Secrets management continues to be an ongoing challenge in application security, as developers struggle to organize the secrets used in source code and to manage those needed by distributed systems and infrastructure.
The latest startup to address this space is Doppler, whose platform helps developers securely store, transmit, and audit secrets. The Doppler platform syncs secrets across devices, environments, and team members, so that developers don’t wind up sharing secrets on insecure platforms (such as Slack or email) or including them within .git and .zip files. The platform can also handle secrets rotation, and it sends developers alerts over Slack and Microsoft Teams to inform them when the secrets are changed.
Secrets refer to sensitive pieces of data such as tokens, encryption keys, API keys, and digital certificates. A survey by 1Password last year found that 65% of companies juggle more than 500 secrets, and 18% said they have “more than they can count.”
The secrets are scattered across source code, container and infrastructure images, and configuration files. Over 6 million secrets were detected in scans of public GitHub repositories in 2021, according to GitGuardian’s State of Secrets Sprawl 2022 report.
Adversaries routinely attempt to intercept these secrets in order to gain access to cloud environments, help with lateral movement, and access data in applications. Earlier this month, GitHub said adversaries were able to download private data from some organizations using Heroku and Travis-CI after stealing a handful of OAuth tokens used by those two platforms. Last year, attackers compromised Codecov and stole secrets belonging to Codecov’s customers. Those secrets were then used to compromise the customers.
1Password estimates the cost of a company losing control of its secrets at $1.2 million per year.
Security Management Is Key
Enterprises need processes in place to handle secrets management, such as inventorying what secrets they have, controlling access, sharing secrets safely with collaborators, and promptly revoking those secrets when they are exposed. Those processes also need to scale, considering the sheer number of secrets developers are using, without becoming time-intensive.
In the same 1Password survey, DevOps and IT workers said they spend an average of 25 minutes each day managing secrets – which the company estimated to add up to an annual payroll expense of roughly $8.5 billion.
Secrets management is shaping up to be a fairly crowded market. HashiCorp Vault offers a vault for teams to securely store tokens, passwords, certificates, and encryption keys. 1Password acquired SecretHub last year, which was the basis for its 1Password Secrets Automation service. Cloud giants Amazon Web Services and Google Cloud offer AWS Secrets Manager and Secrets Manager, respectively. GitHub, GitLab, and Atlassian all offer various levels of secrets-scanning tools for their code repositories.
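The secrets-scanning mentioned above, reduced to its core, as an added example that is not Doppler's code or that of any of the vendors named here: a small scanner that runs pattern rules (the AWS access key ID shape, a private-key PEM header, a secret-like variable name assigned a quoted literal) plus a Shannon-entropy check over quoted tokens, and suppresses `${VAR}`-style references that are not literal secrets. The sample lines are constructed; the only key-shaped value is the placeholder key ID AWS uses in its own documentation. The 3.5 bits-per-character threshold is an assumed cut-off to tune per codebase.

```python
import math
import re
from collections import Counter

# Constructed sample source lines (not real credentials). The AKIA... value is the
# placeholder access key ID that AWS itself uses in its documentation.
SAMPLE_LINES = [
    'DB_HOST = "db.internal.example"',
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    'SECRET_KEY = "changeme-changeme-changeme"',
    '-----BEGIN RSA PRIVATE KEY-----',
    'token = "${VAULT_TOKEN}"',
    'note = "this is an ordinary string with spaces"',
]

# Pattern rules: well-known shapes that need no entropy estimate.
RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_header": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    # Name-based rule: a secret-ish variable assigned a quoted literal of 8+ chars.
    "generic_assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret(?:[_-]?key)?|token|passw(?:or)?d)\b"
        r"\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}
# Whitespace-free quoted tokens of 20+ chars are candidates for the entropy check.
QUOTED_TOKEN = re.compile(r"['\"]([^'\"\s]{20,})['\"]")
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cut-off, tune per codebase
# ${VAR} / {{ var }} are references to a secret store, not literal secrets.
TEMPLATED = re.compile(r"^(\$\{.*\}|\{\{.*\}\})$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Keep a 4-char prefix so a finding can be located without re-exposing the secret."""
    return value[:4] + "*" * (len(value) - 4) if len(value) > 4 else "*" * len(value)


def scan_line(line: str) -> list[tuple[str, str]]:
    """Return (rule_name, redacted_evidence) pairs for one line, sorted by rule name."""
    hits = {}
    for name, rx in RULES.items():
        m = rx.search(line)
        if not m:
            continue
        evidence = m.group(1) if m.groups() else m.group(0)
        if name == "generic_assignment" and TEMPLATED.match(evidence):
            continue  # e.g. token = "${VAULT_TOKEN}" is a reference, not a leak
        hits[name] = redact(evidence)
    for m in QUOTED_TOKEN.finditer(line):
        tok = m.group(1)
        if not TEMPLATED.match(tok) and shannon_entropy(tok) >= ENTROPY_THRESHOLD:
            hits["high_entropy_string"] = redact(tok)
    return sorted(hits.items())


def scan(lines) -> list[tuple[int, list[tuple[str, str]]]]:
    """Scan source lines; report (1-based line number, findings) for lines that fire."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        hits = scan_line(line)
        if hits:
            findings.append((lineno, hits))
    return findings


if __name__ == "__main__":
    for lineno, hits in scan(SAMPLE_LINES):
        for rule, evidence in hits:
            print(f"line {lineno}: {rule}: {evidence}")
```

Run against the constructed lines, the scanner flags lines 2 (key-ID shape and high entropy), 3 (a low-entropy default caught only by the name-based rule) and 4 (PEM header), while the `${VAULT_TOKEN}` reference and the plain-English string produce nothing; a hook like this belongs in pre-commit or CI so a secret is caught before it reaches a repository, and any secret it does find should be rotated rather than merely deleted from history.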
Then there’s Doppler, which recently raised $20 million as part of a series A funding round.
“The ability to securely store, transmit and audit secrets has never been more critical as one minor error can lead to catastrophic results,” Murat Bicer, a general partner at CRV, said in a statement. CRV led the funding round. “In a world where putting a single space in the wrong place can literally take down a company’s entire website, Doppler makes it easy to prevent leaks and outages with their developer-focused approach.”