In the latest video of our Security Culture series we talk about handling secrets. You can also listen in on our podcast.

What Is a Secret

What is a secret? In this context, a secret could be any of the following:

  • A database password
  • An SSH Key
  • A private key
  • An API Key
  • An AWS Secret
  • A user’s password

We’re talking about anything that is used in a running system as a way to prove that you are who you say you are.

Externalize Secrets

We never want secrets to be in our source code. For one thing, once they are in a SCM system like GitHub, it is very difficult to remove them. For another, we typically allow a lot more people to see the secrets in a place like GitHub than we really want. Finally, if a secret lives in GitHub (or any other SCM), it makes it harder to change when someone leaves.

We need to be able to really keep secrets secret!

We also really need to be able to change them easily.

Typically a way to do this is to externalize them - meaning look them up from somewhere outside of your system. That could be something like secrets manager or parameter store, HashiCorp Vault, or something else. We’ve seen people use tools to encrypt the secrets they store in GitHub (or their SCM).

Check For Secrets

The easiest way to make sure we don’t have secrets in our source code, is to go looking for them. As developers, we know as we read code and set up a project what the secrets are and how we get to them.

In addition to code review, we can find secrets in our code with tools like trufflehog or dumpster diver that look for entropy. We can also use something like Crush, Glue with SFL or even Grep for predefined secret names you want to watch out for.

If we want to get fancy, we can put that in a precommit hook so that we find it before it gets pushed to source control.

Conclusion

Keep secrets out of your source code.

We recommend:

  1. Reviewing code for secrets
  2. Externalizing secrets
  3. Having automation to check for new secrets

References

Matt Konda

Matt is a software engineer. He's our CEO and former Chair & OWASP Board Member.

Want to stay up to date with the lastest from Jemurai?

Sign up for our monthly newsletter!