DS-06 Data Security & Protection
Secrets / API Key & Token Management
Secrets are vaulted, rotated and never hardcoded.
- Domain: Data Security & Protection
- Control type: Preventive/Detective
- Automated / manual: Hybrid
- Frequency: Continuous
- Framework reference: MAS TRM – Data; OWASP
What good looks like
API keys/tokens/secrets held in a vault, access-controlled, rotated, never committed to code.
Risk if it fails
Credential leakage and unauthorised access.
How Tess tests it
4 tests — each concludes only on cited evidence.
Secrets-management policy (no hardcoding)
- Test type: Design
- Procedure: Inspect the policy.
- Expected: Defined and approved.
- Sample: 1 (design inspection)
- Evidence: Vault config, repo secret-scan results, rotation evidence.
Secrets vaulted and access-controlled
- Test type: Operating
- Procedure: Inspect the vault.
- Expected: Centralised and restricted.
- Sample: 25 (or full config inspection)
- Evidence: Vault config, repo secret-scan results, rotation evidence.
No secrets in source/config
- Test type: Operating
- Procedure: Run/inspect repo secret scans.
- Expected: Zero leaked secrets.
- Sample: 25 (or full config inspection)
- Evidence: Vault config, repo secret-scan results, rotation evidence.
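As an added illustration of what a repo secret scan checks for (this is example code written for this page, not Tess's tooling or any named scanner), the script below runs a small rule set over constructed file contents: two files with hardcoded credentials, one remediated file that reads the value from the environment, and one that stores only a vault reference path. The rules, the allow-list of reference patterns, and the sample file contents are all assumptions chosen for the example; the AWS access key ID used is the placeholder from AWS's own documentation. Findings report a fingerprint of the match rather than the value itself, so the scan output can be attached as evidence without re-leaking the secret.

```python
"""Minimal hardcoded-secret scanner over in-memory file contents (example code)."""
import hashlib
import re

# Detection rules: (rule name, compiled regex). These are assumed patterns for the
# example; production scanners ship far larger, vendor-specific rule sets.
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    # Generic rule: a secret-looking name assigned a long quoted literal.
    ("generic-assigned-secret", re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password|passwd)\s*[:=]\s*"
        r"['\"]([A-Za-z0-9_\-/+=:.]{16,})['\"]"
    )),
]

# Lines that only point at a secret store are allowed: they hold no credential.
ALLOWED_REFERENCE = re.compile(r"os\.environ|getenv|vault:|secretsmanager|\{\{\s*secrets\.")

# Constructed sample repo contents (assumption): what a scan might see before and after remediation.
SAMPLE_FILES = {
    # Hardcoded cloud credential; AKIAIOSFODNN7EXAMPLE is AWS's documentation placeholder.
    "config/aws.ini": "[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n",
    # Hardcoded application password (constructed placeholder value).
    "app/settings_bad.py": 'DB_PASSWORD = "Example0nlyNotARealPassw0rd"\n',
    # Remediated: the value is injected from the vault into the environment at deploy time.
    "app/settings_good.py": 'import os\nDB_PASSWORD = os.environ["DB_PASSWORD"]\n',
    # A vault reference path stored as a string: a pointer, not a credential, so it is allowed.
    "app/settings_ref.py": 'DJANGO_SECRET = "vault:secret/app/django-key"\n',
}


def scan_text(path: str, text: str) -> list[dict]:
    """Return one finding per (line, rule) hit; the finding carries a fingerprint, never the value."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if ALLOWED_REFERENCE.search(line):
            continue  # references to a secret store are the desired state
        for rule, pattern in RULES:
            match = pattern.search(line)
            if match:
                # Use the captured value when the rule has a group, else the whole match.
                secret = match.group(match.lastindex or 0)
                fingerprint = hashlib.sha256(secret.encode()).hexdigest()[:12]
                findings.append({"path": path, "line": line_no,
                                 "rule": rule, "fingerprint": fingerprint})
    return findings


def scan_files(files: dict[str, str]) -> list[dict]:
    """Scan every file, returning findings sorted by path and line for a stable report."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings


def is_clean(files: dict[str, str]) -> bool:
    """True when the scan produces zero findings, i.e. the control's expected result."""
    return not scan_files(files)


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']}  {f['rule']}  fingerprint={f['fingerprint']}")
    print("clean:", is_clean(SAMPLE_FILES))
```

Run as-is, the script flags the two hardcoded values and leaves the environment lookup and the vault reference untouched; removing the two offending files from `SAMPLE_FILES` makes `is_clean` return True, which is the state this test expects to see in the scan results.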
Keys/tokens rotated
- Test type: Operating
- Procedure: Inspect rotation.
- Expected: Rotation occurs per policy.
- Sample: 25 (or full config inspection)
- Evidence: Vault config, repo secret-scan results, rotation evidence.
Evidence Tess looks for
Vault config, repo secret-scan results, rotation evidence.