HashiCorp Acquires BluBracket to Boost ‘Lifecycle’ Secrets Management
Seeking to enhance its supply chain security capabilities, HashiCorp has acquired the startup BluBracket. BluBracket specializes in repository and source library security for remote access, which would complement HashiCorp’s own Vault-based security capabilities.
By integrating BluBracket’s capabilities into its existing security products, such as Vault for secrets management and Boundary for identity management, HashiCorp also aims to improve the overall experience for developers and operations teams working with Terraform Infrastructure as Code.
In the short term, HashiCorp’s primary focus is on using BluBracket to manage Vault’s secrets more effectively throughout their entire lifecycle. This helps to prevent accidental leaks and fight secret sprawl, HashiCorp says.
“What sets BluBracket apart is its ability to discover unmanaged secrets. This capability allows us to not only locate and secure those secrets but also provide a reliable platform for their lifecycle management,” James Bayer, HashiCorp’s senior vice president of R&D for the Secure product line, told The New Stack. “While many solutions focus solely on storing secrets, we differentiate ourselves by offering comprehensive management throughout the entire lifecycle. This is where our primary investment lies.”
The Short Term
In the short term, BluBracket focuses on identifying and securing secrets, while Vault excels at storing and managing their lifecycle. But HashiCorp is “looking ahead, as our vision extends beyond secrets management,” Bayer said. “We see a similar pattern across the HashiCorp portfolio, where tools like Terraform excel at managing specific cloud resources such as S3 buckets, load balancers and compute instances. Yet, there are cases where resources are provisioned through alternative methods like consoles or native CLIs.”
“In this regard, we consider BluBracket’s foundational capabilities of discovering and managing resources as part of the longer-term horizon and these resources could include infrastructure that should ideally be managed using Terraform. By expanding our reach to encompass the broader scope of resource management, we aim to provide a unified and comprehensive solution.”
In this way, HashiCorp is looking to address any unmanaged elements that require proper management and adherence to policies, Bayer said. “This broader perspective allows us to identify areas that need attention and ensure comprehensive security measures are in place,” he said.
BluBracket helps to address the specific challenge associated with the proliferation of various systems and platforms for storing secrets, including GitHub, native solutions from cloud service providers and other platforms, Bayer said. “Encrypting and storing secrets in a secure manner is not the most difficult part,” he said. “The real challenge lies in understanding and managing the entire lifecycle of secrets.”
This is where BluBracket’s integration with Vault becomes “invaluable,” Bayer said. “BluBracket addresses the front end of the secret lifecycle by identifying unmanaged secrets. In the past, you had to explicitly inform Vault about your secrets, or else they would remain unknown,” he said. “BluBracket’s functionality allows us to discover and manage unmanaged secrets effectively. With BluBracket and Vault, we can provide a secure and reliable solution for finding, storing and managing secrets throughout their lifecycle.”
In the immediate term, BluBracket’s automated capabilities will work in the background, so developers may not immediately notice them during their day-to-day work. But they will likely provide immediate benefits for security teams managing secrets while helping to improve developers’ peace of mind that their code and code sources from libraries are more secure.
“Modern source code is a Pandora’s box, often with many little surprises inside, placed by development teams under pressure to get the job done and done quickly. In today’s world of distributed microservices apps based on containers and a multitude of open source libraries, the resulting security issues can rapidly spread across apps, teams and even enterprises,” Torsten Volk, an analyst at Enterprise Management Associates (EMA), said. “Part of the issue is the added hoops developers have to jump through to do things right. This is where a proactive approach toward security needs to come in to provide developer guardrails that make it straightforward to create secure code throughout the software development lifecycle.”
According to BluBracket’s documentation, its security suite is designed to identify, prevent, and remove risks in code, providing monitoring and tracking of code distribution beyond Git repositories. While BluBracket offers a free version for personal use and teams with fewer than 50 developers, it also provides tiered options for larger teams and offers the full-featured BluBracket Enterprise Edition. The suite can be accessed as a SaaS solution or as a local code security tool.
The use cases for BluBracket that the company lists for identifying, preventing and removing risks in code include, in addition to secrets:
- Personally identifiable information (PII).
- Non-inclusive language (NIL).
- Code analysis (SAST).
- Infrastructure-as-code (IAC) risks.
- Dependency vulnerabilities.
- Monitoring who and what has access to your code.
- Monitoring where your code goes.