Security's Missing Link in Network Automation
Summarizing John Howard's practical security guidance from AutoCon3
"Hello, darkness, my old friend," joked John Howard from Proton, pointing to the familiar SSL certificate warning dialog. "This button is so tempting, but it's the wrong one."
His lightning talk tackled a critical but often overlooked aspect of network automation: security practices that protect credentials, certificates, and sensitive data from exposure.
The Uncomfortable Reality Check
Howard started with an audience survey that revealed an uncomfortable truth:
Vault instances: Many organizations have them
Actually using Vault: Far fewer hands stayed up
Internal PKI: Some organizations have it
Actually using internal PKI: Even fewer hands
This gap between security infrastructure and practical usage drives dangerous shortcuts in automation workflows.
The Slippery Slope of Security Compromises
Working at Proton—a company that "lives and breathes encryption"—Howard sees security anti-patterns everywhere:
Hard-coded credentials: Passwords and IP addresses buried in Python scripts Certificate verification bypassing: verify=False because "it's HTTPS anyway" Warning suppression: Turning off SSL warnings to clean up output Magic comments: # noqa and "sorry security team" comments to bypass security scanners
"Every single one of those verifiable false statements is a gift to a ransomware attacker," he warned.
Git Never Forgets
The persistence of version control creates lasting security risks. Howard recommended TruffleHog for scanning repositories: "You'll be amazed at what you find buried inside your repos."
His personal anecdote illustrated the point: "When I uploaded private keys to Git during a demo, I got an email in five minutes asking if I was sure. Yes, because it's not real—but the scanning infrastructure exists and works."
Man-in-the-Middle Reality
Bypassing certificate verification enables trivial attacks: "This is what a man-in-the-middle proxy looks like—it's one binary. Anybody can now read that password you sent."
The solution isn't complex—it's using proper certificate authorities and verification—but requires systematic implementation rather than shortcuts.
Practical Solutions: Vault and OpenBao
Rather than theoretical security advice, Howard provided hands-on guidance using HashiCorp Vault (or the open-source OpenBao alternative for those preferring fully open solutions).
His GitHub repository provides a practical technical showcase—not theoretical documentation, but working examples of:
API-driven certificate authority: Root CA and issuing CA setup
Key-value secret storage: Programmatic access in CI/CD pipelines
Certificate lifecycle management: Automated issuance and deployment
Container Lab integration: Testing environment for validation
Certificate Authority Implementation
The demo showed end-to-end certificate management:
Bootstrap Process: Terraform deployment creating vault policies, key-value stores, root CA, issuing CA, and workflow components
Certificate Generation: Automated playbook that fetches environment metadata, creates certificates via Vault API, and stores them securely
Deployment Automation: Separate playbook retrieves certificates from Vault, generates configuration templates, and deploys to devices
Important Detail: GNMI and JSON-RPC configuration happen separately—"you don't want to cut off the branch upon which you sit" by changing GNMI while configuring GNMI.
Before and After Results
The transformation was visible:
Before: SSL warnings, untrusted certificates, manual verification bypassing
After: Fully qualified domain names, proper certificate trust, no warnings
"Great success," Howard deadpanned, showing clean connection outputs.
Encryption as a Service
Beyond certificate management, Howard demonstrated Vault's encryption-as-a-service feature for protecting data in transit:
The Problem: Messages flowing through NATS (think Kafka but different) in plaintext, visible to anyone with network access
The Solution: Two simple functions—encrypt before sending, decrypt after receiving
The Result: "The guy in the hoodie with energy drinks can't see your messages anymore because it's encrypted. The authorized recipient can. Congratulations—you've just encrypted in transit without really doing anything other than deploying two functions."
Development Reality Check
Howard was honest about the implementation experience: "To get to that point where Terraform showed 'apply 12 added, everything green,' it was probably 200 failed attempts. That's automation today—that's what we're all trying to fix. Failure is part of creation, embrace it."
This acknowledgment of iteration and debugging normalizes the learning process for security implementation.
Beyond Basic Features
Howard concluded by noting that Vault offers many capabilities beyond basic secret storage that most organizations don't explore. His repository provides starting points for discovering these features in practical contexts.
Why This Matters
Security often gets treated as an afterthought in automation projects, leading to technical debt and real vulnerabilities. Howard's presentation addresses this by:
Making Security Practical: Providing working examples rather than theoretical guidance Addressing Real Pain Points: Acknowledging why people take shortcuts and offering better alternatives Integration Focus: Showing how security integrates with existing automation workflows Honest Implementation: Acknowledging the learning curve while providing concrete steps forward
The Broader Security Message
Network automation without proper security creates systematized vulnerabilities—insecure practices get codified and replicated across infrastructure. Howard's work demonstrates that secure automation isn't significantly harder than insecure automation; it just requires different initial choices and proper tooling.
For organizations building automation pipelines, his repository offers a practical starting point for implementing security properly from the beginning rather than retrofitting it later.
As automation scales and becomes more critical to network operations, security can't remain an afterthought. Howard's practical guidance provides a path forward for building trustworthy, secure automation systems.
Watch the full lightning talk: Pls stop exposing your... secrets