
SE Radio 722: Dwayne McDaniel on the Engineering Challenges of Secrets Management
From Software Engineering Radio - The Podcast for Professional Software Developers by SE-Radio Team
May 27, 2026 · 52 min · Episode 722
About this episode
Dwayne McDaniel discusses the engineering challenges of secrets management, including the risks of secret sprawl and credential abuse.
Dwayne McDaniel, developer advocate at GitGuardian.com, joins host Priyanka Raghavan to talk about the engineering challenges of secrets management. They explore what "secrets" really are in modern systems—far beyond passwords—including API keys, tokens, certificates, and machine identities, and how "secret sprawl" emerges across the SDLC. Drawing on reports from GitGuardian and Verizon, they discuss the growing scale of secret leaks and why credential abuse and phishing remain dominant attack vectors. They examine common leak points—from code repos and logs to CI/CD pipelines, containers, and SaaS integrations—and how cloud, DevOps, and AI tooling are amplifying risks. Priyanka quizzes Dwayne about recent supply chain attacks from pyPi and trivy ecosystems, highlighting recurring root causes like poor access control, long-lived credentials, and weak security hygiene. Finally, they consider detection, response, and modern solutions—short-lived credentials, secret scanning, and identity-based approaches like OWASP NHIR and SPIFFE/SPIRE—ending with practical advice for engineers to reduce blast radius and design for secure secret lifecycle management.
People in this episode
Host: Priyanka Raghavan
Guest: Dwayne McDaniel
Topics covered
- secrets management
- credential abuse
- security hygiene
- supply chain attacks
- DevOps
- cloud security
- identity-based approaches
Keywords
- secrets
- API keys
- tokens
- secret sprawl
- credential leaks
- CI/CD pipelines
- cloud security
- DevOps
- identity management
- supply chain attacks
Mentioned in this episode
Organizations: GitGuardian.com, GitGuardian, Verizon, OWASP
Products: NHIR, SPIFFE, SPIRE, pyPi, trivy
More episodes of Software Engineering Radio - The Podcast for Professional Software Developers
- SE Radio 723: Dave Airlie on Linux Kernel Maintenance · June 3, 2026 · 1h 9m
- SE Radio 721: Rob Moffat on Risk-First Software Development · May 20, 2026 · 53 min
- SE Radio 720: Martin Dilger on Understanding Eventsourcing · May 13, 2026 · 56 min
- SE Radio 719: Birol Yildiz on Building an Agentic AI SRE · May 6, 2026 · 54 min
- SE Radio 718: Will Sentance on JS Modernization · April 29, 2026 · 59 min
- SE Radio 717: Eric Tschetter on Decoupling Observability · April 23, 2026 · 1h 0m
Explore listener stats, chart rankings, contacts and more on the Software Engineering Radio - The Podcast for Professional Software Developers podcast page.