< ciso
brief />
Tag Banner

All news with #secrets management tag

50 articles · page 2 of 3

Governance Gaps as AI Agents Drive 76% NHI Increase

⚠ The SANS Institute warns that rapid adoption of agentic AI is outpacing security controls, driving a 76% rise in non-human identities (NHIs) such as service accounts, API keys and automation bots. Based on interviews with more than 500 security professionals for the 2026 State of Identity Threats & Defenses Survey, SANS identified widespread credential hygiene failings and a surge in agent-linked NHIs that can double or triple in number. The report highlights that many organizations do not rotate machine credentials on a 90-day cycle and lack coordinated AI governance, and recommends secrets vaults, automated rotation and scoped least-privilege access to mitigate risk.
read more →

Managing digital assets after death: risks and guidance

🔒 Digital assets left after death — from emails and social media to passwords and crypto wallets — can complicate an already traumatic time for families and create new fraud opportunities. The legal landscape is fragmented: RUFADAA in the US, a proposed UK bill and ELI efforts in Europe offer partial solutions, but platform policies remain inconsistent. Practical steps include creating a digital inventory, appointing legacy contacts (e.g., Facebook/Instagram Legacy Contact, Google Inactive Account Manager, Apple Digital Legacy) and using emergency access features in password managers. Also file tax returns, place deceased alerts on credit reports, cancel subscriptions, and be wary of scams targeting grieving relatives.
read more →

State of Secrets Sprawl 2026: AI-Driven Credential Risk

🔒 GitGuardian's State of Secrets Sprawl 2026 shows leaks accelerated in 2025, uncovering 29 million new hardcoded secrets — a 34% year-over-year increase and the largest single-year jump recorded. The report highlights three core trends: AI-driven credential exposures, unexpectedly widespread internal-repo and collaboration-tool leaks, and persistent remediation failures. It urges a shift from detection to continuous non-human identity governance, secrets vaulting, and automated rotation to reduce attacker access.
read more →

Betterleaks: Advanced Open-Source Successor to Gitleaks

🔐Betterleaks is a new open-source secrets scanner developed by Zach Rice and supported by Aikido Security as the successor to Gitleaks. It inspects directories, files, and Git repositories using rule-defined validation with CEL and a token-efficiency approach based on BPE tokenization. Implemented in pure Go to avoid CGO/Hyperscan dependencies, Betterleaks adds automatic decoding of doubly/triply encoded secrets, expanded provider rules, and parallelized Git scanning for faster analysis. The project is MIT-licensed and maintained by a small, cross-industry team.
read more →

Infostealer Targets OpenClaw, Exfiltrating AI Agent Data

🔐 Security researchers have documented an infostealer attack that exposed sensitive files from local AI assistants, specifically OpenClaw. Hudson Rock reported the malware harvested configuration and key material—including openclaw.json, device.json, and agent memory files—allowing token theft, private key access, and capture of users' operational context. The incident underscores risks from plaintext secrets and permissive defaults in agentic tools.
read more →

Study Finds Multiple Cloud Password Managers Vulnerable

🔒 A new study from ETH Zurich and Università della Svizzera italiana shows that cloud-based password managers, including Bitwarden, Dashlane, and LastPass, can be vulnerable to password recovery and integrity attacks under a malicious-server model. Researchers identified 25 distinct attack variants ranging from metadata leakage and item swapping to full organizational vault compromise. Vendors have issued patches or mitigation roadmaps and say there is no evidence of in-the-wild exploitation.
read more →

Researchers Find Multiple Flaws in Cloud Password Managers

🔐 A team of researchers from ETH Zurich and USI disclosed 27 successful attack scenarios against cloud-based password managers from Bitwarden, LastPass, Dashlane and 1Password, challenging vendors' zero-knowledge claims. The attacks exploit design and cryptographic flaws — including unauthenticated public keys, missing ciphertext integrity and KDF downgrades — enabling vault compromise, password recovery and mass takeover. Vendors report remediation is underway; users should verify fixes and follow advisories.
read more →

npm's Token Overhaul Reduces but Doesn't Eliminate Risk

🔒 In December 2025 npm completed a major credential overhaul, revoking long‑lived classic tokens and moving to short‑lived session tokens and OIDC Trusted Publishing to reduce supply‑chain risk. While MFA by default and ephemeral per‑run CI credentials limit exposure, optional 90‑day tokens that bypass MFA and successful MFA phishing still permit rapid malicious publishes. Developers should favor OIDC, avoid long‑lived bypassable tokens, and enforce MFA-on-publish where possible to further harden the ecosystem.
read more →

Bitwarden launches Cupid Vault for secure account sharing

🔐 Bitwarden has introduced Cupid Vault, a free feature that lets users create a two-person shared Organization to securely share login credentials with a trusted email address. Owners assign credentials to the second member, can verify enrollments using a fingerprint phrase to prevent man‑in‑the‑middle attacks, and can revoke access at any time; the Organization vault is isolated from personal vaults. Cupid Vault is limited to two users and two collections and is distinct from Bitwarden's paid Family, Teams, and Enterprise plans that provide broader sharing and role-based controls.
read more →

Ephemeral Infrastructure Paradox: Strengthen Identity

🔒 Modern cloud environments create vast numbers of short-lived machine identities that outnumber humans and often remain unmanaged. The author argues that traditional, ticket-driven identity governance is inadequate for ephemeral workloads and supply-chain tooling, exposing organizations to “zombie” service accounts and credential theft. The recommended response is a shift to cryptographic workload identity (e.g., SPIFFE and workload attestation), elimination of long-lived static credentials via short-lived tokens and OIDC Federation, and automated entitlement pruning using CIEM to restore least-privilege without slowing engineering velocity.
read more →

Leaked Non-Human Identities: A DevOps Risk Report Overview

🔐 In late 2025, Flare researchers discovered over 10,000 Docker Hub images containing exposed production secrets — from API keys and cloud tokens to CI/CD credentials and AI model access tokens. The report frames non-human identities — tokens, service accounts and workload identities — as persistent, highly privileged artifacts that often outlive their creators and bypass traditional controls. It highlights incidents including the Snowflake breach, a long-lived Home Depot GitHub token exposure, and a Red Hat GitLab compromise, and urges teams to adopt automated secret scanning, short-lived credentials, and continuous monitoring of public registries.
read more →

Centralized vs Decentralized Secrets Management on AWS

🔐 This post compares centralized and decentralized approaches to secrets management across four lifecycle domains: creation, storage, rotation, and monitoring. It explains how platform engineering and golden paths can centralize creation to enforce naming, tagging, and least-privilege checks while acknowledging the resource cost and maintenance burden. The article contrasts centralized storage (simplified monitoring but higher cross-account complexity and KMS costs) with storing secrets in workload accounts (better isolation, delegated ownership). Finally, it recommends centralizing auditing and observability while allowing hybrid architectures that balance control, speed, and operational scale.
read more →

Enterprises Struggle with IAM, Privilege and AI Access

🔐 New research from CyberArk finds enterprise users routinely bypass IAM controls to work faster, with 63% of security leaders reporting this behavior. Only 1% of organizations have fully implemented a modern just‑in‑time privileged access model, while 91% say at least half of privileged access remains always‑on. Shadow accounts and unmanaged secrets surface weekly in 54% of firms, and many lack clear AI access policies.
read more →

Securing RPA: Integrating Non‑Human Identities into IAM

🤖 Robotic Process Automation (RPA) bots are rapidly becoming first‑class Non‑Human Identities (NHIs) that streamline provisioning, deprovisioning and credential handling while reducing human error. Left unmanaged, bot identities and embedded secrets expand the attack surface and enable privilege misuse or lateral movement. Organizations should treat bots like human users — using secrets managers, PAM, JIT access and unified IAM with Zero Trust controls to preserve least‑privilege and maintain auditability.
read more →

Passwork 7: Self-hosted Password and Secrets Manager

🔐 Passwork 7 is a self-hosted password and secrets manager designed for enterprise teams, combining a user-facing password vault with a programmatic secrets management system. It introduces a flexible vault architecture (user, company, and custom vault types), granular RBAC, secure internal and external sharing, and comprehensive audit trails. The platform supports SSO/LDAP, an API-first model with a Python connector, CLI and Docker deployment, and a zero-knowledge encryption mode to keep data encrypted client-side. Passwork 7 targets organizations seeking unified human and machine credential governance with self-hosting and compliance controls.
read more →

AWS Secrets Manager Introduces Managed External Secrets

🔐 AWS Secrets Manager now supports managed external secrets, a new secret type that standardizes storage and enables automated rotation for third-party application credentials such as Salesforce, Snowflake, and BigID. The feature separates rotation metadata from secret values and integrates directly with providers to remove the need for custom rotation functions. It leverages existing IAM, CloudWatch, CloudTrail, GuardDuty, and KMS controls and follows standard Secrets Manager pricing with no additional charge.
read more →

Enterprise Password and Secrets Management — Passwork 7

🔐 Passwork 7 consolidates enterprise password and secrets management into a single, self-hosted platform supporting both human and machine credentials. The release improves credential organization with new vault types, expands RBAC and group-based permissions, and enhances audit trails and notifications. It also provides a REST API, Python connector, CLI, and Docker image for automation, plus zero-knowledge encryption and SSO/LDAP integration to help meet compliance needs.
read more →

Practical Steps to Minimize Key Exposure in AWS Environments

🔐 This AWS Security blog by Jennifer Paz outlines a layered, practical approach to reduce exposure from long‑term AWS credentials. It recommends discovery and risk assessment with CodeGuru Security, IAM Access Analyzer, credential reports, and Trusted Advisor, followed by enforcement using SCPs and RCPs to create a network data perimeter. The post also covers runtime protections (security groups, NACLs, Network Firewall, AWS WAF), automated rotation using Secrets Manager or rotation patterns, and threat detection via GuardDuty, all intended to bridge the gap until migration to temporary credentials is feasible.
read more →

Amazon EKS add-on: AWS Secrets Store CSI Driver Provider

🔐 AWS has announced general availability of the Amazon EKS add-on for the AWS Secrets Store CSI Driver provider, enabling clusters to mount secrets from AWS Secrets Manager and parameters from AWS Systems Manager Parameter Store as files on Kubernetes workloads. The add-on installs and manages the AWS provider component and supports automated setup and lifecycle management for new and existing Amazon EKS clusters. It is available in all AWS commercial and AWS GovCloud (US) Regions.
read more →

Addressing Password Management Challenges to Protect Data

🔒 Enterprises and SMBs have invested heavily in authentication and IAM, but those controls are only as strong as password management. Compromised credentials remain a leading cause of breaches while the average employee manages over 100 accounts, creating operational and compliance burdens. Dedicated password managers can cut support costs by up to 80% and lower incident rates, but success requires strong user adoption and integration with SSO, MFA, LDAP/AD and privileged access systems.
read more →