Summary

Any application that communicates with other systems or services will at some point require a credential or sensitive piece of information to operate properly. The question then becomes how best to securely store, transmit, and use that information. The world of software secrets management is vast and complicated, so in this episode Brian Kelly, engineering manager at Conjur, aims to help you make sense of it. He explains the main factors for protecting sensitive information in your software development and deployment, the ways that information might be leaked, and how to get the whole team on the same page.

Preface

Hello and welcome to Podcast.__init__, the podcast about Python and the people who make it great.

When you're ready to launch your next app you'll need somewhere to deploy it, so check out Linode. With private networking, shared block storage, node balancers, and a 40Gbit network, all controlled by a brand new API, you've got everything you need to scale up. Go to podcastinit.com/linode to get a $20 credit and launch a new server in under a minute.

Visit the site to subscribe to the show, sign up for the newsletter, and read the show notes. And if you have any questions, comments, or suggestions I would love to hear them. You can reach me on Twitter at @Podcast__init__ or email hosts@podcastinit.com.

To help other people find the show please leave a review on iTunes or Google Play Music, tell your friends and co-workers, and share it on social media.

Join the community in the new Zulip chat workspace at podcastinit.com/chat

Your host as usual is Tobias Macey and today I'm interviewing Brian Kelly about how to store, deploy, and use sensitive information in your applications.

Interview

- Introductions
- How did you get introduced to Python?
- To begin with, how do you define a secret in the context of an application?
- What are the broad categories for solutions to secrets management?
- What are the different aspects of secrets management in the lifecycle of developing, deploying, and maintaining an application?
- How does the scale of a project or organization impact the strategies that are reasonable for secrets management?
- What are some of the most challenging aspects of secrets management at the different stages of usage?
- What are some of the common reasons that secrets management strategies fail?
- What are some of the vulnerabilities or attack vectors that development teams should be thinking about when working with credentials?
- What are your thoughts on versioning of secrets?
- Beyond storing and deploying sensitive information, what are some of the secondary concerns around secrets management that development teams should be thinking about?
- How does the use of multiple environments (e.g. dev, QA, production, etc.) affect the strategies used for secrets management?
- What are some of the most useful resources that you have found for anyone looking to learn more about this subject?

Keep In Touch

- @brikelly on Twitter
- Blog
- brikelly on GitHub

Picks

- Tobias: The Inheritance Cycle
- Brian: Donegal, Ireland

Links

- Conjur
- CyberArk
- Datawire
- Transpiler
- IDL
- CSRF (Cross-Site Request Forgery)
- Hashicorp Vault
- Continuous Integration
- Continuous Delivery
- TLS (Transport Layer Security)
- RBAC (Role Based Access Control)
- Terraform
- SQL Injection
- Secretless
- MFA
- Duo Security
- Kubernetes
- Summon
- OWASP Top 10
- Configuration Management
- Puppet
- Chef
- Ansible
- SaltStack
- Immutable Infrastructure
- Conjur Blog
- Krebs On Security

The intro and outro music is from Requiem for a Fish by The Freak Fandango Orchestra / CC BY-SA