
  1. Improving developers' usage of Postman:

    1. Developers should store secrets in Postman environment variables, instead of directly embedding them in the Collection’s request or code, in order to properly separate code/logic from secrets.

    2. Developers should leverage the "initial" and "current" value functionality in order to avoid mistakenly sharing their own API key when sharing a Collection file.

      1. The "current" value should be used to store the developer's own/private secrets, as "current" values do not get shared as part of a Postman Collection or Environment.

      2. More details are available at https://blog.postman.com/how-to-use-api-keys/ .

    3. Developers should leverage the "secret" variable type, in order to explicitly flag secrets in their Collections.

      1. Such secrets will also be masked when displayed on-screen.

      2. More details are available at https://blog.postman.com/introducing-secret-variable-type-in-postman/

  2. Setting up an "approved" Postman workspace with secrets scanning:

    1. Provide developers with one or a few "approved"/official Postman cloud workspace(s) that they are expected to join and use when working with Postman.

      1. This ensures that there is a central location for all of the organization's Postman Collections.

    2. Configure Postman's token scanner functionality to enable Custom Alerts, so that it also scans Postman Collections for your own organization's secrets.

      1. More details are available at https://learning.postman.com/docs/administration/token-scanner/#custom-alerts .

  3. Being able to detect Postman secrets on employee laptops:

    1. To better understand usage and risk, consider leveraging existing endpoint security software to scan company-issued laptops for:

      1. Secrets embedded in Postman Collection files and Postman Environment files.

      2. Postman app installs that are not logged into the approved Postman workspace(s) within Postman cloud.
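The following is an added example, not part of the original page, showing how the two checks from items 1 and 3 can be automated against exported Postman files: literal credentials in a Collection (values that should have been `{{variable}}` references), and Environment variables that are not typed `secret` or that carry a non-empty initial value (the value that does get shared on export). It assumes the Postman Collection v2.1 and Environment export JSON layouts; the `SENSITIVE_KEY` pattern and the sample documents are constructed for illustration and are not from Postman.

```python
"""Scan exported Postman Collection and Environment JSON files for embedded secrets."""
import json
import re
import sys

# Header / query / variable names that normally carry credentials (heuristic, constructed here).
SENSITIVE_KEY = re.compile(r"(authorization|api[-_]?key|token|secret|password|x-auth)", re.I)
# A Postman variable reference such as {{apiKey}}: the real value lives in an environment.
VAR_REF = re.compile(r"^\s*\{\{[^{}]+\}\}\s*$")
# Fields inside a request's "auth" block that hold the credential itself
# (apikey -> "value", bearer -> "token", basic -> "password"); "key" and "in" are metadata.
AUTH_SECRET_FIELDS = {"value", "token", "password"}


def _is_literal(value):
    """True when a string holds an actual value rather than a {{variable}} reference."""
    return isinstance(value, str) and value.strip() != "" and not VAR_REF.match(value)


def _walk_items(items, path):
    """Yield (path, request) for every request in a possibly nested collection."""
    for it in items:
        name = it.get("name", "?")
        if "item" in it:                      # a folder: recurse
            yield from _walk_items(it["item"], path + [name])
        elif isinstance(it.get("request"), dict):
            yield path + [name], it["request"]


def scan_collection(collection):
    """Return findings for literal credentials in headers, query params and auth blocks."""
    findings = []
    for path, req in _walk_items(collection.get("item", []), []):
        where = "/".join(path)
        for h in req.get("header") or []:
            if SENSITIVE_KEY.search(h.get("key", "")) and _is_literal(h.get("value")):
                findings.append(f"{where}: header '{h['key']}' holds a literal value")
        url = req.get("url")
        if isinstance(url, dict):
            for q in url.get("query") or []:
                if SENSITIVE_KEY.search(q.get("key", "")) and _is_literal(q.get("value")):
                    findings.append(f"{where}: query param '{q['key']}' holds a literal value")
        auth = req.get("auth") or {}
        for entry in auth.get(auth.get("type", ""), []) or []:
            if entry.get("key") in AUTH_SECRET_FIELDS and _is_literal(entry.get("value")):
                findings.append(f"{where}: auth field '{entry['key']}' holds a literal value")
    return findings


def scan_environment(env):
    """Return findings for variables that should be 'secret' typed or leak an initial value."""
    findings = []
    for var in env.get("values", []):
        key = var.get("key", "")
        if not SENSITIVE_KEY.search(key):
            continue
        if var.get("type") != "secret":
            findings.append(f"variable '{key}' is not typed 'secret'")
        if _is_literal(var.get("value")):  # exported "value" is the shared initial value
            findings.append(f"variable '{key}' has a non-empty initial value that will be shared")
    return findings


def scan_file(path):
    """Dispatch on the export type and return its findings."""
    with open(path, encoding="utf-8") as fh:
        doc = json.load(fh)
    if doc.get("_postman_variable_scope") == "environment":
        return scan_environment(doc)
    return scan_collection(doc)


# Constructed sample exports (not real credentials): one bad header, one bad query param.
SAMPLE_COLLECTION = {
    "info": {"name": "demo", "schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"},
    "item": [
        {"name": "Legacy ping", "request": {"method": "GET",
            "header": [{"key": "Authorization", "value": "Bearer abc123-constructed"}],
            "url": {"raw": "https://api.example.test/ping"}}},
        {"name": "Users", "item": [
            {"name": "List users", "request": {"method": "GET",
                "header": [{"key": "X-API-Key", "value": "{{apiKey}}"}],
                "auth": {"type": "bearer", "bearer": [{"key": "token", "value": "{{apiKey}}"}]},
                "url": {"raw": "https://api.example.test/users?token=hardcoded",
                        "query": [{"key": "token", "value": "hardcoded"}]}}}]},
    ],
}
SAMPLE_ENVIRONMENT = {
    "name": "dev", "_postman_variable_scope": "environment",
    "values": [
        {"key": "baseUrl", "value": "https://api.example.test", "type": "default", "enabled": True},
        {"key": "apiKey", "value": "sk-test-constructed", "type": "default", "enabled": True},
        {"key": "dbPassword", "value": "", "type": "secret", "enabled": True},
    ],
}

if __name__ == "__main__":
    for f in sys.argv[1:] or []:
        for line in scan_file(f):
            print(f"{f}: {line}")
    if not sys.argv[1:]:
        for line in scan_collection(SAMPLE_COLLECTION) + scan_environment(SAMPLE_ENVIRONMENT):
            print(line)
```

Run with one or more exported `.postman_collection.json` / `.postman_environment.json` paths to scan real files; with no arguments it scans the constructed samples and reports the literal `Authorization` header, the literal `token` query parameter, and the `apiKey` variable that is neither `secret` typed nor empty on export. The `{{apiKey}}` references and the empty `secret` variable produce no findings, which is the shape the guidance above is steering developers toward.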