Security

Is there an updated best practice guide for storing encrypted credentials when developing an app?

cschmidt_hurric
Path Finder

In an effort to meet the requirements needed for Splunk Cloud app vetting, I have been migrating my apps over to storing their credentials using Splunk's password storage endpoint. When looking at Splunk-developed apps that use encrypted credentials, I can't help but notice many if not all of them don't use a simple setup.xml page and instead have something on top doing intermediary work (usually Javascript or a custom endpoint). I know the guide I followed is fairly dated (close to 6 years old now!), so my question is: is there a more modern best practice for storing credentials?

1 Solution

Simon
Contributor

From my point of view, the "Storage Passwords" endpoint and passwords.conf is still the state of the art to store credentials encrypted. Even the JS stack has been updated to provide APIs to work with. Even if it's quite old, it works quite well. By the way, there is no requirement to use setup.xml to manage the credentials as the API provides enough tools to manipulate the entries. Also, I think setup.xml isn't allowed anymore to get certified. A good resource to build custom setup pages is the Addon Builder app (https://splunkbase.splunk.com/app/2962/). Overall, the Dev Page has a lot information too regarding credential management: http://dev.splunk.com/view/javascript-sdk/SP-CAAAEJ8 (Section "Storage passwords").

HTH.

View solution in original post

woodcock
Esteemed Legend

Check out the latest Palo Alto app (v5 I think). It uses a new credential encryption approach and has been cloud certified.

0 Karma

Simon
Contributor

From my point of view, the "Storage Passwords" endpoint and passwords.conf is still the state of the art to store credentials encrypted. Even the JS stack has been updated to provide APIs to work with. Even if it's quite old, it works quite well. By the way, there is no requirement to use setup.xml to manage the credentials as the API provides enough tools to manipulate the entries. Also, I think setup.xml isn't allowed anymore to get certified. A good resource to build custom setup pages is the Addon Builder app (https://splunkbase.splunk.com/app/2962/). Overall, the Dev Page has a lot information too regarding credential management: http://dev.splunk.com/view/javascript-sdk/SP-CAAAEJ8 (Section "Storage passwords").

HTH.

cschmidt_hurric
Path Finder

Thanks. This helped a lot.

0 Karma

mrgibbon
Contributor

Im looking into this myself, and I stumbled upon this, it might give you another avenue to stroll down:
https://www.vaultproject.io/

0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...