Familiarity with the Linux command line is preferred.

Who is this training aimed at?

The core objective of this course is to help product teams keep sensitive information secure. This course would therefore be beneficial to developers, DevOps professionals, Info/App Security professionals, security architects and security engineers, especially AppSec engineers.

Dates Coming Soon!

Secrets of Secrets
Masterclass

2 Days
(7 Hours per day)

$850
