How I Think About Secure Backend Integrations

Security in backend integrations usually fails at the boring edges: a token that never rotates, a logging line that prints a header, an IAM role that was "temporary."

My mental model

I think of every integration as three concentric rings:

1. The secret itself — API key, private key, DB password.
2. The identity the secret proves — what role/principal/service.
3. The scope that identity is bound to — what resources, what actions, for how long.

Every incident I've seen was a collapse of ring 2 or ring 3, not ring 1. The secret didn't leak; the scope was too wide.

Default stance

• Every secret comes from a vault (Secrets Manager, Parameter Store, Vault). No .env committed, no secrets in CI logs.
• Every identity is scoped to the narrowest resource + action that makes the feature work. If I can't articulate the scope in one sentence, it's too broad.
• Every token rotates. If rotation is "hard," that's a design bug, not an ops bug.

The line that saves you

The single most underrated security practice is: log identities, not secrets, and log scope decisions at the point they're made.

logger.info(
    "crm.lookup authorized",
    extra={
        "principal": principal.id,
        "scope": ["crm:read:customer"],
        "resource": f"customer:{customer_id}",
        "reason": "fulfillment handler",
    },
)

When something goes wrong at 2am, you'll want to know which identity did what. You will never want the secret in the log.