Enabling Engineering Teams Through Developer-First Secrets Management

Secrets management is a challenge that every organization must tackle, from large enterprises to small development teams. The larger the organization, the more secrets tend to sprawl and the more friction and toil engineering teams feel in organizational processes. While a number of tools and products exist to provide solutions to secrets management, each incurs its own security or logistical tradeoffs. There is no universal solution for secrets management that every organization should adopt, but there are common patterns that most organizations evolve through. For enterprises that want to integrate security controls into an engineering organization of hundreds of developers, a pattern modeled on a developer-first security approach is essential to match the speed and scale of modern businesses.

Currently, “shifting security left” is the hot trend to scale security activities into engineering practices in modern organizations. Shifting security left attempts to improve security feedback lifecycles by inserting security activities earlier in developer workflows. The goal is to enable developers to catch security problems early and fix them when it is “cheaper” – during development, before the problem reaches the production environment.

However, for many organizations the shift left model is not producing meaningful results. Security teams are attempting to institute a cultural shift within engineering organizations without making requisite cultural changes inside the security program. They are certainly adding a lot of new security work for engineering teams – but these activities are not meaningfully impacting the risk posture of the business.

Shift-left security organizations abdicate ownership of the logistical complexities of integrating security initiatives into development workflows. They throw security signals at developers and make engineering teams accountable for figuring out how to juggle these concerns alongside their product, testing, and infrastructure responsibilities. Nick Liffen recently outlined the challenges this mindset creates for developers in the GitHub Universe 2022 talk, “Shifting left vs developer-first security.” Kelly Shortridge describes this practice as “security obstructionism.” Security practices that simply shift toil work from a security team onto an engineering team are an unfortunate corruption of the shift left mentality. Focusing security initiatives and products around a developer-first approach is essential if security initiatives are to match the speed and scale of modern businesses.

A flaw I’ve seen with many well-intended shift left approaches is that they seek culture shifts solely within engineering and do not apply the same mindset shift within security. The security program should focus less on, as Kelly Shortridge describes, “security outputs as a proxy for progress” and instead on the activities that materially move the needle on the organization’s risk posture. A business risk is any exposure an organization has to factors that will lower its profit or lead it to fail. A security risk is, similarly, a vulnerability that threatens the company’s ability to achieve its objectives, including losing customer trust. Therefore, security practices that lower the risk posture of the organization while helping the business achieve its goals are crucial. A powerful way to help ensure security activities meaningfully improve the business in this capacity is to prioritize the contextual impacts when planning security initiatives.

Shift-Left Secrets Management

Developer-first secrets management

OIDC support for GitHub Actions workflows, released in late 2021, gave us an opportunity to develop a new, contextual paved path that helps developers transition pipelines to GitHub Actions while removing the friction of credential management. Read our follow-up article to learn how DigitalOcean provides engineering teams with a developer-first approach to fine-grained RBAC while removing “secret zero” with GitHub OIDC and HashiCorp Vault.
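To make the “secret zero” point concrete, here is an added illustration (not DigitalOcean’s workflow or the follow-up article’s code) of what the two patterns look like in a GitHub Actions job: the commented-out step stores a long-lived Vault token as a repository secret, while the active step authenticates with the run’s short-lived GitHub OIDC token through Vault’s JWT auth method. The Vault URL, auth mount path, role name and secret path are assumed placeholders.

```yaml
# Added example, not from the original article. Vault URL, mount path, role
# and secret path are assumed placeholders; replace them for your environment.
name: deploy
on:
  push:
    branches: [main]

jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write   # allows this job to request an OIDC token from GitHub
    steps:
      - uses: actions/checkout@v4

      # "Secret zero" pattern this replaces: a static Vault token kept in
      # repository secrets. Someone has to create it, distribute it, rotate
      # it and notice when it leaks, and every pipeline needs its own copy.
      #
      # - uses: hashicorp/vault-action@v3
      #   with:
      #     url: https://vault.example.internal
      #     method: token
      #     token: ${{ secrets.VAULT_TOKEN }}

      # Developer-first path: GitHub mints a JWT whose claims (repository,
      # ref, environment, actor, ...) identify this specific run. Vault's JWT
      # auth method verifies the signature against GitHub's OIDC discovery
      # document and maps the claims to a role whose bound_claims pin it to
      # this repository. Nothing long-lived is stored in the repository, and
      # the token expires with the run.
      - name: Fetch deploy credentials from Vault
        uses: hashicorp/vault-action@v3
        with:
          url: https://vault.example.internal          # assumed
          method: jwt
          path: github-actions                          # assumed auth mount
          role: example-repo-deploy                     # assumed Vault role
          jwtGithubAudience: https://vault.example.internal
          secrets: |
            secret/data/deploy/example api_key | DEPLOY_API_KEY

      - name: Deploy
        run: ./scripts/deploy.sh                        # assumed script
        env:
          DEPLOY_API_KEY: ${{ env.DEPLOY_API_KEY }}
```

The Vault-side role must exist before this runs; binding it to the repository claim (and, where needed, the ref or environment) is what turns a generic OIDC token into a fine-grained RBAC decision.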

Ari Kalfus is the Manager of Product Security at DigitalOcean. The Product Security team are internal advisors focused on enabling the business to safely innovate and experiment with risks. The team guides secure architecture design and reduces risk in the organization by constructing guardrails and paved paths that empower engineers to make informed security decisions.