Secure by Design Protecting Java Applications with HashiCorp Vault and AI Code Assistants
Get started with Bob today → https://bob.ibm.com/download/?utm_source=bob-youtube
One prompt: "can you find any secret in the code?" Bob scans, finds three critical issues, then migrates every hardcoded secret into HashiCorp Vault — without breaking the running application.
In this IBM Dev Day session, Alex Soto walks through why environment variables, application.properties files, and even Kubernetes secrets aren't secure enough for production — then live-demos using IBM Bob with the Vault MCP server to detect hardcoded secrets, store them in Vault, and rewire a Quarkus application to pull secrets at runtime. No redeployment required.
🔹 What you'll learn:
— Why every common approach to secrets has problems: env vars leak to logs, strings stay in Java memory pools, Kubernetes secrets aren't encrypted by default in etcd
— The onion model of security: layered prevention, logging, and fast detection
— Secret stores vs. static secrets: runtime injection, auto-rotation, dynamic secrets, fine-grained access, and machine-based authentication
— HashiCorp Vault engines: key-value, TOTP, PKI, transit (encryption as a service), and dynamic secrets
— The Vault MCP server: how it gives Bob direct access to list, store, and manage secrets in a running Vault instance
— Live demo: Bob scans a Quarkus project, finds a hardcoded API key, stores it in Vault, adds the Quarkus Vault extension, rewires application.properties, and fixes the logging leak
— Custom modes for security workflows: when and why to create a dedicated security scan mode
— Shift-left security with AI: scan after you code, not at the end of the pipeline
📌 Key takeaway: No secret is the best secret. Dynamic secrets that no human ever sees, auto-rotate every 30 minutes, and get injected at runtime are fundamentally more secure than anything hardcoded. Bob + the Vault MCP server makes this workflow accessible to any developer — scan, detect, migrate, verify — without needing to be a security expert.
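As an added illustration (not the session's own demo code), this is the shape of the migration the demo performs on the Quarkus app: the hardcoded key and the log line that leaked it, beside a configuration that lets the Quarkus Vault extension fetch the same value from Vault at runtime. The Vault URL, the KV path `payments/config`, the `api-key` secret name and the `payments-app` role are constructed placeholders; the `quarkus.vault.*` keys are those of the Quarkus Vault extension.

```java
// --- BEFORE (what the scan flags): src/main/resources/application.properties ---
//   api.key=sk_live_EXAMPLE_DO_NOT_USE        <- hardcoded; committed to git, visible in env dumps
// ...and the startup code logged it:
//   LOG.infof("starting with api key %s", apiKey);   <- the "logged secret" finding
//
// --- AFTER: application.properties (constructed values, no secret material in the file) ---
//   quarkus.vault.url=https://vault.example.internal:8200
//   quarkus.vault.authentication.kubernetes.role=payments-app   # pod identity, no static token
//   quarkus.vault.kv-secret-engine-version=2
//   quarkus.vault.secret-config-kv-path=payments/config         # keys here become config properties
//   quarkus.vault.secret-config-cache-period=10M                # re-read from Vault, no redeploy
//
// Every key stored under secret/payments/config in Vault (here: api-key) is exposed
// as an ordinary MicroProfile Config property, so the resource below is unchanged
// apart from dropping the log line.
package org.acme.payments;

import jakarta.inject.Inject;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import org.eclipse.microprofile.config.inject.ConfigProperty;
import org.jboss.logging.Logger;

@Path("/payments")
public class PaymentResource {

    private static final Logger LOG = Logger.getLogger(PaymentResource.class);

    // Resolved at runtime from Vault through the secret-config-kv-path mapping above;
    // startup fails fast if Vault does not hold the key, rather than running with a blank one.
    @Inject
    @ConfigProperty(name = "api-key")
    String apiKey;

    @GET
    public String status() {
        // Log the fact, never the value: this is the fix for the logging leak.
        LOG.info("payments client ready; api-key loaded from Vault");
        return "ok";
    }
}
```

As the session notes, an injected value is still a `String` in the JVM, so this removes the git, environment and log exposure but does not by itself address the string-pool point.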
🔗 Try IBM Bob: ibm.com/bob
#IBMBob #HashiCorpVault #Secrets #Java #Quarkus #MCP #Security #ShiftLeft #DevDay #watsonx #IBM
0:00 — Introduction: Alex Soto on secrets and Java security
0:36 — What is a secret and why it matters
1:58 — No system is 100% secure — the onion model of layered protection
3:18 — The B minor secret: music theory meets security storytelling
5:45 — Secrets in applications: API keys, DB credentials, OAuth secrets
6:18 — Common approaches: env vars, application.properties, system properties, Kubernetes volumes
7:03 — Why all of these are problematic: git exposure, log leaks, Java string pooling
8:34 — Java's string pool: secrets always in the same memory location
8:52 — Kubernetes secrets: etcd not encrypted by default, keys and secrets on the same node
10:06 — The solution: secret stores with runtime injection
10:36 — Auto-rotation, auto-expiration, and auto-refresh without redeployment
11:35 — The chicken-and-egg problem: machine-based and Kubernetes-based authentication
12:34 — No secret is the best secret: dynamic secrets explained
12:55 — HashiCorp Vault: key-value, TOTP, PKI, transit, and dynamic secret engines
14:34 — Vault's language support: Quarkus Vault extension and Spring Data Vault
15:07 — The Vault MCP server: giving AI models access to Vault operations
16:30 — How MCP works: JSON-RPC remote function calls from the LLM to Vault
17:44 — Vault MCP server tools: secrets, PKI, certificates, mounts, and login
18:11 — Live demo begins: a Quarkus app with hardcoded secrets
21:08 — Asking Bob: "can you find any secret in the code?"
21:47 — Bob finds three critical issues: hardcoded API key, logged secret, unused import
22:33 — Switching to custom security migration mode
22:57 — Asking Bob to store secrets in Vault via MCP
23:40 — Bob's plan: inspect project, add Vault extension, store secrets, update config, verify
24:33 — Bob mounts secrets in Vault and rewires application.properties
25:23 — Task complete: hardcoded key replaced with Vault-backed config injection
26:16 — How it works: Quarkus connects to Vault at runtime, injects the secret
28:31 — Fixing the API key logging issue: Bob removes the leak
29:02 — Shift-left security: scan after coding, not at the end of the pipeline
29:40 — Greenfield and brownfield: works for new code and legacy projects
30:01 — Production considerations: Vault OIDC, external secrets, sealed secrets
30:17 — Closing: try Bob at bob.ibm.com
Video: Secure by Design Protecting Java Applications with HashiCorp Vault and AI Code Assistants, from the channel Bob
No comments
Video information
22 June 2026, 3:00:13
00:30:43