
José Carlos Chávez
November 14, 2025

Beyond the .env: Embracing Ephemeral Credentials for Enhanced Security

Storing secrets in a .env file is as safe as hiding a spare key under the welcome mat, but we know the feeling: it is easier. What if you could launch a terminal environment where the right credentials are exposed at the right time to the right application, without leaving the key under the .env mat?


Transcript

  1. © Okta and/or its affiliates. All rights reserved.
     Beyond the .env: Embracing Ephemeral Credentials for Enhanced Security
     BSides Barcelona 2025
     José Carlos Chávez (he/him), Security Software Engineer
  2. José Carlos Chávez, Security Software Engineer - Okta
     • Peruvian
     • Open Source contributor and maintainer for 12+ years
     • OWASP Coraza WAF co-leader
     • Loving father of 2
     • Mathematician in quarantine
  3. What are secrets?
     In the context of application development, a secret is a piece of data used as a credential.
     • API keys, tokens, SSH keys, passwords, etc.
     • Long-lived vs short-lived secrets
     • Variables vs secrets
     • Production vs local
  4. What is .env and why is it so popular?
     • Developer convenience.
     • Centralizes secrets and values.
     • You can have one .env per environment.
     • Widely supported among tooling and languages.
     • Embraced by the 12-factor app methodology.
  5. Threat landscape for local credentials
     • Accidental exposure in source code and version control.
     • Endpoint compromise.
     • Insecure sharing.
     • Lack of visibility and auditability.
     • Low actionability.
     • Shadow credentials and sprawl.
  6. Shifting the model: ephemeral and controlled access
     • Secure vaults for long-lived secrets.
     • Session-based ephemeral credentials and dynamic secrets.
     • Hardware-backed storage: TPM-backed keychains or YubiKey-protected credentials.
     • Multi-factor authentication policies.
  7. Right credentials, at the right time, with the right scope.
     You all have the right to…
  8. Chasky - github.com/jcchavezs/chasky
     • Open source
     • Secrets dealer
     • Supports multiple sources: vaults, CLI tools, etc.
     • Supports multiple outputs: env vars, .netrc files, config files, etc.
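An added illustration of the model slides 6 to 8 describe (example code written for this transcript, not code from the talk or from the Chasky project): a credential issued on demand carries an explicit expiry and is handed to a child process only through its environment, next to an allow-list of inherited variables, so nothing is written to a .env file. The `API_TOKEN` name, the token value and the five-minute lifetime are constructed stand-ins for what a vault or CLI helper would issue.

```go
package main

import (
	"fmt"
	"log"
	"os"
	"os/exec"
	"time"
)

// Credential is a short-lived secret issued for one task, with an explicit expiry.
type Credential struct {
	Name    string // variable name the consuming tool expects, e.g. API_TOKEN
	Value   string
	Expires time.Time
}

// BuildEnv assembles a child's environment from an allow-list of inherited
// variables plus the issued credentials, refusing any credential that already expired.
func BuildEnv(inherit []string, creds []Credential, now time.Time) ([]string, error) {
	env := []string{}
	for _, k := range inherit {
		if v, ok := os.LookupEnv(k); ok {
			env = append(env, k+"="+v)
		}
	}
	for _, c := range creds {
		if !now.Before(c.Expires) {
			return nil, fmt.Errorf("%s expired at %s", c.Name, c.Expires.Format(time.RFC3339))
		}
		env = append(env, c.Name+"="+c.Value)
	}
	return env, nil
}

func main() {
	// Constructed credential standing in for a vault or CLI issuance: a 5-minute token.
	tok := Credential{Name: "API_TOKEN", Value: "constructed-token-value", Expires: time.Now().Add(5 * time.Minute)}
	env, err := BuildEnv([]string{"PATH", "HOME"}, []Credential{tok}, time.Now())
	if err != nil {
		log.Fatal(err)
	}
	// The child sees the token only through its environment; nothing is written to disk.
	cmd := exec.Command("sh", "-c", `echo "token length: ${#API_TOKEN}"`)
	cmd.Env, cmd.Stdout, cmd.Stderr = env, os.Stdout, os.Stderr
	if err := cmd.Run(); err != nil {
		log.Fatal(err)
	}
}
```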
  9. Conclusions
     1. Avoid storing long-lived secrets in plain text; use secure vaults instead.
     2. Also rotate them on a regular basis, preferably with an automated process.
     3. Prefer issuing secrets and credentials on demand, with fine-grained scopes and for a short period of time (according to the task).
     4. Keep track of your secrets and audit them regularly.
  10. Questions?
     You can also reach me at
     • josecarlos.chavez@{okta.com|owasp.org}
     • https://www.linkedin.com/in/jcchavezs/
     • jcchavezs.bsky.social
  11. Recommended readings
     1. https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/
     2. https://www.wiz.io/blog/forbes-ai-50-leaking-secrets
     3. https://github.com/anthropics/claude-code/issues/7921
     4. https://checkmarx.com/learn/secrets-detection/the-cost-of-an-exposed-secret-real-lessons-from-real-breaches/
  12. Thank you!