Secrets

There’s a few things I feel that are missing in the market:

  • The ability to upgrade in security incrementally or change security strategies after initial setup
    • A continual frustration I’ve seen is that even though a prototype app should be secure, the amount of infrastructure required to get a “fully enterprise grade” Vault RBAC+dynamic+best-practices secrets solution fully setup is massive; often dwarfing the actual implementation of the prototype itself.
  • Yet there seems to be no easy incremental path from an unencrypted env file to a full enterprise system that can span multiple teams, environments, and permission levels.
  • A secret-zero solution that doesn’t require vendor lock-in (eg from AWS) and that isn’t just adding a layer to hide the zeroth secret a little better
  • A secrets management solution that prioritizes developer ergonomics without forcing a PaaS-like product prematurely. Particularly the ability to work fully offline until/unless something else is needed
  • A solution that allows someone to start from scratch very easily/quickly, and makes correct secret usage easier than incorrect usage. Every solution out there currently involves highly manual, tedious, and error-prone steps that can (potentially) take an entire team of experts to maintain.

I’ve also seen (and had) analysis paralysis on implementing more robust solutions because clients were unable to present their security needs clearly enough and so it was deemed a waste of developer time to implement better security if it was just going to be thrown away after they figured out what they wanted.

resources: