What is the difference between static and dynamic secrets? [Intermediate]
Answer
A static secret is created in advance and remains valid until manually changed or rotated. A dynamic secret is generated when requested, has a lease, and can be revoked automatically. Dynamic secrets are safer for systems that support just-in-time credential creation.
Technical explanation
Static secrets are simpler, but their long lifetime widens the blast radius of a leak and creates a rotation burden.
Dynamic secrets reduce credential reuse and support automated expiry.
Not every integration supports dynamic credentials, so teams often combine static secrets with rotation and dynamic secrets where possible.
Hands-on example
Example: a third-party API key may be static and stored in Vault KV with rotation reminders. A PostgreSQL credential can be dynamic through Vault's database engine, issued per workload for 1 hour and revoked after use.
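The two cases above as Vault CLI calls, wrapped in shell functions. This is an added example, not part of the original answer; the KV path, connection name `appdb`, role `app-readonly`, host `db.example.internal` and bootstrap account `vault_admin` are assumed names, and an authenticated `vault` CLI is assumed.

```shell
#!/bin/sh
# Added example: static KV secret vs. dynamic PostgreSQL credential in Vault.
# All paths, role names and hostnames below are assumptions for illustration.

# Static: written once, valid until someone rotates it by hand.
# $1 = file holding the API key (key=@file keeps the value out of argv and
# shell history; the file content is used as-is, so write it with printf '%s').
store_static_api_key() {
    vault kv put secret/thirdparty/payments api_key=@"$1"
}

# Dynamic: Vault creates a fresh PostgreSQL role on every read.
# $1 = file holding the password of the assumed bootstrap account vault_admin.
configure_dynamic_postgres() {
    vault secrets enable database
    vault write database/config/appdb \
        plugin_name=postgresql-database-plugin \
        allowed_roles=app-readonly \
        connection_url='postgresql://{{username}}:{{password}}@db.example.internal:5432/appdb' \
        username=vault_admin \
        password=@"$1"
    # default_ttl and max_ttl of 1h give the one-hour lease from the text;
    # VALID UNTIL makes PostgreSQL itself refuse the login after expiry.
    vault write database/roles/app-readonly \
        db_name=appdb \
        creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
        default_ttl=1h max_ttl=1h
}

# Each call returns a new username/password pair plus a lease_id (JSON).
issue_db_credential() {
    vault read -format=json database/creds/app-readonly
}

# Revoke after use instead of waiting for the lease to expire.
# $1 = lease_id returned by issue_db_credential.
revoke_db_credential() {
    vault lease revoke "$1"
}
```

A workload calls `issue_db_credential` at start-up and `revoke_db_credential` with the returned `lease_id` on shutdown; if it crashes, the lease still expires after one hour.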