Hook
Every secret leaks eventually.
Problem
Long-lived secrets accumulate risk. When one leaks, the leak often goes undetected and the secret remains valid for far too long.
Why it matters
Frequent rotation limits exposure and reduces the impact of leaks. Automated rotation also removes error-prone manual steps.
Signals you are here
- Static credentials that never rotate
- Secrets stored in config files or code
- Manual rotation that requires outages
- Unknown owners for critical secrets
Anti-patterns
- Hardcoding secrets
- Sharing secrets across services
- No inventory of secrets
- Rotations done only after incidents
Try this
- Use a centralized secrets manager
- Automate rotation with short TTLs
- Prefer role-based access and short-lived tokens over long-lived credentials
- Use workload identity (OIDC) where possible to eliminate static secrets
- Audit access to secrets regularly
- Remove unused secrets quickly
- Test rotation in non-prod environments
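To make the "short TTLs plus automated rotation" advice concrete, here is an added example that is not part of the original card and models no particular secrets-manager product. It keeps secret versions with an absolute expiry, rotates automatically before expiry, accepts the previous version only during a short overlap window (so rotation never forces an outage), and then walks through a constructed leak: the leaked value stops validating once its TTL is up. Names such as `RotatingSecret`, `db/app-user` and the time values are assumptions made for the illustration.

```python
"""Added example (not from the original card): a minimal model of a secrets
manager with short TTLs, automatic rotation and an overlap window.
All names, paths and timestamps below are constructed for illustration."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class SecretVersion:
    """One generated value of a secret, valid only until `expires_at`."""
    value: str
    created_at: float
    expires_at: float


@dataclass
class RotatingSecret:
    """A secret that is re-generated automatically and lives at most `ttl` seconds.

    `overlap` is the grace window after a rotation during which the previous
    version is still accepted, so clients that have not yet fetched the new
    value keep working. Time is passed in explicitly so the walk-through is
    deterministic; a real service would use the wall clock."""
    name: str
    ttl: float
    overlap: float
    versions: list[SecretVersion] = field(default_factory=list)

    def rotate(self, now: float) -> SecretVersion:
        # Retire the previous version shortly after the new one exists,
        # even if its own TTL would have let it live longer.
        if self.versions:
            prev = self.versions[-1]
            prev.expires_at = min(prev.expires_at, now + self.overlap)
        new = SecretVersion(secrets.token_urlsafe(32), now, now + self.ttl)
        self.versions.append(new)
        return new

    def current(self, now: float) -> str:
        """What a client fetches: always a live value. Rotation happens
        automatically once the newest version is within `overlap` of expiry."""
        if not self.versions or now >= self.versions[-1].expires_at - self.overlap:
            self.rotate(now)
        return self.versions[-1].value

    def validate(self, presented: str, now: float) -> bool:
        """What the resource (e.g. the database) does with a presented credential:
        accept only a non-expired version, compared in constant time."""
        return any(
            now < v.expires_at and hmac.compare_digest(v.value, presented)
            for v in self.versions
        )

    def purge(self, now: float) -> int:
        """Drop expired versions so they cannot be used, exported or leaked again."""
        before = len(self.versions)
        self.versions = [v for v in self.versions if now < v.expires_at]
        return before - len(self.versions)


def leak_scenario() -> dict:
    """Constructed walk-through: a value leaked at t0 is harmless after its TTL.
    Daily TTL (86_400 s) with a 5 minute (300 s) overlap window."""
    db = RotatingSecret("db/app-user", ttl=86_400, overlap=300)
    t0 = 0.0
    leaked = db.current(t0)                      # value an attacker obtained at t0
    t1 = t0 + 86_400 - 300                       # rotation becomes due here
    fresh = db.current(t1)                       # a normal client fetch triggers it
    t2 = t1 + 300                                # overlap window has closed
    return {
        "usable_at_t0": db.validate(leaked, t0),             # True
        "rotated_to_new_value": fresh != leaked,             # True
        "leaked_usable_in_overlap": db.validate(leaked, t1), # True (grace window)
        "leaked_usable_after": db.validate(leaked, t2),      # False (retired)
        "fresh_usable_after": db.validate(fresh, t2),        # True
        "purged_versions": db.purge(t2),                     # 1
    }


if __name__ == "__main__":
    for k, v in leak_scenario().items():
        print(f"{k}: {v}")
```

The overlap window is the part teams most often forget: without it, every rotation is a race between the secrets manager and every consumer, which is exactly why "manual rotation that requires outages" shows up as a signal above. The `leak_scenario` function doubles as the kind of rotation test worth running in a non-prod environment before trusting the schedule in production.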
Example
A team moved database credentials to a secrets manager with daily rotation. A leaked key became harmless within hours.
Reflection prompt
Which secret in your system has the longest lifetime? Reduce it.