Security's Missing Link in Network Automation

Summarizing John Howard's practical security guidance from AutoCon3

"Hello, darkness, my old friend," joked John Howard from Proton, pointing to the familiar SSL certificate warning dialog. "This button is so tempting, but it's the wrong one."

His lightning talk tackled a critical but often overlooked aspect of network automation: security practices that protect credentials, certificates, and sensitive data from exposure.

The Uncomfortable Reality Check

Howard started with an audience survey that revealed an uncomfortable truth:

  • Vault instances: Many organizations have them

  • Actually using Vault: Far fewer hands stayed up

  • Internal PKI: Some organizations have it

  • Actually using internal PKI: Even fewer hands

This gap between security infrastructure and practical usage drives dangerous shortcuts in automation workflows.

The Slippery Slope of Security Compromises

Working at Proton—a company that "lives and breathes encryption"—Howard sees security anti-patterns everywhere:

Hard-coded credentials: Passwords and IP addresses buried in Python scripts Certificate verification bypassing: verify=False because "it's HTTPS anyway" Warning suppression: Turning off SSL warnings to clean up output Magic comments: # noqa and "sorry security team" comments to bypass security scanners

"Every single one of those verifiable false statements is a gift to a ransomware attacker," he warned.

Git Never Forgets

The persistence of version control creates lasting security risks. Howard recommended TruffleHog for scanning repositories: "You'll be amazed at what you find buried inside your repos."

His personal anecdote illustrated the point: "When I uploaded private keys to Git during a demo, I got an email in five minutes asking if I was sure. Yes, because it's not real—but the scanning infrastructure exists and works."

Man-in-the-Middle Reality

Bypassing certificate verification enables trivial attacks: "This is what a man-in-the-middle proxy looks like—it's one binary. Anybody can now read that password you sent."

The solution isn't complex—it's using proper certificate authorities and verification—but requires systematic implementation rather than shortcuts.

Practical Solutions: Vault and OpenBao

Rather than theoretical security advice, Howard provided hands-on guidance using HashiCorp Vault (or the open-source OpenBao alternative for those preferring fully open solutions).

His GitHub repository provides a practical technical showcase—not theoretical documentation, but working examples of:

  • API-driven certificate authority: Root CA and issuing CA setup

  • Key-value secret storage: Programmatic access in CI/CD pipelines

  • Certificate lifecycle management: Automated issuance and deployment

  • Container Lab integration: Testing environment for validation

Certificate Authority Implementation

The demo showed end-to-end certificate management:

Bootstrap Process: Terraform deployment creating vault policies, key-value stores, root CA, issuing CA, and workflow components

Certificate Generation: Automated playbook that fetches environment metadata, creates certificates via Vault API, and stores them securely

Deployment Automation: Separate playbook retrieves certificates from Vault, generates configuration templates, and deploys to devices

Important Detail: GNMI and JSON-RPC configuration happen separately—"you don't want to cut off the branch upon which you sit" by changing GNMI while configuring GNMI.

Before and After Results

The transformation was visible:

  • Before: SSL warnings, untrusted certificates, manual verification bypassing

  • After: Fully qualified domain names, proper certificate trust, no warnings

"Great success," Howard deadpanned, showing clean connection outputs.

Encryption as a Service

Beyond certificate management, Howard demonstrated Vault's encryption-as-a-service feature for protecting data in transit:

The Problem: Messages flowing through NATS (think Kafka but different) in plaintext, visible to anyone with network access

The Solution: Two simple functions—encrypt before sending, decrypt after receiving

The Result: "The guy in the hoodie with energy drinks can't see your messages anymore because it's encrypted. The authorized recipient can. Congratulations—you've just encrypted in transit without really doing anything other than deploying two functions."

Development Reality Check

Howard was honest about the implementation experience: "To get to that point where Terraform showed 'apply 12 added, everything green,' it was probably 200 failed attempts. That's automation today—that's what we're all trying to fix. Failure is part of creation, embrace it."

This acknowledgment of iteration and debugging normalizes the learning process for security implementation.

Beyond Basic Features

Howard concluded by noting that Vault offers many capabilities beyond basic secret storage that most organizations don't explore. His repository provides starting points for discovering these features in practical contexts.

Why This Matters

Security often gets treated as an afterthought in automation projects, leading to technical debt and real vulnerabilities. Howard's presentation addresses this by:

Making Security Practical: Providing working examples rather than theoretical guidance Addressing Real Pain Points: Acknowledging why people take shortcuts and offering better alternatives Integration Focus: Showing how security integrates with existing automation workflows Honest Implementation: Acknowledging the learning curve while providing concrete steps forward

The Broader Security Message

Network automation without proper security creates systematized vulnerabilities—insecure practices get codified and replicated across infrastructure. Howard's work demonstrates that secure automation isn't significantly harder than insecure automation; it just requires different initial choices and proper tooling.

For organizations building automation pipelines, his repository offers a practical starting point for implementing security properly from the beginning rather than retrofitting it later.

As automation scales and becomes more critical to network operations, security can't remain an afterthought. Howard's practical guidance provides a path forward for building trustworthy, secure automation systems.


Watch the full lightning talk: Pls stop exposing your... secrets

Chris Grundemann

Executive advisor. Specializing in network infrastructure strategy and how to leverage your network to the greatest possible business advantage through technological and cultural transformation.

https://www.khadgaconsulting.com/
Previous
Previous

Fine-Tuning LLMs for Network Configuration Intelligence

Next
Next

Escaping the Screen Scraping Trap with BGP Monitoring Protocol