Sveriges mest populära poddar
DevSec Station
Teknologi

Secrets Management: Stop Playing Whack-a-Mole

7 min18 juni 2026

If you've ever committed an API key, password, token, certificate, or other secret to a repository, you're not alone. Most secret leaks don't happen because developers don't care about security. They happen because the easiest place to put a secret is inside the code that uses it.

This episode is sponsored by Maze.

In this episode of DevSec Station, Tanya Janca explains why secrets leak, why "just be careful" isn't an effective security strategy, and how developers can stop playing whack-a-mole with exposed credentials. You'll learn why secrets belong outside of source control, how secret scanning can help you find problems before attackers do, and what practical steps you can take to improve your workflow today.

You'll learn:
• why repositories are terrible places to store secrets
• how leaked secrets are discovered and exploited
• why secret leaks are a workflow problem, not a developer problem
• the difference between reacting to leaks and preventing them
• how secrets management tools reduce risk and operational headaches

Tanya walks through a realistic example of how a secret accidentally makes its way into source control, what happens next, and how teams end up trapped in a cycle of rotating credentials and cleaning up incidents. She also shares a practical, developer-friendly process for finding and fixing exposed secrets before they become bigger problems.

One practical action from this episode:

Run a secrets scanner against every repository you actively work on. If you find a real secret:
• rotate it immediately
• move it into a secrets management solution
• update the code so the secret is retrieved securely at runtime

And if your team doesn't have a secrets management tool yet, make the business case for one.

DevSec Station is a podcast by Tanya Janca (SheHacksPurple), focused on short, practical lessons that help software developers build more secure software.

Follow Tanya:
https://shehackspurple.ca
https://youtube.com/@shehackspurple
https://linkedin.com/in/tanya-janca
https://tanyajanca.com

This episode is sponsored by Maze.
One of the biggest problems in security right now is that every vulnerability scanner says everything is critical, and honestly, no one has time for that.

Maze uses AI agents to investigate vulnerabilities in context, so you can focus on the issues that are actually exploitable in your environment, not just theoretically scary.

Their AI agents also generate and prioritize fixes that knock out multiple vulnerabilities at once, which is honestly the kind of scaling that security teams need right now.

Learn more about Maze https://mazehq.com/devsec

Fler avsnitt av DevSec Station

Visa alla avsnitt av DevSec Station
Supply Chain Is More Than Just Dependencies
7 min
Malicious Dependencies Aren’t an Accident
8 min
NPM Supply Chain Attack: Active Worm Stealing Tokens, SSH Keys, and Credentials
2 min
How Modern Supply Chain Attacks Really Happen (Step-by-Step Breakdown for Developers)
10 min
Developers Are Now Targets: How Supply Chain Attacks Actually Reach You
6 min

DevSec Station med Tanya Janca | SheHacksPurple finns tillgänglig på flera plattformar. Informationen på denna sida kommer från offentliga podd-flöden.