When it comes to developing applications, a lot of sensitive information is involved: API keys, security certificates and credentials. These ‘secrets’ grant access to external systems and services, so they are highly sensitive. Yet because they are used programmatically, they have to be distributed to developers, applications and infrastructure.
This often results in “Secret Sprawl,” a situation where you can no longer keep track of who has access to which piece of sensitive information. It is not far-fetched: modern software development is highly distributed, and code is backed up and shared through messaging tools, repositories and similar channels, every one of which can leak.
Git repositories are especially tricky: a secret that was committed once stays in the history even after it has been removed from the current version of the code, so it has to be treated as compromised and rotated, not merely deleted. It is also difficult to monitor how code gets shared. Uber and the Indian government are among the entities that have had secrets leak through GitHub repositories and other avenues.
Secrets are commonly found hard-coded into applications and in .env files, configuration files, debug logs, infrastructure setup, JSON files, property files, XML, YAML and TypeScript files, among others. Attackers routinely run automated scanners against public repositories and similar spaces and try anything that looks like a key shortly after it appears.
Always handle credentials with care in software: do not hard-code secrets in source code, read them from environment variables or a secrets store where possible, and never add generated files such as debug logs to a git repository. Code reviews are oriented towards flaws in logic, so a commit that happens to contain a secret can easily slip through.
There are a number of practices that help you code securely and keep secrets from leaking:
When you create credentials, do not drop them into to_do.txt or creds.txt files and do not share them through messaging systems. Create only the credentials you actually need, and do not reuse one .env file across projects or environments.
When it comes to Git usage, always have a proper .gitignore file in your projects so that files such as .env, key material and logs cannot reach the repository (note that .gitignore does not affect files that are already tracked, so it must be in place before the first commit). Avoid wildcard commands such as git add . or git add -A and stage files explicitly. Commit small and often: a small diff is easy to review, so a stray secret is more likely to be noticed before it is pushed.
Where appropriate, use a secrets manager such as HashiCorp Vault or AWS Secrets Manager (AWS KMS manages the encryption keys that such services rely on rather than the application secrets themselves), and encrypt secrets whenever you do have to share them.
Use pre-commit hooks that scan staged changes for secrets and refuse the commit; a secret that never enters the history never has to be scrubbed from it.
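As an added example (not code from the original article), here is a minimal POSIX shell pre-commit hook that puts the last two points into practice: it refuses to commit paths that a .gitignore should already be excluding, and it greps the lines being added for a few well-known secret shapes. The path and content patterns, the sample lines in demo and the installation location are assumptions made for illustration; a dedicated scanner covers far more shapes than this.

```shell
#!/bin/sh
# Pre-commit hook that blocks commits which look like they contain secrets.
# Added example, not code from the original article. Install it by copying to
# .git/hooks/pre-commit and making it executable. The patterns below are
# illustrative rather than exhaustive; a dedicated scanner covers far more shapes.

# Paths that should never be committed (and that .gitignore should already exclude):
# dotenv files, private keys, scratch credential files and logs. Extended regex.
BLOCKED_PATH_PATTERN='(^|/)\.env(\.[^/]*)?$|\.(pem|key|p12|pfx)$|(^|/)id_(rsa|dsa|ecdsa|ed25519)$|(^|/)(creds|credentials|to_do|todo)\.txt$|\.log$'

# Content shapes: AWS access key IDs, PEM private-key headers, and a quoted literal
# of eight or more characters assigned to a password/secret/key/token variable.
# The quotes are required so that password = os.environ["DB_PASSWORD"] or "${DB_PASSWORD}"
# (the recommended way to load a secret) is not reported.
SECRET_PATTERN="AKIA[0-9A-Z]{16}|-----BEGIN( [A-Z]+)? PRIVATE KEY-----|(password|passwd|secret|api[_-]?key|token)[[:space:]]*[=:][[:space:]]*[\"'][^\"'[:space:]\$]{8,}[\"']"

blocked_path() {
    # True (exit 0) when the repository path given as $1 must not be committed.
    printf '%s\n' "$1" | grep -Eq "$BLOCKED_PATH_PATTERN"
}

scan_for_secrets() {
    # Reads text on stdin, prints each matching line with its line number and
    # returns 0 if anything matched, 1 otherwise. Matching is case-insensitive.
    grep -niE "$SECRET_PATTERN"
}

staged_added_lines() {
    # Only the lines this commit adds, without the leading '+' and the '+++ b/path'
    # headers, so a secret that is merely being deleted is not reported again.
    git diff --cached --no-color -U0 | grep '^+' | grep -v '^+++ ' | cut -c2-
}

run_hook() {
    status=0
    blocked=$(git diff --cached --name-only --diff-filter=ACMR |
        while IFS= read -r path; do
            blocked_path "$path" && printf '%s\n' "$path"
        done) || true
    if [ -n "$blocked" ]; then
        echo "pre-commit: refusing to commit files that should be ignored:" >&2
        echo "$blocked" >&2
        status=1
    fi
    if hits=$(staged_added_lines | scan_for_secrets); then
        echo "pre-commit: staged lines that look like secrets:" >&2
        echo "$hits" >&2
        status=1
    fi
    if [ "$status" -ne 0 ]; then
        echo "Move the value to an environment variable or a secrets manager, unstage the file and retry." >&2
        echo "(git commit --no-verify skips this hook; treat that as an exception, not a habit.)" >&2
    fi
    return "$status"
}

demo() {
    # Constructed sample of added lines, the kind of output staged_added_lines produces.
    # Lines 1, 4 and 5 are reported; lines 2 and 3 load the secret at runtime and are not.
    scan_for_secrets <<'EOF'
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
db_password = os.environ["DB_PASSWORD"]
api_key: "${API_KEY}"
token = "s3cr3t-t0ken-value-0001"
-----BEGIN OPENSSH PRIVATE KEY-----
EOF
}

# Git invokes this file as .git/hooks/pre-commit; under any other name (sourcing it,
# or running the demo) only the functions above are defined.
case "$0" in
    *pre-commit) run_hook; exit $? ;;
esac
```

Scanning only the added lines of the staged diff keeps the hook fast and means that a commit which removes a leaked value is not blocked by the value it removes. The hook is a safety net, not a guarantee: it can be skipped with git commit --no-verify, it only sees what is staged on the developer's machine, and its regexes will both miss unusual secret formats and occasionally flag harmless strings, so pair it with a server-side scan of pushed history.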
Before DevBreak is a series of live, online, tech talks. Each session features a senior tech expert from an innovative company, who demonstrates how they solved major programming challenges in their business. This series is part of DevBreak, the ultimate 2-day tech festival organised by talent.io.
talent.io is Europe's leading selective recruitment platform, which has raised over €10m and has more than 170 employees. We help great companies build great tech teams, in the simplest way: selected companies apply directly to vetted candidates. We cover most tech roles (software engineers, data scientists, product managers, DevOps engineers, CTOs). Our platform is open to permanent positions as well as freelance assignments, both on-site and remote.