📘Cisco DevNet Associate (200-901 DEVASC)
1. Secret Protection
Secrets are sensitive pieces of information that applications use to function. Examples include:
- Passwords
- API keys
- Tokens (like OAuth tokens)
- Certificates
Common Issues:
- Hardcoding secrets in code
- Storing secrets directly in source code is risky because anyone with access to the code (e.g., GitHub repo) can see them.
- Example:
api_key = "12345secret"in Python code.
- Insecure storage
- Storing secrets in plain text files or logs.
- Example: Writing a password into a log file without encryption.
- Improper access control
- Secrets are accessible to too many users or services, increasing the risk of leakage.
Best Practices:
- Use environment variables to store secrets during runtime instead of hardcoding.
- Use secret management tools like:
- HashiCorp Vault
- AWS Secrets Manager
- Kubernetes Secrets
- Rotate secrets regularly to reduce risk if compromised.
- Limit access only to services or users that need it (principle of least privilege).
2. Encryption
Encryption protects data so that even if it’s stolen, it cannot be read without the proper key. There are two main types:
a) Encryption at Rest (Storage)
- Protects data stored on disk, databases, or files.
- Example: Encrypting a database containing user information using AES-256.
- Common issues:
- Storing data without encryption.
- Using weak encryption algorithms (like MD5 or SHA1 for passwords).
- Best practices:
- Always encrypt sensitive data before saving.
- Use strong, modern encryption algorithms (AES, RSA, or ECC).
- Use secure key management to protect encryption keys.
b) Encryption in Transit (Transport)
- Protects data while moving between systems (e.g., client ↔ server).
- Example: Using HTTPS to protect API requests containing passwords or tokens.
- Common issues:
- Using HTTP instead of HTTPS.
- Using outdated TLS versions (like TLS 1.0 or 1.1).
- Not validating certificates properly.
- Best practices:
- Always use HTTPS/TLS for data transport.
- Use modern TLS versions (TLS 1.2 or 1.3).
- Verify certificates to avoid Man-in-the-Middle (MITM) attacks.
3. Data Handling
Proper data handling ensures that sensitive data is protected throughout its lifecycle: creation, storage, processing, sharing, and deletion.
Common Issues:
- Logging sensitive data
- Logging passwords, tokens, or credit card numbers can leak secrets if logs are exposed.
- Uncontrolled data sharing
- Sending sensitive data to services that don’t need it or storing in third-party systems without encryption.
- Insecure data deletion
- Deleting files without properly overwriting them can allow recovery of sensitive data.
Best Practices:
- Mask or redact sensitive data in logs.
- Encrypt sensitive data when sharing or storing externally.
- Implement secure deletion (like overwriting files) for sensitive data.
- Follow privacy principles: only collect what is needed and limit access.
4. Summary Table for Exam
| Topic | Common Issues | Best Practices |
|---|---|---|
| Secrets | Hardcoded keys, plain text storage, too much access | Environment variables, secret managers, access control, rotate secrets |
| Encryption (At Rest) | Plain text storage, weak algorithms | Use AES/RSA/ECC, secure key management |
| Encryption (In Transit) | HTTP, old TLS, invalid certs | Use HTTPS/TLS 1.2+, validate certificates |
| Data Handling | Logging secrets, over-sharing, insecure deletion | Mask logs, encrypt, limit access, secure deletion |
5. Exam Tips
- Be able to identify bad practices like hardcoding secrets or logging passwords.
- Understand differences between encryption at rest vs in transit.
- Remember: “Protect secrets, encrypt data, handle responsibly.” This is a simple mantra to remember for the exam.
- Know examples of tools for secret management and encryption.
This covers everything you need to pass the exam on this topic. It’s simple, uses IT-focused examples, and focuses on practical security practices.
