Secrets and Sprawls 101

Adam Cheriki, Co-founder & CTO, Entro
March 7, 2023

What are secrets?

In the world of software development, secrets are a critical part of securing applications and systems. At their core, secrets are sensitive information that needs to be kept private. This includes passwords, API keys, security certificates, and other credentials that grant access to essential data and systems.

One reason secrets are so important is that modern applications are built using many different parts that must work together, including cloud infrastructure, databases, and external services such as Stripe, Slack, Splunk, and more.  Secrets are the keys that tie all of these different parts together and create a secure connection between each and every component.

To securely connect an e-commerce website to Stripe, the website needs an API key, which is a type of secret. This API key is used to authenticate the website and ensure only authorized requests are sent to Stripe. If the API key falls into the wrong hands, an attacker could access sensitive customer information.

Ok, so what do secrets look like?

Secrets can take many different forms, but they are typically long and random strings of characters that are difficult to guess. Some API keys might include prefixes or suffixes to help identify them, but most secrets are entirely randomized.


What is secrets sprawl, and why is it a threat?

To protect against unauthorized access to secrets, It is essential to have strong security practices in place. This includes encryption, access controls, and monitoring for suspicious activity. In addition, secrets should be rotated regularly to ensure that any compromised secrets are no longer valid.

When there is a security incident involving a secret, it means that someone unauthorized may have gained access to it. This is a big deal because secrets are often used to access other parts of the system. For example, if an attacker gains access to an API key, they can use it to access a database or other external service and create more secrets and permissions.

When a security incident occurs, responding quickly to limit the damage is essential. This might involve revoking the compromised secret, resetting it, or taking other steps to secure the affected systems.

In many cases, a security incident involving a secret will involve multiple occurrences of that secret across different solutions and repositories. Each occurrence represents a different location where the secret was identified. The sprawl’s magnitude correlates to the number of occurrences and the amount of work needed to redistribute the secret after it has been rotated.

This sprawl of secrets across different parts of the system is sometimes called  “secrets sprawl.” Secrets sprawl can be a big problem because it makes tracking and securing all secrets harder. If an attacker gains access to one secret, they may be able to use it to access other secrets scattered throughout the system.

To prevent secrets sprawl, having good visibility and control over the distribution of secrets is vital. This might involve using a secrets management system to centralize the different secrets storages and distribution of vaults and secrets. A secrets management system can help ensure that secrets are only accessible to authorized users and applications and are regularly rotated. To fix secrets sprawls requires a strong understanding of the threat landscape and a secrets management tool to help you find, secure, and resole the sprawls.

One of the biggest threats associated with secrets sprawl is the increase in the “attack surface.” The attack surface refers to the number of points where an unauthorized user could gain access to a system or data. Each time a secret is saved, sent, or stored, it is another point where an attacker could gain access to the secrets.

In addition, when secrets are scattered across multiple systems, ensuring they are adequately secured becomes harder. For example, if a secret is sent over Slack to a peer developer or saved within a confluence page as part of a manual, it’s exposed to everyone.


What can I do?

To minimize the risk of a security breach, follow good security practices when working with secrets. A secrets management tool can help you prevent secrets sprawl by centralizing and automating the distribution of secrets to various systems. This ensures that secrets are never hardcoded in source code, sent over email, or stored insecurely in unapproved locations.

Another essential aspect of secrets management is to monitor secrets usage for potential security breaches. This includes tracking who is accessing secrets and when and looking for unusual patterns or behavior. By monitoring secrets usage, you can quickly detect and respond to potential security threats.

Finally, it’s important to educate developers and other team members on best practices for secrets management. This includes teaching them how to securely store and use secrets and the importance of monitoring secrets usage.


In conclusion

Secrets management is a critical aspect of modern software development. As applications become more complex and rely on a growing number of independent building blocks, the management of secrets becomes increasingly essential to ensure systems and data security. Organizations can protect their sensitive data from devastating breaches and attacks by centralizing the distribution of secrets, regularly rotating secrets, monitoring secrets usage, and educating team members on best practices.

Contact us to learn more about securing secrets.

Reclaim control over your secrets

Get updates

All secret security right in your inbox

Want full security oversight?

See the Entro platform in action