Secrets Management

When: Wed PM-1
Organizers: Dominik de Smit
Participants: Ajy Gupta, Chris Dobson, Emma Fang, Felipe Zipitria, Florian Buetow, Foteini Karantoni, Gabor Pek, Jim Newman, Martin Rock-Evans, Sean Siford, Sean Turner, Sven Schleier, Tom Ling, Zuhal Vargun
Remote Participants: André Rainho, Camilo Cota, Konstantinos Damianakis


This Working Session will focus on secrets management - a key element of DevSecOps.

With the DevOps movement, secrets are now used everywhere: API keys, database credentials, IAM permissions, SSH keys, certificates, etc. Many organizations have them hard-coded in source code, littered throughout configuration files and configuration management tools, and stored in plaintext in version control.

There is a strong need to centralize secrets in order to improve security posture and to prevent secrets from leaking and compromising the organization. Most of the time, services share the same secrets, which makes identifying the source of a compromise or leak very challenging.

Because technologies such as containers, Kubernetes and cloud native are in full swing, guidance on proper secrets management is needed now. This session aims to start a new OWASP Cheat Sheet on secrets management.


  • Identify best practices for secrets management (containers, cloud (AWS, Azure, GCP), applications, etc.)
  • Provide guidance on how to do proper secrets management across different environments
  • Agree what to include in an OWASP Cheat Sheet


This Working Session will publish:

  • A set of best practices for DevSecOps engineers
  • The start of an OWASP Cheat Sheet for secrets management


  • DevSecOps engineers
  • Security professionals
  • CISOs
  • Developers
  • Operators

