Hacker News

With WebAuthn, it should be possible to require that credentials are frequently refreshed, which can only be done on the original device. mTLS has similar properties.

You can also require an authentication loop for each major service, so only services the developer is authenticated to would be vulnerable to credential stealing.

And for critical infrastructure, network security would help (e.g. a VPN). With hardware tokens required to initiate the connection, the attacker wouldn’t be able to spin up their own connection.

Finally, access to user secrets shouldn’t be a default level of access for engineers. Instead, that should require a break-glass escalation of privileges, reducing the risk of pilfering.
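The first point of the comment above, short-lived credentials whose refresh requires proof of possession of a key that never leaves the enrolled device, as an added illustration that is not the commenter's code and not taken from any real WebAuthn or mTLS implementation. Assumptions: the device-bound key is modelled as a symmetric HMAC secret held inside a `Device` object (a real authenticator would sign the challenge with a non-exportable private key), the server is an in-memory `AuthServer`, and the device id, TTL values and the fake clock are all constructed for the walk-through.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 300      # seconds a session token is valid before it must be refreshed
CHALLENGE_TTL = 60   # seconds a refresh challenge may stay outstanding


class Device:
    """The developer's device. Assumption: the device-bound key is a symmetric
    HMAC secret that never leaves this object; a real WebAuthn authenticator
    would hold a private key and sign the challenge instead."""

    def __init__(self, device_id: str):
        self.device_id = device_id
        self._key = secrets.token_bytes(32)

    def registration_material(self) -> bytes:
        # Handed to the server once at enrolment (stands in for the public key).
        return self._key

    def sign_challenge(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class AuthServer:
    """Issues short-lived tokens. Refreshing one needs a fresh, single-use
    challenge signed by the enrolled device, so a copied token cannot be kept
    alive by whoever stole it."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self._devices = {}     # device_id -> verification key
        self._tokens = {}      # token -> (device_id, expires_at)
        self._challenges = {}  # challenge -> (device_id, issued_at), single use

    def enrol(self, device: Device) -> None:
        self._devices[device.device_id] = device.registration_material()

    def new_challenge(self, device_id: str) -> bytes:
        if device_id not in self._devices:
            raise PermissionError("unknown device")
        challenge = secrets.token_bytes(32)
        self._challenges[challenge] = (device_id, self.clock())
        return challenge

    def refresh(self, device_id: str, challenge: bytes, signature: bytes) -> str:
        """Exchange a signed challenge for a new short-lived token."""
        entry = self._challenges.pop(challenge, None)  # pop: a replay finds nothing
        if entry is None or entry[0] != device_id:
            raise PermissionError("unknown or replayed challenge")
        if self.clock() - entry[1] > CHALLENGE_TTL:
            raise PermissionError("challenge expired")
        expected = hmac.new(self._devices[device_id], challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            raise PermissionError("bad signature")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (device_id, self.clock() + TOKEN_TTL)
        return token

    def validate(self, token: str) -> bool:
        entry = self._tokens.get(token)
        return entry is not None and self.clock() < entry[1]


def demo() -> dict:
    """Issue a token, let an attacker copy it, advance the clock past the TTL,
    then show that only the enrolled device can obtain a replacement."""
    now = [1_000_000.0]                       # constructed fake clock
    server = AuthServer(clock=lambda: now[0])
    laptop = Device("laptop-1")               # constructed device id
    server.enrol(laptop)

    c = server.new_challenge("laptop-1")
    token = server.refresh("laptop-1", c, laptop.sign_challenge(c))
    stolen = token                            # attacker exfiltrates the bearer token

    now[0] += TOKEN_TTL + 1                   # token lifetime passes
    stolen_valid = server.validate(stolen)

    # Attacker can request a challenge but cannot sign it without the device key.
    c2 = server.new_challenge("laptop-1")
    try:
        server.refresh("laptop-1", c2, secrets.token_bytes(32))
        attacker_refreshed = True
    except PermissionError:
        attacker_refreshed = False

    # The real device refreshes; replaying the same signed challenge is rejected.
    c3 = server.new_challenge("laptop-1")
    sig = laptop.sign_challenge(c3)
    fresh = server.refresh("laptop-1", c3, sig)
    try:
        server.refresh("laptop-1", c3, sig)
        replay_accepted = True
    except PermissionError:
        replay_accepted = False

    return {
        "stolen_token_valid_after_ttl": stolen_valid,
        "attacker_refreshed": attacker_refreshed,
        "device_refreshed": server.validate(fresh),
        "replay_accepted": replay_accepted,
    }
```

The two properties that matter are both in `refresh`: the challenge is popped so it can be used once, and the signature is checked against the key enrolled for that device, so a stolen token is only useful until `TOKEN_TTL` runs out. The same shape applies to mTLS, where the client certificate's private key plays the role of the device key.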



