
I'm a machine and you should trust me. The future of non-human identity. Dwayne McDaniel is handling that for us. Is Dwayne here or has he stepped out? >> Is he there? Oh, there he is. Thanks. >> Thanks. Yay. Let's hand over to Dwayne. Thanks. >> Give it up for Demetri, everybody. Awesome. Thank you all for being here. And wow, I can't believe it's already here. I can't believe that BSides Las Vegas has already snuck up on us. It feels like it was just a couple months ago that I was so exhausted after the best week of Hacker Summer Camp I've ever spent in my life, and here we are again. And I'm so honored and privileged to be here.
I'm also speaking tomorrow and I'm just profoundly grateful to be here. I just kind of want to say that up front. If you want these slides, I highly recommend it because I talk fast. I have 87 of them and I have 45 minutes. I don't know how to pare down. Not to be ironic, but I don't know how to pare down things. I miss Pair. I wish he was here this year. So the TinyURL, that's where you can get them. I don't QR code things. So, just TinyURL preview if you want. That's why I like their service. You can preview things with that. Let's get going. I need a volunteer who is willing to do
a stupid little thought experiment with me. Just raise your hand. You don't have to get up. Just somebody in the audience. Anybody. Right there, front row, since you raised your hand first. All right. Ring ring. Yeah. Pick up your phone. >> Hi. This is your power company and it's summer. If you stop using as much electricity, we're going to give you a discount on your phone bill. Here's a 1-800 number. You can check it on the website. Give us a call back if you've got any questions. Would you trust that phone call? >> I would, because I get that phone call all the time. I called them back one time. It's like, "Hey, is this real?"
Like, "Yeah, we give discounts for using less power in the summer." Makes sense. It's plausible, right? There's a plausibility to that overall. Versus ring ring. Hello. Congratulations. You've won an all-expenses-paid trip to the island dream of your choice. All we need to get started is your credit card to hold your reservation, sir. >> Uh, no thank you. >> Yeah, you wouldn't trust that. Your gut instincts are dead right. And thank you for being brave. Here is a home copy of a game I made called Spot the Secrets as an exercise. We can talk about it later. See, that's what you get for being brave, people. I also have prizes later,
so be aware. [sighs and gasps] So, that's a human. Humans have this fundamental built-in BS detector that says, "Wait a minute, something don't sound right." Or, "Wait a minute, you gave me something that sounds a little too good to be true, but I can verify that. There's a number. It matches what I can find online. I can call it back. Huh. Okay. I will trust that based on the fact that I can verify it." Computers don't work that way. If I am a person that writes an API request that says give me all the users and the bearer token checks out, guess what? That resource is going to give me all the users because the bearer token
checked out. There's no MFA. There's no gut check. And that's the fundamental difference between a human and a non-human. Humans aren't just a series of running processes. And for our intents and purposes, non-humans are. Why am I giving a talk about non-humans? Well, because in 2022, CyberArk said, "Hey, we're outnumbered in the identity factor by non-humans by about 45 to one." For every human you need to authenticate, there are 45 non-humans that have some kind of authentication mechanism going on that gets to a resource or something. Here's 2025. We think it's closer to 100, but we don't really know. Research says it's somewhere between 70 and 150, depending on which report you read;
there's a bunch floating out there because a lot of people are obsessed with this right now. But we live in the world of agentic AI now. And I don't know about you, but I have never seen us deploy this much stuff this fast in my entire life. But again, I come from the old-school days of Drupal and FTP where you rolled out once every 3 weeks. That was considered really fast. I remember 6 months was like, hey, that's a pretty normal release rate. Now it's like, you're not releasing every 3 seconds? Like, what's wrong with you? But what are we releasing? We're releasing more of these. So that's why I'm giving this talk:
can we get a handle on this? Can we get ahead of this? And I think the answer is probably, but we've got to act and we've got to act quick and we've got to figure out how to talk to each other about this. So briefly, I'm Dwayne. I came here from Chicago. This is, like I said, my third one of these. Probably my 150th talk in the security space over the last three, four years of my life. I help people figure stuff out. That's my entire mission in life. If I can help you today, I'll be doing my job. Check out my podcast, The Security Repo podcast. We handle
everything you can think about in security, from red teaming to blue teaming, to people just getting started, to 20-year veterans, Jason Haddix to Tanya Janca to, you know, people you never heard of who I met in my local community and I thought they had a really cool story. Hit me up on Instagram, or not Instagram, sorry, LinkedIn, or just email me. Bluesky also works. I'm on the socials. Mastodon, not X anymore for obvious reasons. Let's move on. Oh, I also work at GitGuardian; that will come up later, but it's not really what I'm here to talk about. If you didn't get a sticker earlier, by the way, with the GitGuardian thing, I do have more stickers
with that owl on it. Hit me up afterward. Happy to give you some. All right, so let's get back to why I think this is important. So last year, CyberArk came out with this report, and I promise I do not work for CyberArk. I promise. I just like the research. They said 93% of organizations had one or more identity-related breaches in the past year. So what does that mean, identity-related? This actually threw me for a loop and I had to go do some thinking and research and actually talk to some people I know over at CyberArk. I won't name-drop, but they helped me figure it out. It's anytime someone
assumes the identity of someone else to do something. That's it. If you're assuming a human identity, that means you're taking over their account and you're acting on their behalf. Here's a fun one from back in May when I first was putting these slides together for a different version of this talk. This just happened to happen. So, a paid WordPress theme just let anybody reset passwords, including on admin accounts, which means you could then act as the admin and do whatever you wanted on the account. So, that's a classic, you know, human takeover. Phishing's another one, where we got your account and we got into your 360 mailbox or whatever you call it,
got your Gmail. We're acting as you. But again, 45 to 1 in 2022 and 100 to 1 right now, we estimate, and this is much more likely: I am assuming the identity of this non-human entity to do something. Well, this entity was supposed to be set up to go and pull images or go and, you know, check things into GitHub. Now I can use it to delete repos or clone those repos and send them anywhere I want or exfil data or do things like this. Just a couple examples that, if you got the slides, in the speaker notes there are links to these actual articles. But we'll steal an API key and get in and do whatever we
want. As an attacker, I love this because I don't have to know anything about exploiting vulnerabilities. I don't have to know zero-days. I barely have to be functionally literate to put an API key in the right place on a CLI call. I just do. We've got to remember that we're not dealing with humans for the most part anymore when it comes to identity. So all the conversations we have about IAM, PAM, passkeys, FIDO, all awesome stuff. I am for passkeys a zillion percent. I can convince someone to put their thumb on a screen and unlock a stupid long number that they'll never see that gets rotated on the regular behind the scenes way more
often than I can convince someone to download an authenticator. I personally don't like authenticator even though I know it's like mandatory, I need to use it. It's just like, man, I've got to use the authenticator, god dang it, pull out my phone. So when we say non-human, the fundamental problem with that is it's like saying there's only two things in the whole world, a potato and not a potato. It's not really that helpful. So there's humans and non-humans. What do we really mean by that? Well, [sighs] it could mean the floor. It could mean the Wi-Fi network. It could mean a car. It could mean an IoT device. It could mean a lot of things. I work in the world of application
security. I just do. I'm an OWASP fanboy. I'll get to them in a second, but I really, really, really like the IETF's, the Internet Engineering Task Force's, definition. I'll talk about WIMSE a little bit later, just briefly. Not going to get into the depths of it, but they have a really succinct concept of workload. It is a running instance of software executing for a purpose. That's it. It can run for seconds, run for years, it's part of a larger system normally, but it needs to communicate with those other parts of the system. OWASP, on the other hand, came out with this definition back in January or December and said what we mean is part
of a larger application, something that needs to be identified that's not a human. They go on to say this is often associated with secrets. It needs to have an authentication mechanism to go from "I can't do work" to "now I have the data and I can do the work." Makes sense. We've got to authenticate to do stuff. And before I go any further, I just need to make a caveat. I've been talking about this stuff for so long and so much that the words token, credential, secret, API key, password, database connection URL all mean the exact same thing in my head. And I know there are semantic differences and I apologize upfront, but I'm going to say secret and
credential interchangeably for the rest of this. And I don't know I'm doing it. So what I mean by that is this. And yes, we can get to a world of PKI and short-lived JWTs, and hopefully I'll get to that a little bit later, and get away from this. But by and large, when I'm talking about secrets, I'm talking about that problem of we hardcoded a thing, a string, and said, "Yep, that's how we're going to connect." The obvious implication is if anybody finds this code, then they can use that exact same string to do whatever the hell they want. This comes from about two months ago now when I asked ChatGPT, like, give me
an example API call like that in a Python script, and here's what it told me to do. Notice how it didn't say call an environment variable. Notice how it didn't say call into the vault. No, it's like, "your access token here." Now, I have been doing development, I've got a gray beard, I've been around for a while and know, like, okay, that's silly, but it's telling me, okay, generally this is how it's sculpted. Do most people know that? Do most people know that this is a dumb idea? >> Not based on what I'm seeing. >> Yeah, not based on what I'm seeing either. Now, I'm not against AI. I totally love AI. I use ChatGPT almost
daily for various things, but I kind of use it like I use Wikipedia, for reference for noncritical stuff. Like, sure, it got a little wrong, but that's cool. I was just playing around with an idea anyway, bouncing ideas off it. But if I'm going to put something in production, it better pass all my other tests and it better meet the standards that I'm going to put in production. And my worry with all of these assist bots, copilots, and whatnot is that we're not having that human conversation. But that's a whole other talk I give. And I'm going to get off that horse. We know that this problem of people hard-coding credentials is getting way worse because, well, we can just look in
public to see this, which is a self-feeding system because guess what all of these copilots and whatnot are being trained on. This. And on here, my company puts out this report every year. This isn't a sales pitch. Please go download this report. You can do it over Tor. I promise we are not going to ask for anything from you. We just want this information out there. It's a free PDF. Just go click the button. We don't ask for nothing. Again, do it through an incognito window if you want. So, here's game time for a fabulous prize. We're going to play a Price is Right kind of game. How many
secrets do you think we found added to GitHub, and if you already know the answer, don't answer. How many secrets do you think we found added to GitHub public just in the year 2024? From the beginning of the year 2024 to the end of the year 2024, how many secrets do you think we found in public? And I need hands, otherwise this isn't going to work. And it's Price is Right style. >> 50 million. >> 50 million. >> 500,000. >> 500,000. >> 150. >> 100 million. >> 1 million. >> 1 million. >> 60 million. >> 60 million. >> $1. >> $1, Bob. [laughter] >> 1 million. >> 1 million four. >> Infinity plus more. >> Infinity plus. Wow, that'd be a cool
number. Well, the good news is it's not as high as some of you were guessing, but it is 23.77 million. So who was closest? You're going to have to be honest with me because I don't remember. >> No, 50 is over. >> He said 1 million. >> All the way in the back. I can't throw it that far. But you want a stuffed octopus. It's not stuffed. A crocheted octopus that's red team plus blue team put together materials. I crocheted it on the plane. Come up later and we'll get it. I do that for that specific purpose of, wow, that's kind of a fun way to break terrible news, because this is not good. And there's like 4.6% of all
repos. So you can do this too. You can play this game too. You can just go to api.github.com/events and look at the feed. It's public. It's in the name of the product. You can just read the feed. Go look at every commit. Scan it for a secret. Or anything that becomes public that was private. Scan it for a secret. 25% growth year-over-year. And we have changed methodologies, but even accounting for the old methodologies, it still grew 25%. And the report goes into great detail on how we did the methodologies on it. The most horrifying part of this to me, oh, so also just to finish the thought, we do send an email immediately upon
seeing a secret to the committer. So, please sign your commits with actual emails you check. Please, because there are good people in the world that are trying to say, "Hey, you might have done this by accident. Please don't do that." We're one of those people. The horrifying part to me was, we do validation checks on all these secrets. That's not the horrifying part. If we can validate, we validate and say, "Hey, does this work or not?" It's not an intrusive call into the system. Say, "Hey, does this work or not?" And if it does, we say, "Well, that's a valid secret." We went back to 2022, all the data we had then from those
findings, and said, "Okay, all the ones we found valid, let's take a subset." So we found 11,000. We just took a random 11,000 that were valid in 2022, retested them in January 2025, and 70% came back as still valid. Yeah. Which kind of makes the data from Verizon's DBIR make a little more sense. I don't know who has not read the Verizon DBIR this year. You can be honest. It's free. It's an awesome report. It's written by humans for humans. It's the best two-hour read you'll have this year. >> Press release. >> The press release is good, but there are jokes all throughout. All throughout. My favorite one, I think, is on page 14 or 18. It's like, "and just
like in the land of the fae, names have meaning here." Yeah. Footnote 13 is a callback to footnote 11 from the previous year. Yeah. Fun. Anyway, I like talking about the fun parts because, yeah, 22% of all initial access vectors for breaches is credential abuse. People finding these keys and just getting in. Exploitation of vulnerabilities is a close second. Phishing's falling down. Yeah. Well, wait a minute. Phishing is how you get human access. This is definitely riding on the backs of web infrastructure. People are attacking the non-humans because there's just so many more of them and we've secured them so poorly and there's no MFA and they're over-scoped and they live forever by
default. And we see the numbers for how fast rotation happens. Here's Verizon's independent thing. They say 94 is the average number of days after the breach is known. So we put out this other report. Again, CyberArk, I don't work for them, but they keep popping up. We did a report with them back in 2024 and we asked a thousand, I'll put that back up for a second if you want. Voice of the Practitioner, we call it. We asked over a thousand IT professionals a bunch of questions and 75% said, hey, we've got strong confidence in our secrets management capability. And then we said, how long does it take to remediate a secret? And
they're like, we think about 27 days. Nope. Nope. We're pretty sure that's not right. We're pretty sure that's not right. Yeah. And then the same exact people said only 40% of developers reported following security best practices. So, I don't know, this is survey data. You can trust it only so far. So what do we do? What do we do? That's the horrifying first half of the talk. Apologies for making people uncomfortable or scaring people. That's why I do it with a little bit of levity. What do we do? Well, I can't overstress this part enough. Be like this little bird. Breathe. Eat. Remember, you are human. You are a person first and foremost. If we lose
sight of the fact that all of security is about human beings, including you, including your health and mental health, we've lost the game. We can fight zero-days till we're dead. We're never going to win security. All we can do is keep supporting each other. BSides is very important for that. Getting together and seeing each other face to face. You're no longer just a screen name here. You're no longer just an anonymous person out there fighting the good fight as well. We're here together. And that means something. God damn it. So you take care of you first. Put your oxygen mask on first. Breathe. Realize, like, look, we can do our best effort. We
can fight this fight together and we can make the world a better, more secure place so developers can go home to their kids and not have to worry about this at 3 in the morning. That we can have jobs tomorrow because we did it right enough that the attackers got to us and said, "Wow, all the easy paths are hard here. All the easy paths are blocked. I'm going to have to do some backflips to get in here. I can move somewhere else." Or breathe first. And then look to OWASP. I'm an OWASP fanboy, so forgive me. But they put out this, back again in December, January, this came out: the OWASP Non-Human Identities Top 10
risks. Look it up. That's a lot of stuff and I'm not going to laundry-list it to you. I have a talk tomorrow where we're going to go through this a little more in depth about how to talk to developers about all this stuff. But I think it basically falls into these three broad categories that we really have to get a handle on. One of them is really hard and it's going to be the challenge. I'm going to challenge everyone to walk out of this room and think about how to go about the rest of your job and the rest of your career. The second one's pretty straightforward and that's the one I'm going to spend
the most time on because that one's the easiest one to talk about and, well, I like talking about things that are easy. The last one is only going to get more complex, but good news, there are tools on the way, and tools aren't the solution for everything, but tools can help. Tools are part of the solution. So, I say three pillars of NHI governance on this screen. I'll say something else later, but I firmly believe this is how all good programs work. I've always believed this and I always will believe this. It's a virtuous cycle where you raise awareness with the right people, make a plan, put processes in place to say, "This is how we're going to do
this." Then, and only then, go out and acquire the tools you need to get the job done. And once you have the tools, train the people on how to use those tools properly using the processes you set forth. And then refine the whole thing in a virtuous cycle, a feedback loop, if you will, a DevOps and agile loop, to say, "This is how we're going to solve this," and keep refining and keep refining and keep refining. But if you don't start with raising awareness, getting people on the same page of what we need to get done, it ain't gonna get done. And that comes down to ownership. You ever want to scare an IT team? Walk
in and say, "Who owns Active Directory?" The answer should be somebody. The answer should be a very specific point person in the company. Who owns PAM? Who owns Okta? Go to your HR teams, like, who owns onboarding? And they're like, what do you mean? Maybe they have an answer. Hopefully they have an answer. But if we go through this list, it's like, all right, devs introduce these NHIs a lot. They put in the calls to the APIs. They have to authenticate to things. DevOps builds the infrastructure. That's all the pieces talking to each other. Do they own it? Well, they created it. Devs have a pretty high turnover rate, so you hope they're still around. Hopefully operations does have
a plan for contingency on this stuff, right? Well, guess who goes to jail if you get a breach because of something they did? Not these guys. Maybe it's the exec team. And the exec team ultimately is responsible for everything in your company. I firmly believe that. It's their job, but their job's also to manage risk. And security, in their opinion, is just one more risk in a whole litany, a sea of risk. Maybe it's your IAM owner. Maybe you have this person. Maybe you're big enough. The group that studies executive pay, I forget what this stands for, but INS said from stage a couple years ago that it's not until companies hit about the five billion
revenue mark that they're big enough to justify having somebody that owns IAM outright that reports to a C-level. So it'd be the CISO or the CIO or the CTO or maybe the CEO or maybe a board. But this person should exist. Somebody should be responsible to drive the conversation forward. So they don't maybe outright own everything. But unfortunately, it means everybody owns it, which means nobody owns it right now. And this is the conversation that's hard. All right. How do we rally this? How do we get budget for this? How do we improve this across the team? Because this is how they're getting in. We can spend all the money on all the EDX, EDR, all the endpoint solutions,
all the lockdown of everything, all the technical solutions in the world, but if we're just throwing out the password for all of these NHIs we're creating at a rapid rate because the AI keeps telling us to do it, why do we even bother? If I can log in, I don't care about your firewall. So, how do we have that conversation? Drive it forward. Oh, I think it does boil down to having the conversation of, like, what even is ownership here. I like Ann Landers' version of it. She stole it from somebody else, but that's where I read it first. So, I'll credit Ann Landers here. I won't read the whole list to
you, but open it, close it, turn it on, turn it off. What's your sunset policy on this API? How long does this secret live? Who wrote down those questions? Where is that policy? Where's the governance model around it? That's the challenge I want everybody to go out of here thinking, like, all right, technically we can do this, but who drives it? How do I have that conversation with the rest of my team? That's all I'm going to harp on today. Come back to my talk tomorrow. We talk way more in detail about how to have that conversation with developers and drive them. Let's talk about the easier one, the one with a very straightforward set of
technical solutions that I'll speed up now. How do we get DevOps and dev people to stop doing this? Because if you just send them a ticket and say, "All right, you leaked a secret, rotate it," guess what's going in the code? The exact same thing they just did, because there's no other, better methodology. So, I'm going to talk long term and I'm going to talk short term. In the long term, we have solutions. We are going to move things to the world of identity, federated identities and ephemeral secrets. And we're already doing it. We've been doing it for a decade. Google's been doing this for a
decade. It's called SPIFFE, Secure Production Identity Framework For Everyone. They don't call it SPIFFE internally. Google has something else they call it internally. But this idea came out about seven, eight years ago from a meetup that happened at Netflix. And SPIRE is the open-source actual implementation you can go download right now. And if you're handling your own workloads right now and your own internal systems, this is what you're going to want to do. Way too much to SPIFFE to cover in this short time, but I'm going to do resources. I'm going to give you the quick overview. We can cryptographically prove a bunch of stuff at the time a workload is created. We can do secure
boot. We can do trusted boot. We can know all the facts we need to know that this thing we spun up is the thing we spun up and it's provably true. If that's true, we can then inject with an API a credential that says you are you, this is your identification, and we can use that for authentication throughout distributed systems. That's kind of it. If I go to a gateway and say here's my credential, you can say yep, that's your credential. I trust that certificate authority. Cool. Or say, let me go double-check that real quick. And now we let it in. And then we worry about authorization
as a separate mechanism because those are two separate things, and I'm not going to get into authorization today. You can federate the certificate authorities. You can do really cool stuff with this, but it's the idea of namespacing and allow-listing with PKI. There's a whole book about this. It's one of the best technical books I've read in the last few years of my life. spiffe.io/book. It's free. It's 198 pages. If you're like, I ain't got time for a book. Sorry, I should have taken another slide out. You're like, I ain't got time for a book. Well, go watch this talk from CloudNativeSecurityCon last year, the story of Crush. It's really, really good and it's
everything you need to know about this with some working and implementation details, much deeper than I get into today. You're like, well, that's cool, but that's cloud native. What about the rest of us? Well, that's where the IETF comes in. Does anybody not know what the IETF is? Because I honestly didn't before a couple years ago. IETF, Internet Engineering Task Force, takes care of things like, you know, TCP, IP, HTTP, HTML, like the actual standards body that says this is what this means. Well, they're working on something called WIMSE, Workload Identity in Multi System Environments, which is basically the ideas of SPIFFE applied globally at a better scale. We're in draft 4 right now and there's a real large
conversation going on in the email group and it's sped up in the last few weeks as we march toward one of their big events. You can go read the drafts. It's awesome. That's where this workload thing comes from and it's basically what I explained with SPIFFE but applied to pretty much everything. There's going to be a WIMSE namespace instead of a SPIFFE namespace, but there are conversations ongoing about what that actually looks like, and if you want to get involved in that, now's the time. You're like, okay, well, how far off in the future is this stuff? This is like how we're going to do this in a few years. Great. Well, we can do it right now, since May, in
Kubernetes. As of Kubernetes 1.33, this is how we can do image pulls. Now, you can set up a service account token for credential providers, that's short-lived, automatically rotated tokens for service accounts. "If the credential provider communicates an opt-in, receiving service account..." I'm not going to read the whole thing. This is for image pulls. So basically you say, here's my token that says I am me. Cool. I'll swap that for a very short-lived thing to do the image pull. Everybody wins. This is already popping up. This is how we're going to do things in the future. So the idea of a long-lived credential that says I am allowed to do these things is going to be separated out from
here is a rotated short-lived thing that says you are you, that's provable through a specific authority, and that's how you're going to authenticate in. And then we're going to worry about authorization as a separate piece and that's what you're going to trade for once you're past the token, once you're past a zone. I'm oversimplifying a few things here. Go read the standards. Go read the docs. That's how we're going to do that in the long term. And developers are just going to think about namespacing, certificate authorities. I promise you, in the next three to four years, that's where we're going with it. But in the short term, how do we stop this? Well, there's this magic trick you can kind of
pull off. If we think we have all these non-human identities, all these things we need to account for, and right now we need a way to identify them. We need IAM, identity and access management, for all of these things, and in the meantime we have given them all a unique identifier in the form of a secret that exists just to let it do the thing. What if we said these are equal? If we can just map out all of the secrets, then we have therefore mapped out all of our NHIs. Now, it's a little bit of kabuki theater. Is that exactly 100% true? No. Is it a practical approach to how do we get out of this hell in the short term?
Yes. Because I've seen a lot of people do this. The plan then becomes very simple with just these steps. Find all your secrets, properly store them, get better developer tooling, continually secret scan, and then automatically rotate all the secrets once they're properly stored. It starts with finding everything because that's the first rule of all threat models. If you don't know what it is, you can't protect it. And everybody's kept track of all these NHIs they've created and all the secrets. Right. Right. They definitely didn't put a giant list out there in plain text. We would hope, right? No, of course not. But we do know where all of these secrets live because we keep
finding them in code and in Jira and config files and Slack and Confluence and secrets.txt and many, many, many, many, many other places in the world. And we know where those are because they're on our network. And hopefully we can scan our own networks, right? Well, that one I actually do hope I'm right on. We know where these things are. And there are a bunch of tools to do this. Now, I have a personal favorite on this list, but eventually you just want to be able to find all of the secrets. A lot of them match pre-existing patterns with prefixes. A lot of them don't, and you need contextual analysis to figure out how to do that. There's a lot of
ways to go about this. Again, I have a personal favorite on this list, but I'm not here to sell you anything specifically other than the idea of scan for secrets continually. So, okay, we found all of our secrets and we got this giant list of like here's our inventory of all the secrets where they're not supposed to be. What do we do next? Well, we put them where they're supposed to be. And here's a very highly accurate ar um art uh what do you call architecture diagram of how secret managers work. Basically, a secret manager can in store uh can store credentials secrets whatever even config at rest, encrypt it, and then deliver it over the wire when needed,
being pulled in just in time to be used. Thank you. And yeah, hopefully you have some centralized reporting on that. Hopefully, it's easy enough for developers to use. Good news: if you're all in on one cloud provider, you've already won the day. They already have this. This is built in. It's baked in. Is it free? I don't know. Maybe. I hope so. It should be. It isn't, but it should be. AWS actually is trying to get secrets out everywhere so you can do AWS Secrets Manager for everything. It's still a work in progress. I've heard mixed results, but still, you can do this. If you're on multicloud, hybrid, legacy, well, guess what? They sell that. It's called
a service that does that. Enterprise Secret Manager is generally the class, but "vault" is the general term you hear, even though HashiCorp's is actually called Vault. And they all work the same general way. You stuff the secret in there and you give it a path. And then don't worry about the rest of this. This is just an example to prove that you pulled the secret out. But then the developer, instead of hard-coding the secret, says, "All right, here's the thing I am calling and here's the path inside of the thing I'm calling to give me back the secret." Now, there are a few ins and outs and
architectural trade-offs you're going to have to make when you do this. And one of the best talks I've ever seen about how to do this blue-green rotation of secrets using a secret manager happened on this stage last year. Kenton, brilliant talk. The link to the talk is in the speaker notes. Go look at it. But basically, rotate as often as you can and do it in a way that doesn't break. He's doing this against satellites. So if they mess up, there's no going back. So they have to do this very securely, in a very scalable way, or a very robust way. So
then you just go down your list: all right, so we do this for new systems, greenfield, obviously; then we do mission-critical systems; and then you find all these legacy secrets, like, what does this even go to? And a subset of that is going to be zombies. How many people think they know all the API endpoints that are still running across your organization? I've never had a hand go up. Actually, one guy did. He's like, "Yeah, we have one API. It has two endpoints." Like, okay, okay, you're going to pass. But everybody else, you've got something running. Guess what? If I'm fuzzing, I don't care. I don't care
if it still works or not. I'm just going to fuzz until it does. All right. So, how do we get developers to use that stupid long string and then put things in there with a path? That's a hard question, because you're trying to slow them down now, and in their brain anything security-wise you're asking them to do slows them down. And guess what? Their boss is yelling at them to go faster and saying, "We're going to replace you with AI if you can't produce fast enough." Again, tomorrow I'm going to dig into that a lot more. But in the short term, we've got to say, "Hey, how would you like to go a lot faster?" And we give you tools
that do that. And that's where security engineers are the greatest heroes in the entire universe. And this is another challenge: if you are a person who has access to developers and you are a person who wants to actually help developers, go sit down and talk to them about their workflows. And the thing that's going to pop up in every conversation is Git. Guaranteed. 97.8% of all developers on Earth use Git daily in their workflows. Why don't we meet them where they are? Because Git has this awesome ability to do scripting. It's called hooks. Everywhere in the life cycle where Git does a thing is a chance to hook in a tool. So why not give them a tool locally that
says, all right, paste your hard-coded credential, try it, and let's catch it and say, all right, you can't do that. That exists out of the box right now; a lot of people do that. But then why don't you further the script and say, well, why don't we just go check and see if this already exists in the vault? Oh, it does. Cool, here's the path. Oh, this doesn't exist in the vault? Then stuff it in and make up a path for you. That exists sort of out of the box; it takes a little bit of scripting and a little bit of how does the path work, but I've seen that script in action. And then you use whatever,
I don't know PowerShell tools um to actually swap out the line where they hardcoded the secret with the vault call again that's just pretty simple scripting and then once everything's committed if I commit and this on the other side if a commit contains a new call to the vault rotate that secret automatically I've seen the script I've seen the script work takes a little But it's possible. But dev's going to be devs. They're going to get around your tools. So why don't do this at the PR level? Why aren't we doing this at the PR level? This is possible now. The technology has caught up. Maybe you don't know it has, but it has. And I'm here to tell you
this. If you want to see, open source, how we built this a year and a half ago, we called it Brimstone. CyberArk called it something else, but it's a reference implementation. Would you run this in production? Maybe. Your risks are your risks. A little bit brittle in my opinion, but we've worked on it a lot since then. And again, it's a jumping-off point. All of this is just scripting. All of this is just how do you communicate with a vault? And guess what? All of the players are willing to talk to you right now and say, "This is how we want to do it." Thank you. So, find all secrets,
put them in there. Continually scan for secrets. People can inject secrets everywhere throughout the software development life cycle, and people are going to get around things constantly. So we've got to do it constantly. So, this rotation at scale, though. This is actually pretty straightforward. Again, if you're already all in on one provider, these scripts exist. They wrote a Lambda for you already on AWS for every conceivable thing they ever built. And if it doesn't exist, write to them and they will write it for you, because they want you to do this. And all the script does is just make a new one, test, swap in the new one, test, clean up. That's all
these scripts do. There are tons of blogs. There are tons of resources on this. If your team doesn't already have a plan in place to make this happen, this should go way higher on your priority list, because if I find a hard-coded secret and it's expired, it's useless to me. Sure, I can help map your network and whatnot, but I don't really care about that. It doesn't let me immediately in. I'm going to move on to something else. If you're on one of those other systems, then the question is, can I make a call into that system to let me rotate a secret? The answer should be yes. It's 2025. The answer should be yes. If the answer is no, start asking yourself
why you're using that service, because it's 2025 and you should be able to make an API call to rotate a secret. And then all the other players, like CyberArk, Vault, Doppler, all those guys, all have scripts to help you out with this stuff. They all do. If you can't find what you're looking for, call the rep, call whoever, and say, "Look, this is what I need." Go to the community pages. It's out there. People have been working on this. You're not alone. Just to reiterate, there's a lot of stuff on here. I'm not going to go through them all one by one. No time anymore. But it boils down to ownership. And that's the hardest piece. And that's
the conversation you're going to need to have. Long-lived secrets: hopefully, I've spelled out that it's doable, straightforward, easy. No. Nothing's easy, but there are straightforward paths here for the technical complexity. I'm going to point at CSPMs. I'm just going to cheap out and say, look, there are tools that can help you do this, and training and awareness around all of these things. But we're only making it harder and more difficult on ourselves. Just go pick a tool, go talk to them about how to do it. And there is a whole other class of things around IAM that stretch beyond humans. I was at Identiverse earlier this year and this is a happening
conversation, and there's a bunch of players that say, how do we stretch our IAM platforms not just to handle humans but for non-humans? And then these guys popped up, the Non-Human Identity Management Group. I'm affiliated with them, full disclosure, but their entire mission is, how do we tool for this? How do we deal with non-human identity at scale, in a governance way, in a security way? And they put out lists and a bunch of reviews of all of these players. There are a lot, and this is the fastest-growing segment of security I've seen in the last couple of years of my life. It's just kind of amazing how fast this is exploding. We're in there, too.
Just full disclosure. But that's where I'm going to leave you. Go look at what's out there and what they can provide for non-human identity governance. But I ain't worried so much about the governance as much as I am worried that we keep leaking secrets. I am worried that NHIs are outpacing humans by so much. But the fact that we can abuse their access so easily because we keep getting secrets wrong terrifies me when I think about this happening right now. I have no idea how many robots are on that screen. I've never counted. I just know it's a lot. And I know that Gen AI is pushing this forward really hard. Raise that awareness. Get the right
people having the right conversation. Get that conversation of ownership going. And then you can start building the processes. Then you can pick the tools. Then you can train the people. And then the virtuous cycle can complete. I'm out of time, but I'm Dwayne. I came from Chicago. I help people figure stuff out. Hit me up. I am happy to give you anything you need slide-wise or whatnot. That just goes to our blog. And thanks very much. Slides are again at that tiny URL. Thanks very much, everybody.
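Added example, not part of the talk and not the speaker's Brimstone code or any vendor's tooling: a Python sketch of the local Git hook described above (catch a hard-coded credential, check whether it is already in the vault, store it under a generated path if not, and swap the literal for a vault call). The two prefix patterns are public key-ID formats; the Shannon-entropy rule stands in for the "contextual analysis" the talk mentions. `ToyVault`, the `vault.get("...")` call it emits, the `secret/<repo>/<variable>` path scheme and the staged lines are all assumptions constructed for the example (the AWS key ID is AWS's own documented example value).

```python
"""Pre-commit style secret check with vault lookup and line rewrite (added example)."""
import math
import re
from typing import Dict, List, Optional, Tuple

# Credential formats with a recognizable prefix (both formats are public;
# the list is deliberately short for the example).
PREFIX_PATTERNS: Dict[str, re.Pattern] = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
# Contextual rule for formats without a prefix: a credential-looking variable
# name assigned a quoted string of 16+ characters with high entropy.
CONTEXT_ASSIGNMENT = re.compile(
    r"\b(?P<name>\w*?(?:secret|token|password|api_?key)\w*)\s*[=:]\s*"
    r"(?P<quote>['\"])(?P<value>[^'\"]{16,})(?P=quote)",
    re.IGNORECASE,
)
ENTROPY_THRESHOLD = 3.5  # bits/char; a heuristic, so low-entropy passwords slip through
LEADING_NAME = re.compile(r"^\s*(?P<name>\w+)\s*[=:]")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, estimated from the string's own histogram."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_secrets(line: str) -> List[Tuple[str, str]]:
    """Return (kind, value) pairs for candidate secrets found on one line."""
    found: List[Tuple[str, str]] = []
    seen = set()
    for kind, pattern in PREFIX_PATTERNS.items():
        for m in pattern.finditer(line):
            if m.group(0) not in seen:
                seen.add(m.group(0))
                found.append((kind, m.group(0)))
    m = CONTEXT_ASSIGNMENT.search(line)
    if m and m.group("value") not in seen:
        if shannon_entropy(m.group("value")) >= ENTROPY_THRESHOLD:
            found.append(("high_entropy_string", m.group("value")))
    return found


class ToyVault:
    """Hypothetical in-memory stand-in for a secrets manager (path -> secret)."""

    def __init__(self) -> None:
        self._by_path: Dict[str, str] = {}
        self._by_value: Dict[str, str] = {}

    def find_path(self, secret: str) -> Optional[str]:
        return self._by_value.get(secret)

    def put(self, path: str, secret: str) -> str:
        base, n = path, 1
        while path in self._by_path and self._by_path[path] != secret:
            n += 1  # never overwrite a different secret already at that path
            path = f"{base}-{n}"
        self._by_path[path] = secret
        self._by_value[secret] = path
        return path

    def get(self, path: str) -> Optional[str]:
        return self._by_path.get(path)


def rewrite_line(line: str, vault: ToyVault, repo: str) -> Tuple[str, List[str]]:
    """Replace each hard-coded secret with a vault reference; reuse an existing path if the
    secret is already stored, otherwise store it under secret/<repo>/<variable name>."""
    findings: List[str] = []
    name_match = LEADING_NAME.match(line)
    var_name = name_match.group("name").lower() if name_match else "unnamed"
    for kind, value in find_secrets(line):
        path = vault.find_path(value)
        if path is None:
            path = vault.put(f"secret/{repo}/{var_name}", value)
            findings.append(f"{kind}: new secret stored at {path}")
        else:
            findings.append(f"{kind}: already in vault at {path}")
        new_line = line  # vault.get(...) is a placeholder client call (assumption)
        for quoted in (f'"{value}"', f"'{value}'"):
            new_line = new_line.replace(quoted, f'vault.get("{path}")')
        if new_line == line:  # bare token, e.g. inside a URL: still scrub it
            new_line = line.replace(value, f"<vault:{path}>")
        line = new_line
    return line, findings


def run_hook(lines: List[str], vault: ToyVault, repo: str = "payments") -> Tuple[List[str], int]:
    """Scan staged lines; a non-zero count is what a real hook turns into a blocked commit."""
    out, caught = [], 0
    for line in lines:
        new_line, findings = rewrite_line(line, vault, repo)
        caught += len(findings)
        out.append(new_line)
    return out, caught


SAMPLE_STAGED_LINES = [  # constructed sample input
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    'api_token = "q7Zr2pL9wXc4Vb8nKm3TfH6sJdYaGe1U"',
    'db_password = "passwordpasswordpassword"',  # low entropy: the heuristic misses it
    'LOG_LEVEL = "INFO"',
]

if __name__ == "__main__":
    v = ToyVault()
    rewritten, n = run_hook(SAMPLE_STAGED_LINES, v)
    print(f"{n} secret(s) caught; rewritten lines:")
    print("\n".join(rewritten))
```

The same key committed later from another repo is found by value and gets the existing path rather than a duplicate entry, which is the "oh, it does, cool, here's the path" branch. The low-entropy password line is left untouched on purpose: it shows why prefix patterns and entropy alone are not enough and why the talk keeps saying to scan continually rather than trust one pass.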