DevSec For Scale Podcast – Securing Secrets w/ Conor Mancone, Cimpress

In this episode of the “DevSec for Scale” podcast, host Jeremy Hess is joined by Conor Mancone, Principal Application Security Engineer at Cimpress. Conor discusses the crucial topic of credential rotation and the challenges associated with managing access credentials within application environments. He highlights a common dilemma teams face: how to change passwords without disrupting applications. This issue is particularly relevant in large organizations like Cimpress, which consists of 13 businesses and thousands of developers, each potentially using different technologies and methodologies for secrets management.

Conor shares insights into the secrets management challenges faced at Cimpress. He notes that while many teams rely on solutions like AWS Secrets Manager, these are not always feasible for all environments, especially when dealing with on-premises infrastructure or various cloud services. The decentralized nature of Cimpress means each team must find the solutions that work best for its specific needs. Conor’s team aims to provide guidance, tools, and managed security services to support these diverse requirements.

One of the significant contributions Conor has made is advocating for the use of temporary, dynamic credentials, a practice he refers to as “credential-less” application management. This approach enhances security by ensuring that credentials are short-lived and reduces the risk of breaches due to stolen credentials. Conor explains that while setting up such a system might seem daunting at first, it simplifies long-term credential management and enhances development efficiency. By integrating applications directly with a secret manager, teams can automate credential rotation and minimize the chances of security lapses.

Conor also elaborates on the practical benefits of this system, such as easing the process of giving developers access to production databases or on-prem infrastructure without permanently storing sensitive credentials. He shares an example of how Cimpress uses Akeyless’ capabilities to automate SSH credential issuance and database access, highlighting how this integration streamlines development workflows and enhances security. By moving away from environment variable-based credential storage, teams can significantly reduce their vulnerability to supply chain attacks and other security threats.

In conclusion, Conor emphasizes that while managing secrets effectively is a complex task, adopting a dynamic, automated approach can lead to substantial improvements in both security and operational efficiency. His insights offer valuable guidance for any organization looking to enhance their secrets management practices while minimizing disruption to their development processes.