In the latest video of our Security Culture series, we talk about handling secrets. You can also listen in on our podcast.
What is a secret? In this context, a secret could be any of the following:
- A database password
- An SSH Key
- A private key
- An API Key
- An AWS Secret
- A user's password
We're talking about anything a running system uses to prove that you are who you say you are.
externalize secrets
We never want secrets to be in our source code. For one thing, once they are in an SCM system like GitHub, it is very difficult to remove them from the history. For another, we typically allow a lot more people to see the secrets in a place like GitHub than we really want. Finally, if a secret lives in GitHub (or any other SCM), it is harder to rotate when someone leaves.
We need to be able to really keep secrets secret!
We also really need to be able to change them easily.
The typical way to do this is to externalize them: look them up from somewhere outside of your system. That could be something like AWS Secrets Manager or Parameter Store, HashiCorp Vault, or another secret store. We've also seen people use tools such as Mozilla SOPS to encrypt the secrets they store in GitHub (or their SCM).
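As an added example (not code from the video or the post), here is one minimal way to externalize a secret in Python: resolve it by name from the environment or from a mounted secrets file, fail loudly if it is missing, and wrap the value so it does not leak through logging or repr by accident. The lookup order, the `/run/secrets` directory, and the `DB_PASSWORD` / `DB_HOST` names are assumptions of this example.

```python
import os
from pathlib import Path

# What we want to avoid: the credential sits in source and in git history forever.
#   DB_PASSWORD = "hunter2"   # constructed placeholder, not a real credential


class SecretNotFound(RuntimeError):
    """Raised when a required secret is not configured anywhere."""


class Secret:
    """Holds a secret value but refuses to show it in repr/str/logging."""

    def __init__(self, value):
        self._value = value

    def reveal(self):
        """The only way to get the raw value out; call it at the point of use."""
        return self._value

    def __repr__(self):
        return "Secret(****)"

    __str__ = __repr__


def load_secret(name, env=None, secrets_dir="/run/secrets"):
    """Resolve a secret by name from outside the code base.

    Lookup order (an assumption of this example, not a standard):
      1. the environment variable NAME
      2. the file <secrets_dir>/<NAME> (the layout used by Docker and
         Kubernetes mounted secrets)
    There is deliberately no default value: a missing secret is an error.
    """
    env = os.environ if env is None else env
    value = env.get(name)
    if value:
        return Secret(value.strip())
    path = Path(secrets_dir) / name
    if path.is_file():
        return Secret(path.read_text(encoding="utf-8").strip())
    raise SecretNotFound(f"secret {name!r} not found in environment or {secrets_dir}")


def connect_db(env=None, secrets_dir="/run/secrets"):
    """Build a connection string without the password ever appearing in code.

    Returns the string; a real application would hand it to its DB driver.
    """
    env = os.environ if env is None else env
    password = load_secret("DB_PASSWORD", env, secrets_dir)
    host = env.get("DB_HOST", "localhost")
    return f"postgresql://app:{password.reveal()}@{host}/app"


def demo():
    """Exercise all three lookup paths with constructed values and a temp dir."""
    import tempfile

    with tempfile.TemporaryDirectory() as d:
        Path(d, "DB_PASSWORD").write_text("from-file\n", encoding="utf-8")
        from_env = load_secret("DB_PASSWORD", {"DB_PASSWORD": "from-env"}, d).reveal()
        from_file = load_secret("DB_PASSWORD", {}, d).reveal()
        try:
            load_secret("DB_PASSWORD", {}, Path(d, "empty"))
            missing = False
        except SecretNotFound:
            missing = True
    return {"env": from_env, "file": from_file, "missing_raises": missing}


if __name__ == "__main__":
    print(demo())
    # The wrapper keeps the value out of casual output: prints Secret(****)
    print(load_secret("DB_PASSWORD", {"DB_PASSWORD": "x"}, "/nonexistent"))
```

Rotating the credential is now a deploy-time change (new environment variable or new mounted file) rather than a commit, which is the property the post is after.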
check for secrets
The easiest way to make sure we don't have secrets in our source code is to go looking for them. As developers, we know as we read code and set up a project what the secrets are and how we get to them.
In addition to code review, we can find secrets in our code with tools like TruffleHog or DumpsterDiver that look for high-entropy strings. We can also use something like Crush, Glue with SFL, or even grep for predefined secret names you want to watch out for.
If we want to get fancy, we can put that in a pre-commit hook so that we find it before it gets pushed to source control.
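As an added example covering both of the points above (it is not code from the post, nor from TruffleHog, DumpsterDiver, Crush or Glue), the script below combines the two detection ideas, Shannon entropy on long tokens and a grep-style list of predefined secret names, and then uses them as a pre-commit hook over the staged diff. The name patterns, the 20-character token length, the 4.0-bit entropy threshold and the sample lines are all constructed for this example and should be tuned to your code base.

```python
import math
import re
import subprocess
import sys

# Grep-style patterns for "predefined secret names" (constructed; tune per org).
NAME_PATTERNS = [
    ("assignment to a secret-named variable",
     re.compile(r"(?i)\b(aws_secret_access_key|aws_access_key_id|db_password|api_key|private_key)\b\s*[:=]")),
    ("AWS access key id format",
     re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("PEM private key header",
     re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
]

# Entropy check: only look at tokens long enough to be a credential.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; random base64/hex sits well above this


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_line(line):
    """Return [(kind, detail)] findings for one line of text."""
    findings = []
    for label, pattern in NAME_PATTERNS:
        if pattern.search(line):
            findings.append(("name", label))
    for token in TOKEN_RE.findall(line):
        if shannon_entropy(token) >= ENTROPY_THRESHOLD:
            findings.append(("entropy", token))
    return findings


def scan_text(text, path="<stdin>"):
    """Scan a whole file body; returns [(path, lineno, kind, detail)]."""
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, detail in scan_line(line):
            results.append((path, lineno, kind, detail))
    return results


def staged_added_lines():
    """Yield (path, line) for every line added in the staged diff (pre-commit use)."""
    diff = subprocess.run(
        ["git", "diff", "--cached", "--unified=0", "--no-color"],
        capture_output=True, text=True, check=True,
    ).stdout
    path = None
    for line in diff.splitlines():
        if line.startswith("+++ "):
            path = line[4:]
            path = path[2:] if path.startswith("b/") else path
        elif line.startswith("+") and not line.startswith("+++"):
            yield path, line[1:]


# Constructed sample input: the two key values are the placeholder examples
# from AWS's own documentation, not live credentials.
SAMPLE = (
    'aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    'aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"\n'
    'user = os.environ["DB_USER"]\n'
    'password = load_secret("DB_PASSWORD")\n'
)


if __name__ == "__main__":
    hits = []
    for path, text in staged_added_lines():
        for kind, detail in scan_line(text):
            hits.append((path, kind, detail))
    for path, kind, detail in hits:
        # Print only a prefix so the hook itself never echoes a whole secret.
        print(f"{path}: possible secret ({kind}): {detail[:12]}...", file=sys.stderr)
    sys.exit(1 if hits else 0)
```

Save it as `.git/hooks/pre-commit` and make it executable to block commits that add matches; run `scan_text` over file contents for a one-off sweep of an existing repository. Note that the sample's access key id (`AKIA...`) has entropy below the threshold and is caught only by the name patterns, which is why the two checks complement each other.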
conclusion
Keep secrets out of your source code.
We recommend:
- Reviewing code for secrets
- Externalizing secrets
- Having automation to check for new secrets
references
- Glue - Swiss army knife of code tools
- Crush
- Secrets Manager
- Parameter Store
- Vault
- Mozilla SOPS
- TruffleHog
- DumpsterDiver