SE Radio 722: Dwayne McDaniel on the Engineering Challenges of Secrets Management

2026-05-27 · Source: Software Engineering Radio - the podcast for professional software developers · Field: Technology & Digital — Cybersecurity & Data Privacy, Software Development & Engineering, Cloud Computing & IT Infrastructure · Depth: Intermediate, extended

Summary

Dwayne McDaniel, developer advocate at GitGuardian.com, discusses the engineering challenges of secrets management, defining "secrets" broadly to include API keys, tokens, and machine identities, not just passwords. He highlights "secret sprawl" across the SDLC and the alarming scale of leaks, with 28.65 million hard-coded secrets pushed to public Git repos in 2025, a 34% increase from 2024. Credential abuse and phishing accounted for 38% of 2025 attacks. Common leak points span code repositories, logs, CI/CD pipelines, containers, and SaaS integrations, with cloud, DevOps, and AI tooling amplifying risks. Recent supply chain attacks, including those affecting pyPi, Light LLM, and Cisco, underscore issues like poor access control and long-lived credentials. Modern solutions emphasize short-lived credentials, secret scanning, and identity-based approaches like OWASP NHIR and SPIFFE/SPIRE.

Key takeaway

For Security Engineers and DevOps teams managing critical infrastructure, the escalating rate of secret leaks and supply chain attacks demands an urgent re-evaluation of authentication strategies. You should prioritize transitioning from long-lived, static credentials to identity-based, just-in-time access mechanisms like SPIFFE/SPIRE. Implement continuous secret scanning across all text-containing assets and establish a clear governance plan to inventory and secure your most critical secrets, significantly reducing your blast radius against sophisticated, machine-speed attacks.

Key insights

Modern systems face escalating "secret sprawl" due to expanded definitions of secrets and rapid development, demanding a shift to identity-based, just-in-time access.

Principles

• Any plain text data granting access is a secret.
• Increased code and infrastructure amplify secret leak risks.
• Eliminate long-lived, standing privileges to limit blast radius.

Method

Implement a governance plan starting with a comprehensive secret inventory across repos, vaults, and SaaS. Prioritize critical systems, then transition to just-in-time, short-lived, identity-based access using solutions like SPIFFE/SPIRE.

In practice

• Rotate production credentials if using compromised packages like Axios.
• Utilize pre-commit hooks or local secret scanning tools.
• Encrypt local configuration files with tools like SOPS.

Topics

• Secrets Management
• Supply Chain Security
• Identity-Based Authentication
• SPIFFE/SPIRE
• AI Coding Assistants
• Credential Abuse
• DevOps Security

Best for: CTO, MLOps Engineer, VP of Engineering/Data, Software Engineer, Security Engineer, DevOps Engineer

Related on AIssential

• Trump administration to ask US AI firms to voluntarily submit models for cybersecurity tests — The U.S. government seeks voluntary AI model cybersecurity testing from firms like OpenAI and Google via CAISI.
• Anthropic scales Project Glasswing to 150 partners across 15 countries to hunt critical software flaws — AI models like Claude Mythos can rapidly identify critical software vulnerabilities, posing both defensive and offensive capabilities.
• Your JWT Is Lying to You - The Authorization Problem Nobody Solves Correctly — JWTs alone are insufficient for dynamic, fine-grained authorization; external policy engines are essential for scalable security.
• Hackers hijacked high-profile Instagram accounts by simply asking Meta's AI chatbot to change the email — Meta's AI support chatbot was exploited via prompt injection to hijack Instagram accounts, bypassing 2FA and automated identity checks.
• Chrome stops hackers from stealing your browser cookies now - how its new security feature works — Device Bound Session Credentials (DBSC) cryptographically ties browser cookies to a device's security chip, preventing their use if stolen.
• Reference your own AWS Secrets Manager secrets in Amazon Bedrock AgentCore Identity — Amazon Bedrock AgentCore Identity now allows referencing existing AWS Secrets Manager secrets for enhanced credential governance.

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by Software Engineering Radio - the podcast for professional software developers.