I work at a mid-sized payments company that has grown through acquisitions, resulting in a production environment that's a bit of a patchwork. We've got our own key rotation process for the services we build, and while it generally holds up during audits, the reality is that we have a lot of temporary integrations that have become permanent due to our busy schedules.
Recently, during a routine access review—something I undertook to avoid surprises during our renewal season—I discovered an active API key for one of our core services. This key has valid permissions but shockingly, it wasn't listed in our rotation schedule or any of the reliable internal documentation I typically trust.
The key didn't seem new or malicious, which raised concerns because it had slipped through multiple cleanup efforts unnoticed. Tracing it back revealed it was part of a vendor integration that started small but grew over time without triggering a proper review. Our recent switch from Panorays to Security Scorecard has made things more complicated, with the vendor's record looking clean enough that no one has questioned the relationship for months.
While I've asked around the company, the feedback has been vague, with people recalling bits and pieces but lacking concrete information. I'm looking for guidance on how to address this issue and fill in the gaps without pushback from others who may think it's trivial or pretend I'm making a big deal out of it.
5 Answers
If you’re faced with skepticism, try approaching your boss directly. Something like: 'Hey [Manager], I found something concerning regarding our API key situation. What would you like me to do about it?' They’ll decide if it merits action, and if not, at least document your findings and keep it in your records.
If I understand correctly, this is an internal API key, right? If so, can’t you automate a comparison of all issued keys against your rotation runbooks? It seems odd to do this review manually. Also, does your API Gateway identify the creator of the key? If there’s absolutely no link to an owner, you might consider revoking any orphaned keys! There are a lot of important questions raised here.
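One way to do the automated comparison this answer suggests, as an added example that is not part of the thread: reconcile the gateway's list of issued keys against the rotation runbook and flag anything undocumented, ownerless, or overdue. The `IssuedKey` fields, the runbook shape (key id to rotation interval in days), and the sample records are all constructed assumptions; substitute your own gateway export and schedule.

```python
"""Reconcile issued API keys against the rotation runbook.

Added example, not code from the original thread. It assumes two inputs you
can export from your own systems: the API gateway's list of issued keys
(key id, service, recorded creator, creation and last-rotation dates) and
the rotation runbook as a mapping from key id to rotation interval in days.
Every field name and sample record below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class IssuedKey:
    key_id: str
    service: str
    owner: Optional[str]   # None when the gateway records no creator
    created: date
    last_rotated: date


@dataclass
class Finding:
    key_id: str
    issue: str             # "undocumented", "orphaned" or "overdue"
    detail: str


def reconcile(issued: List[IssuedKey], runbook: Dict[str, int], today: date) -> List[Finding]:
    """Compare every issued key with the runbook and report the gaps."""
    findings: List[Finding] = []
    for key in issued:
        if key.key_id not in runbook:
            # The situation in the question: a live key nobody scheduled.
            findings.append(Finding(key.key_id, "undocumented",
                                    f"{key.service}: not in rotation runbook"))
        else:
            due = key.last_rotated + timedelta(days=runbook[key.key_id])
            if due < today:
                findings.append(Finding(key.key_id, "overdue",
                                        f"{key.service}: rotation was due {due.isoformat()}"))
        if not key.owner:
            # No creator on record: candidate for revocation after outreach.
            findings.append(Finding(key.key_id, "orphaned",
                                    f"{key.service}: no recorded owner"))
    return findings


def stale_runbook_entries(issued: List[IssuedKey], runbook: Dict[str, int]) -> List[str]:
    """Runbook entries for keys the gateway no longer has (already revoked)."""
    live = {k.key_id for k in issued}
    return sorted(k for k in runbook if k not in live)


# Constructed sample data: a healthy key, an overdue one, and an
# undocumented, ownerless vendor key like the one in the question.
SAMPLE_KEYS = [
    IssuedKey("k-001", "payments-core", "alice", date(2023, 1, 10), date(2024, 3, 1)),
    IssuedKey("k-002", "payments-core", None, date(2021, 5, 3), date(2021, 5, 3)),
    IssuedKey("k-003", "ledger-api", "bob", date(2024, 2, 1), date(2024, 5, 15)),
]
SAMPLE_RUNBOOK = {"k-001": 90, "k-003": 90, "k-099": 30}   # k-099 was revoked long ago


if __name__ == "__main__":
    for f in reconcile(SAMPLE_KEYS, SAMPLE_RUNBOOK, date(2024, 6, 1)):
        print(f"{f.key_id:8} {f.issue:12} {f.detail}")
    print("stale runbook entries:", stale_runbook_entries(SAMPLE_KEYS, SAMPLE_RUNBOOK))
```

Run it on a schedule and diff the output against the previous run; a new "undocumented" line is exactly the kind of surprise the question describes, and it surfaces on its own instead of during an access review.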
I don’t get why anyone would say you’re making an issue up. The key exists, it needs to be documented, and it should be rotated according to schedule. You’re just working toward compliance, and if there's any resistance, it's their responsibility to either accept the risk or get the team compliant.
Typically, security and governance teams in Fintech have more influence. If you’re not a part of that team, bring this up to them; they’ll likely want to handle it. If you are, your management will want it addressed, so let them follow up.
It's smart to have a policy ready for handling newly discovered secrets like this. Given your company’s growth through acquisitions, expect more of these situations. Use this as an opportunity to set a solid process for the future.