Never did I realize how insecure my applications, and probably the vast majority of the applications I use, were until I started my training for Vault. Look back at my previous article on the scalability of Key Vault in Azure. That alone shows how little attention secret management gets in the cloud and how it is treated almost as a second-class citizen. How am I supposed to secure sensitive data when I'm limited to 2000 transactions per 10 seconds? Averaged out, that is 200 transactions per second. If I scale out to 200 instances and each has to fetch a single secret (a password, say) on startup, a simultaneous restart already consumes that whole per-second budget, and any instance that needs more than one secret pushes past it.
One of the issues is that passwords are not the only secrets. Anything you do not want someone else to have is a secret and should be handled through secret management. Are you storing social security numbers or credit card numbers? They had better be encrypted if you are. How are you storing the encryption keys for those records? Are they sitting in configuration files? Are those configuration files spread across your entire application estate? How often are the keys rotated? Speaking of rotation: how often are your database passwords rotated? Do all of your applications share a database password? Do all of the instances of a single application share the same database password?
This was an old draft that I published. Please stay tuned for future details on HashiCorp Vault and what it can provide for the security of your applications. I believe all developers should be aware of it and what it provides in order to create secure software.
Earlier, in August 2020, I became a HashiCorp Certified: Vault Associate.