Practice Secrets Management in Kubernetes With OWASP WrongSecrets and Okteto
Shipping secure applications is essential for any organization. Security should be a priority, as the consequences of a breach are often dire and tough to recover from. But securing your applications has gotten a lot more complicated over the last few years with the adoption of containers and Kubernetes.
"Application Secrets" is a broad term: it covers anything your application needs in order to work but that must not be disclosed. Most often these are API keys, database passwords, tokens and similar credentials. Anyone who obtains them can cause a lot of damage and put the privacy of your users at risk. That is why keeping your secrets safe is critical, including during development.
Secrets can be tricky to handle. Often you think your Secret is stored securely where no one can access it, only to learn the hard way that this wasn't the case. Secrets management was already a tough job; since the shift to microservices and container orchestrators, it has become a lot trickier.
Even though it has been a good few years since we adopted these technologies, I feel we still keep seeing these breaches because of skill gaps. The world of Kubernetes was new for everyone, so it's no surprise that we ended up making mistakes in securing our Application Secrets. To avoid repeating those mistakes and learn from them instead, we need to invest in tools and projects that help bridge this knowledge gap for developers.
If you're new to Kubernetes and looking for a comprehensive guide on the basics, check out our Kubernetes for Beginners article!
The best way to prepare for something is to practice in an environment as close as possible to the actual scenarios you'll face. OWASP's WrongSecrets project follows the same idea. WrongSecrets is an open-source project containing exercises in finding Secrets that have NOT been stored securely. It's an excellent way to learn secrets management in cloud-native applications.
The project's intent is that after going through these exercises, you'll have a better idea of where to look for misconfigured Secrets in your own applications. The challenges help you understand how you've been storing Secrets and evaluate whether you need to change your approach to secrets management. The best part for me is that all exercises are based on real misconfigurations that have actually happened. The maintainers (who are amazing people to talk to, by the way!) have poured years of experience securing Secrets into the project so that others don't make the same mistakes.
You can check out the project at: https://github.com/OWASP/wrongsecrets.
The repository provides a Java application whose secrets have not been stored properly. These misconfigured Secrets are spread across different places, as they would be in a real application: Dockerfiles, Kubernetes manifests, and so on. Each challenge holds a lesson in secrets management and represents a real scenario to learn from.
To make it easier to run the Kubernetes-based challenges, the project gives users the option to run them on Okteto. The benefit of using Okteto is not having to spend time configuring a cluster, so you get right to the fun part of solving the challenges. Okteto also deploys the application and spins up the environment with a single click, without installing tools like kubectl or downloading a kubeconfig.
Challenge 6 was an excellent learning experience. We often store important data as Kubernetes Secrets and assume it's all secure. But a Secret object's data is only base64-encoded in the API server, so anyone who can read the object has the value. We also need to configure RBAC around these Secrets so that only the processes that require a Secret's value can read it, and no one else. Give the challenges a try, and I guarantee there's a lot you will learn about secrets management.
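To make that lesson concrete, here is an added example (written for this article, not code from the WrongSecrets project or from Okteto). It decodes a constructed Secret manifest to show that read access is plaintext access, then audits RBAC rules and flags any that let a ServiceAccount read more Secrets than the one named object it needs. The manifests, the names in them, and the `decode_secret` and `audit_secret_access` helpers are all assumptions made for the example.

```python
import base64
from typing import Dict, List

# Constructed manifests, written as the Python dicts that `kubectl apply` would
# produce from the equivalent YAML; they are illustrations for this article,
# not files from the WrongSecrets repository.

# A Secret as the API server stores it: `data` values are only base64-encoded,
# so anyone who can `get` this object has the plaintext.
DB_SECRET: Dict = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "db-credentials", "namespace": "app"},
    "type": "Opaque",
    "data": {"password": base64.b64encode(b"hunter2").decode()},
}

# Weak: any ServiceAccount bound to this Role can read every Secret in the namespace.
BROAD_ROLE: Dict = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"name": "app-reader", "namespace": "app"},
    "rules": [
        {"apiGroups": [""], "resources": ["configmaps", "secrets"],
         "verbs": ["get", "list", "watch"]},
    ],
}

# Hardened: the same Role, with Secret access limited to the one object the
# workload actually needs and to the single verb it uses.
SCOPED_ROLE: Dict = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"name": "app-reader", "namespace": "app"},
    "rules": [
        {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list"]},
        {"apiGroups": [""], "resources": ["secrets"],
         "resourceNames": ["db-credentials"], "verbs": ["get"]},
    ],
}

READ_VERBS = {"get", "list", "watch"}


def decode_secret(secret: Dict) -> Dict[str, str]:
    """Return the plaintext values of a Secret manifest (base64 is encoding, not encryption)."""
    return {k: base64.b64decode(v).decode() for k, v in secret.get("data", {}).items()}


def audit_secret_access(role: Dict) -> List[str]:
    """Flag RBAC rules that grant broader read access to Secrets than a single named object.

    Works for both Role (namespace-scoped) and ClusterRole (cluster-wide) manifests.
    """
    findings: List[str] = []
    kind = role.get("kind", "Role")
    scope = ("cluster-wide" if kind == "ClusterRole"
             else f"namespace {role.get('metadata', {}).get('namespace', '<unset>')}")
    name = role.get("metadata", {}).get("name", "<unnamed>")

    for idx, rule in enumerate(role.get("rules", [])):
        groups = set(rule.get("apiGroups", []))
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))

        # Secrets live in the core API group (""), so a rule must name that group
        # (or "*") and the resource (or "*") to reach them.
        if not (groups & {"", "*"}) or not (resources & {"secrets", "*"}):
            continue
        if not (verbs & (READ_VERBS | {"*"})):
            continue  # write-only rules are a separate concern

        if "*" in verbs:
            findings.append(f"{kind}/{name} rule {idx}: wildcard verbs on Secrets ({scope})")
        if "*" in resources:
            findings.append(f"{kind}/{name} rule {idx}: wildcard resources include Secrets ({scope})")
        if not rule.get("resourceNames"):
            findings.append(
                f"{kind}/{name} rule {idx}: reads every Secret ({scope}); "
                "add resourceNames to limit it to the objects this workload needs")
    return findings


if __name__ == "__main__":
    print("Secret plaintext:", decode_secret(DB_SECRET))
    for manifest in (BROAD_ROLE, SCOPED_ROLE):
        print(manifest["metadata"]["name"], audit_secret_access(manifest) or ["ok"])
```

Running the script reports one finding for the broad Role and none for the scoped one. On a live cluster, the same question can be asked of the API server directly with `kubectl auth can-i get secrets -n app --as=system:serviceaccount:app:<serviceaccount>`; a `yes` for a workload that only needs one Secret is the misconfiguration this check is looking for.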
Providing developers with tools that let them confirm the code they're writing is secure earlier in the development process can be a game-changer if you're looking to secure applications. Okteto enables this by giving developers a production-like environment to write code in, which means the dev environment has its Secrets configured the same way they would be in production. This shifts security left and lets developers catch potentially vulnerable code much earlier in the dev cycle. Give it a try to see how Okteto's Cloud Development Environments change the game!