1Password boosts developer security with new set of tools
A password manager maker is trying to encourage software developers to adopt more secure secrets management with new features added to its flagship product.
Launched as Developer Tools, the new features will help developers easily and securely generate, manage and access secrets in their normal workflows, 1Password said.
The tools will also simplify complex processes and improve security practices to ensure data protection without slowing down the development pipeline, the company added, while giving developers secure access to the secrets they need wherever they are and whatever device they use.
“Historically, one of the greatest constraints to secure coding and operations has been the tools to securely manage secrets – the passwords and keys needed to securely interconnect components,” observed Casey Bisson, product and developer relations manager at BluBracket, a provider of code security solutions in Palo Alto, Calif.
“In too many cases,” he told TechNewsWorld, “these secrets are stored in code. But a coded secret is a spoken secret.”
Citing a study by 1Password, its product manager and general manager of emerging solutions Akshay Bhargava told TechNewsWorld that one in four IT and DevOps employees have secrets in 10 or more places and have shared them with colleagues over unsecured channels, such as in an email or Slack message.
He added that one in three DevOps IT workers say they will share secrets over insecure channels if it helps them get their jobs done faster.
Additionally, he continued, 61% of projects are delayed due to mishandling of secrets.
Easy SSH key management
New features in the Developer Tools offering include SSH Key Management, which allows developers to store and use SSH keys with just a few clicks.
To avoid errors, 1Password for the browser will automatically populate a developer’s public keys into popular sites, including GitHub, GitLab, BitBucket, and Digital Ocean.
Then, with an integrated SSH agent, users can push code to GitHub and authenticate other SSH workflows in a terminal simply by scanning their fingerprints, increasing security with less effort.
Developers no longer need to remember or enter key passphrases, manually copy keys to new devices, or store key files on disk, avoiding weak SSH key encryption and other security risks.
“All the hassle of exchanging keys on different machines, adding and removing agent keys, entering passphrases from keys, is now just one biometric authentication,” said Marcel Kersten, software developer at ComLine GmbH, in a statement.
New CLI and Secrets Vault
A new command-line interface, with improved syntax and new biometric unlocking, lets developers quickly manage secrets, provision users, or automate workflows in a terminal without leaving their dev tools or typing passwords manually.
The developer tools also simplify key management with CLI injection and runtime commands, allowing developers to write code that references secrets, with the actual API keys pulled from their vault only at runtime.
“The new 1Password CLI has saved our web development team time by synchronizing passwords and API keys much more securely than before,” said Craig Haseler, project manager at TechSource, in a statement.
“I highly recommend any web development team to consider using 1Password’s CLI tools to enhance security and efficiency,” he added.
The offering also includes encrypted vaults for storing secrets, so that instead of hard-coding them or keeping them as insecure plaintext in configuration files or spreadsheets, developers can manage and access their secrets in one place from their favorite tools and workflows.
Storing secrets in encrypted vaults, as one of many built-in item types (API credential, AWS account, database, server, or SSH key), will help prevent breaches caused by leaked secrets.
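The reference-and-inject pattern described above, as an added example that is not 1Password's code: a committed template holds only op://vault/item/field references (the reference syntax 1Password's CLI uses, assumed here with simplified names), a simulated in-memory vault supplies the real values at runtime, and a small check flags values that are still hard-coded.

```python
# Runtime secret injection in the style of 1Password's CLI run/inject commands.
# Added example, not 1Password's code; it assumes op://<vault>/<item>/<field>
# references (1Password's CLI syntax, names simplified) and a dict as the vault.
import re

# Constructed stand-in for an encrypted vault: {vault: {item: {field: value}}}
FAKE_VAULT = {"Dev": {"Stripe": {"api_key": "sk_test_CONSTRUCTED_VALUE"},
                      "Postgres": {"password": "pg-constructed-pw"}}}
SECRET_REF = re.compile(r"op://([\w-]+)/([\w-]+)/([\w-]+)")

def resolve_reference(ref, vault=FAKE_VAULT):
    """Look one op:// reference up in the vault; fail loudly if it is missing."""
    m = SECRET_REF.fullmatch(ref)
    if not m:
        raise ValueError(f"not a secret reference: {ref!r}")
    v, item, field = m.groups()
    try:
        return vault[v][item][field]
    except KeyError:
        raise KeyError(f"unresolved secret reference {ref}") from None

def inject(text, vault=FAKE_VAULT):
    """Replace every op:// reference with its value. The committed template
    holds only references; the real secret exists in memory, at runtime."""
    return SECRET_REF.sub(lambda m: resolve_reference(m.group(0), vault), text)

def env_from_template(template, vault=FAKE_VAULT):
    """Parse a KEY=value .env-style template into a resolved environment dict."""
    env = {}
    for line in template.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            env[key.strip()] = inject(value.strip(), vault)
    return env

def unreferenced_keys(template):
    """Pre-commit check: keys whose value has no op:// reference are likely
    hard-coded secrets that belong in the vault instead."""
    return [line.partition("=")[0].strip() for line in template.splitlines()
            if "=" in line and not line.lstrip().startswith("#")
            and not SECRET_REF.search(line)]

# Constructed .env template, as it would be committed to the repository.
ENV_TEMPLATE = """
# no real values here, only references resolved at runtime
STRIPE_KEY=op://Dev/Stripe/api_key
DATABASE_URL=postgres://app:op://Dev/Postgres/password@db.internal/app
"""
```

Because resolution happens only in the running process, a leaked copy of the template exposes item names, not credentials, and a missing vault entry fails the start-up rather than silently running with an empty value.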
Developer tools also facilitate collaboration by providing secure access to secrets within a team.
1Password’s new tools aim to encourage developers to better manage secrets and discourage them from taking shortcuts that can create security risks.
“It’s not so much about taking shortcuts, it’s about finding a way to work within the deadlines and trying to be as efficient as possible,” explained Daniel Kennedy, research director for security and networks at 451 Research, part of S&P Global Market Intelligence.
“Organizations install all kinds of well-meaning process, code analysis and other application testing tools, and if they create a lot of friction in the daily lives of developers, to the point where they think the burden outweighs the value, they have a lot of agency, sometimes hidden agency, to get around those hurdles,” he told TechNewsWorld.
“Developers are not paid to provide security. They get paid to provide functionality,” added John Bambenek, principal threat hunter at Netenrich, an IT and digital security operations company in San Jose, California.
“Often they operate under tight deadlines to rush to market, which means any delays, even for security reasons, can be overlooked,” he told TechNewsWorld.
Lipstick on a security pig
Traditionally, security has been seen as a drag on developers. “That’s not necessarily the case and newer vendors – real DevSecOps vendors – have gotten this and developers love using them because they actually speed up development, not slow it down,” observed Larry Maccherone, DevSecOps transformation evangelist at Contrast Security, a maker of self-protecting software solutions in Los Altos, Calif.
“However, most security tool vendors are just DevOps lipstick on a traditional security pig,” he told TechNewsWorld.
DevSecOps has created a sense of shared responsibility in the development world, said Josh Bressers, vice president of security at Anchore, a software development security company in Santa Barbara, Calif.
“If you look at more traditional development models, you had development, you had testing, you had security, you had all these different groups with slightly different goals,” he told TechNewsWorld. “Anytime you have different groups with different goals, you get different results. In DevSecOps, where you share responsibility, the goals are more aligned.”
“When you consider how most companies initially approached building secure code, which was to do analysis on huge code bases and then massive cleanup projects, we’ve come a long way,” added Kennedy.
“Making security happen when a project is about to go into production with hundreds of vulnerabilities to clean up is not an effective approach to application security,” he continued. “If analysis can be performed incrementally at appropriate points in a development pipeline, it’s a much less burdensome way to ensure apps are built and updated with due consideration for security.”