Anonymize RAG data in IBM Granite and Ollama using HCP Vault

You can use retrieval augmented generation (RAG) to refine and improve the output of a large language model (LLM) without retraining the model. However, many data sources include sensitive information, such as personally identifiable information (PII), that the LLM and its applications should not require or disclose — but sometimes they do. Sensitive information disclosure is one of the OWASP 2025 Top 10 Risks & Mitigations for LLMs and Gen AI Apps. For example, an LLM may leak sensitive information when a user asks a question that requires that information in response. After the retrieval engine gets sensitive information and provides it to the LLM as context, the LLM generates a response without disclosing it. However, a user may ask a more specific question that relates to sensitive information and the LLM responds with it in its context. To mitigate this concern, OWASP recommends data sanitization, access control, and tokenization. ...

June 5, 2025

HashiCorp Vault and FIPS 140-3: Strengthening security and compliance

In an era of accelerating regulatory scrutiny, organizations must ensure that their cryptographic infrastructure meets the appropriate standards of security and compliance. One of the key standards in the U.S. is the Federal Information Processing Standard (FIPS) 140-3, which defines the requirements for cryptographic modules used by federal agencies and contractors. HashiCorp Vault, a leader in secrets management and data protection, now supports FIPS 140-3 level 1 in version 1.19.4. This advancement enables organizations to modernize their security posture while meeting the latest compliance mandates. ...

June 4, 2025

HCP Waypoint actions now GA

Following the public beta release last year, HCP Waypoint actions are now generally available. Actions enable platform teams to expose Day 2+ operations and workflows — such as rollbacks, build promotions, and more — to developers as push-button tasks. With actions, platform teams define and govern reusable workflows, while developers trigger them directly from HCP Waypoint. HCP Waypoint actions: HCP Waypoint is designed to help platform teams define golden patterns and workflows that developers can use to ship applications at scale. HCP Waypoint actions provide a push-button experience to enable Day 2+ operations such as build promotions, rollbacks, and modifying feature flags. Actions make it easier for platform teams to enable self-service, Day 2+ golden workflows for developers. ...

June 3, 2025

Terraform ephemeral resources, Waypoint actions, and more at HashiDays 2025

Enterprises are struggling to protect their hybrid cloud infrastructure from security risks due to misconfigurations and lack of proper guardrails throughout its lifecycle. HashiCorp’s Infrastructure Lifecycle Management (ILM) portfolio automates how companies build, deploy, and manage their infrastructure over time, ensuring that developers can move fast while always using the approved approach with governance baked in. As organizations scale their IT estates, infrastructure automation becomes even more critical. With scale comes the challenge of balancing developer agility with the security and compliance needs of the organization. Infrastructure lifecycle management (ILM) helps make the secure, cost-effective approach the simplest path for developers. ...

June 3, 2025

Vault Radar, Boundary transparent sessions, and more at HashiDays 2025

At HashiDays, we are sharing the recent general availability of Security Lifecycle Management (SLM) products and features that further reduce security risks and dramatically improve the user experiences for developers, SecOps, and platform teams. These include HCP Vault Radar, automatic root credential rotation with HashiCorp Vault, Boundary transparent sessions, and Consul external service discovery. Seamless user experience with Boundary transparent sessions: HashiCorp Boundary provides secure human-to-machine access for sensitive applications. This includes: ...

June 3, 2025

Systems Fun at HotOS

June 2, 2025

Terraform migrate 1.1 adds VCS workspace support and enhanced GitOps

Terraform migrate is a command-line tool that simplifies the process of migrating your Terraform state and configuration from Terraform Community Edition to HCP Terraform and Terraform Enterprise. Previously, Terraform migrate supported only CLI-driven Terraform workflows. With the release of Terraform migrate 1.1, you can now create and configure HCP Terraform and Terraform Enterprise workspaces linked to GitHub or GitLab repositories as part of your migration configuration. This enables automated runs via the version control system workflow, which provides stronger alignment with GitOps practices. ...

June 2, 2025

Secure AI workloads on Google Cloud with HashiCorp Vault

As AI continues to evolve and integrate into various industries, the need for secure and efficient management of credentials becomes increasingly critical. AI workloads often involve accessing sensitive data and resources, making robust security measures essential to prevent unauthorized access and ensure compliance. HashiCorp Vault offers a powerful solution for dynamic credential management, particularly within the Google Cloud Platform (GCP). By leveraging the Google Cloud Vault secrets engine, organizations can generate short-lived, temporary credentials that automatically expire, significantly reducing the risk of credential misuse. This dynamic approach eliminates the reliance on static, long-lived credentials, which are more vulnerable to security breaches. ...

May 30, 2025

Terraform adds new pre-written Sentinel policies for AWS Foundational Security Best Practices

Building on our recent release of pre-written Sentinel policies for Center for Internet Security (CIS) standards, which has already surpassed 550K downloads, we’re proud to announce the release of a new set of pre-written Sentinel policies for AWS. These new policy sets aim to lower the barrier of adoption for policy as code and help organizations meet AWS Foundational Security Best Practices (FSBP). The FSBP Sentinel policies are co-created and co-owned by HashiCorp and AWS, and are now available for use in the Terraform registry. ...

May 29, 2025

HCP Vault Radar agent: Local secret scanning at enterprise scale

As organizations scale, so does the surface area of risk, driven by the growing volume of code, systems, and users interacting across distributed environments. Beyond traditional security concerns, teams are now responsible for managing sensitive data in all its forms. This includes secrets; personally identifiable information (PII), which, unlike secrets, can’t be rotated or changed; and non-inclusive language (NIL), which poses both brand and retention risks. These challenges are especially relevant in industries with strict security, compliance, and governance requirements. ...

May 28, 2025