SaaS vendor credentials should not be visible

As cloud providers mature, a given system can depend on a number of external vendors and SaaS services that unlock development velocity and deliver value quickly. These range from hosted databases to monitoring solutions, analytics solutions and more.

When integrating with each of these SaaS providers, we typically handle sensitive access details and need to communicate with the service in a secure, authorized way. The best practices are usually documented, and often required, by the relevant SaaS provider.

It is in your best interest to keep these access details confidential and secure, especially if you're dealing with SaaS data store providers or providers that handle your sensitive data.

Moreover, attackers are looking not only for your data, but also for easy supply chain attacks: a leaked vendor credential is an entry point into every system that trusts that vendor.

Problem

Cloud SaaS access details (API keys, tokens, passwords, connection strings) are hardcoded or exposed in configuration files, infrastructure code, or application code.

Fix

Infrastructure

  1. Use a cloud-native secret store, such as AWS Secrets Manager
  2. Use a dedicated vault product, such as:
    1. CyberArk Vault
    2. HashiCorp Vault

Architecture

  1. Prefer a 12-factor architecture
  2. Use secret-loading libraries, such as a dotenv (.env) loader for your specific tech stack, so credentials are read from the environment at runtime rather than committed with the code
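The two halves of the fix above, as an added example that is not part of the original page: a small scanner that flags the hardcoded-credential patterns the Problem section describes (a literal value on a secret-like key, or a username and password embedded in a connection URL) while accepting values that delegate to the environment or to a vault reference, and a loader that reads a vendor credential from the environment, fails closed when it is missing, and never echoes the value in a repr. The key-name patterns, the `vault://` reference scheme, and the sample config are assumptions constructed for the example, not from the page or any vendor.

```python
from __future__ import annotations

import os
import re
from dataclasses import dataclass, field

# Key names that usually carry SaaS vendor access details (assumed list).
SECRET_KEY_PATTERN = re.compile(
    r"(api[_-]?key|secret|token|password|passwd|private[_-]?key|access[_-]?key)",
    re.IGNORECASE,
)
# Values that defer to the environment (${NAME}) or to a vault reference
# (assumed "vault://" / "secretsmanager://" scheme) are acceptable.
INDIRECT_VALUE_PATTERN = re.compile(
    r"^(?:\$\{?[A-Z_][A-Z0-9_]*\}?|(?:vault|secretsmanager)://)"
)
# user:password@ inside a URL, e.g. postgres://app:hunter2@host/db
EMBEDDED_URL_CREDS = re.compile(r"://[^/\s:@]+:[^/\s@]+@")
KEY_VALUE_LINE = re.compile(r"^([A-Za-z0-9_.\-]+)\s*[=:]\s*(.+)$")


@dataclass
class Finding:
    line_no: int
    key: str
    reason: str


def find_hardcoded_secrets(config_text: str) -> list[Finding]:
    """Report lines of a key=value / key: value config that carry literal credentials."""
    findings: list[Finding] = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_VALUE_LINE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip().strip("'\"")
        reason = None
        if EMBEDDED_URL_CREDS.search(value):
            reason = "credentials embedded in URL"
        elif SECRET_KEY_PATTERN.search(key) and value and not INDIRECT_VALUE_PATTERN.match(value):
            reason = "literal value for secret-like key"
        if reason:
            findings.append(Finding(line_no, key, reason))
    return findings


class MissingSecretError(RuntimeError):
    """Raised when a required vendor credential is absent from the environment."""


@dataclass
class VendorCredential:
    name: str
    value: str = field(repr=False)  # keep the secret out of logs and tracebacks

    def masked(self) -> str:
        """Safe-to-log form: first two characters, the rest replaced by '*'."""
        return self.value[:2] + "*" * max(len(self.value) - 2, 0)


def load_vendor_credential(name: str, env: dict[str, str] | None = None) -> VendorCredential:
    """Read a credential from the environment (12-factor style); fail closed if unset."""
    source = os.environ if env is None else env
    value = source.get(name, "")
    if not value:
        raise MissingSecretError(f"{name} is not set; provision it through the secret store")
    return VendorCredential(name, value)


# Constructed sample config: two hardcoded credentials, two acceptable indirections.
SAMPLE_CONFIG = """\
# constructed sample: a service config before and after the fix
DATABASE_URL=postgres://app:hunter2@db.example.internal/app
MONITORING_API_KEY="abc123literal"
ANALYTICS_TOKEN=${ANALYTICS_TOKEN}
vendor_password: vault://kv/prod/vendor
"""

if __name__ == "__main__":
    for f in find_hardcoded_secrets(SAMPLE_CONFIG):
        print(f"line {f.line_no}: {f.key}: {f.reason}")
    cred = load_vendor_credential("MONITORING_API_KEY", {"MONITORING_API_KEY": "abc123literal"})
    print(cred, cred.masked())
```

Running the scanner over the sample reports lines 2 and 3 only; the `${ANALYTICS_TOKEN}` and `vault://` lines pass because the value lives in the environment or the vault, which is the shape the Fix section asks for. Wiring `find_hardcoded_secrets` into a pre-commit hook or CI step turns the rule into a check rather than a convention.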

See