on 07-May-2019 23:00
It's an easy mistake, but you'll only make it once: accidentally uploading your secrets to Github. What do you do now?
Sometimes, as developers, we want to put secrets (credentials, usernames, passwords, license keys, etc.) straight into our code. We know we should follow best practices, but sometimes we cut corners, and that is what leads to many breaches.
An example: your app in AWS needs read-only access to content in an S3 bucket. You may be tempted to create an IAM user and put that user's access keys into your app's code. Maybe you put them in a config file outside of your project. Or maybe you add the file to .gitignore so that it is never committed.
This is a dangerous practice because as long as your secret is stored unencrypted, you're in danger of accidentally committing it and sharing it with your team - or worse, the whole Internet. There are plenty of examples of devs accidentally uploading their AWS or Azure keys to GitHub, and guess what happens next? Hackers log into your AWS or Azure account using your credentials.
How do you "accidentally" upload your secrets by committing them in your code? It's easier than you think.
Here's an example from my own life: I was tasked with deploying VMs to Azure. My automated deployment scripts required a Service Principal. It was very tempting to put the secret for this Service Principal in my script, since it was normally run locally on my machine. This meant that if I ever shared my script, I would also be sharing my secrets. Not good.
However, I can store secrets securely and still automate my deployments. In my case, I used Azure Key Vault: the script holds nothing itself and retrieves the secret from the vault at deployment time. With this configured, I could share my code without fear, because running the script successfully requires access to the secret in Key Vault. Another user could develop with the same script using their own secrets. Much safer.
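Here is an added example of that pattern (it is not my original deployment script): a small wrapper that pulls the Service Principal secret from Key Vault with the Azure CLI at run time and hands it to whatever deployment tool you call, so nothing in the file is sensitive. It assumes `az login` has already been done with an identity that has get permission on the secret, that the vault name and secret name are passed in as arguments, and that the deployment tool reads `AZURE_CLIENT_SECRET` (the variable the Azure SDK's EnvironmentCredential reads; `AZURE_CLIENT_ID` and `AZURE_TENANT_ID` are not secrets and can stay in the script). The function names are my own.

```shell
# Added example, not the post's own script: deploy with a secret fetched from
# Azure Key Vault at run time. Assumes `az` is installed and already logged in.
set -eu

# Look up one secret value in Key Vault through the Azure CLI. Fails closed:
# a lookup error or an empty value aborts instead of deploying with a blank.
fetch_secret() {
  local vault="$1" name="$2" value
  value=$(az keyvault secret show --vault-name "$vault" --name "$name" \
            --query value -o tsv) || { echo "Key Vault lookup for '$name' failed" >&2; return 1; }
  [ -n "$value" ] || { echo "secret '$name' is empty" >&2; return 1; }
  printf '%s' "$value"
}

# Run the deployment command given as the remaining arguments, handing it the
# secret through the environment of that one child process only: it never
# appears on a command line (visible in `ps`), in shell history, or in this file.
deploy() {
  local vault="$1" name="$2" secret
  shift 2
  secret=$(fetch_secret "$vault" "$name") || return 1
  AZURE_CLIENT_SECRET="$secret" "$@"
}

# Usage: ./deploy.sh <vault> <secret-name> <deploy command...>
# e.g.   ./deploy.sh my-kv deploy-sp-secret python deploy_vms.py
if [ "$#" -ge 3 ]; then
  set +x          # never trace a script while it is holding the value
  deploy "$@"
fi
```

Because the value only ever lives in a variable and a child process environment, sharing the script shares nothing; a colleague points it at their own vault and secret name.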
Here are some other common ways that secrets are accidentally shared with the world:
Hackers scan sites like GitHub and Pastebin looking for well-known types of secrets, such as AWS access keys and Azure Service Principal secrets. They will discover and attempt to exploit your leaked credentials within seconds or minutes of you uploading them.
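The same pattern matching works in your favour if you run it before the push instead of after. Below is an added example (not from the original post) of a pre-commit check that greps the lines a commit adds for the shapes attackers look for: AWS access key IDs (documented as 20 characters starting with `AKIA` or `ASIA`), private key headers, and a heuristic rule for `password = "..."`-style assignments. The sample text it scans is constructed; none of the values are live credentials. The rule set, the minimum length of 16 for the assignment rule, and the inline `pragma: allowlist secret` marker (the same phrase the detect-secrets tool uses) are my choices.

```shell
# Added example, not the post's own tooling: a grep-based secret scanner that
# can run as a pre-commit hook. Assumes git is installed for the --staged mode.
set -eu

# Rules as name|flag|ERE. The AWS key ID shape is documented; the
# assignment rule is a heuristic and will miss short or oddly formatted values.
rules() {
  printf '%s\n' \
    'aws-access-key-id||(^|[^A-Z0-9])(AKIA|ASIA)[0-9A-Z]{16}([^A-Z0-9]|$)' \
    'private-key||-----BEGIN (RSA |EC |DSA |OPENSSH |PGP )?PRIVATE KEY( BLOCK)?-----' \
    "credential-assignment|i|(aws_secret_access_key|client[_-]?secret|password|api[_-]?key|token)[[:space:]]*[=:][[:space:]]*[\"']?[A-Za-z0-9/+=_~.!-]{16,}"
}

# Read text on stdin, print "line:rule:text" for every hit sorted by line,
# and return 1 if anything was found so a hook can block the commit.
# Lines carrying the allow-list marker are skipped (documented placeholders).
scan_for_secrets() {
  local input out rule name rest flag rx status
  input=$(mktemp); out=$(mktemp)
  cat > "$input"
  rules | while IFS= read -r rule; do
    name=${rule%%|*}; rest=${rule#*|}; flag=${rest%%|*}; rx=${rest#*|}
    grep -n -E ${flag:+-i} -e "$rx" "$input" |
      grep -v 'pragma: allowlist secret' |
      sed "s/^\([0-9]*\):/\1:$name:/" >> "$out" || true
  done
  sort -t: -k1,1n "$out"
  if [ -s "$out" ]; then status=1; else status=0; fi
  rm -f "$input" "$out"
  return $status
}

# Hook mode: scan only the lines this commit adds ("+" lines of the staged
# diff, minus the "+++" file header), so old history does not cause noise.
scan_staged_changes() {
  git diff --cached --unified=0 --no-color |
    grep '^+' | grep -v '^+++' | cut -c2- | scan_for_secrets
}

# Constructed sample input; nothing here is a live credential.
SAMPLE='# constructed sample; nothing here is a live credential
aws_access_key_id = AKIAQ2X7TEST00000001
aws_secret_access_key = "Xk3vP9qLmR2tWn7yZb4cDf6hJ8sAe1gUo5iVx0NT"
password = "changeme"
client_secret = "Zq9~vT2pLx.8sWm4RfB1yN7kC0dHgJ3e"
-----BEGIN RSA PRIVATE KEY-----
demo_token = "AKIAIOSFODNN7EXAMPLE"  # pragma: allowlist secret'

main() {
  if [ "${1:-}" = "--staged" ]; then
    scan_staged_changes || { echo "refusing to commit: possible secret in staged changes" >&2; exit 1; }
  else
    printf '%s\n' "$SAMPLE" | scan_for_secrets || echo "(exit status 1: a hook would block this commit)"
  fi
}
main "$@"
```

Install it as `.git/hooks/pre-commit` calling `main --staged`, or run it in CI over every push. It is a last line of defence, not a substitute for keeping the secret out of the working tree in the first place, and the assignment rule will produce some false positives that you tune with the allow-list marker.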
Below I have collated a few recommendations to remember when dealing with secrets in your application.
I'd love to hear what you are doing to protect yourself against your own future accidents - specifically at the intersection of secrets in code, source control, and accidents. Please share tips, advice, and recommendations!
Here are some related links from AWS and Github on this:
https://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html
https://aws.amazon.com/blogs/security/what-to-do-if-you-inadvertently-expose-an-aws-access-key/
https://help.github.com/en/github/authenticating-to-github/removing-sensitive-data-from-a-repository
If you commit sensitive data, such as a password or SSH key, into a Git repository, you can remove it from the history: to entirely remove unwanted files from a repository's history you can use either the git filter-branch command or the BFG Repo-Cleaner open source tool. Do this only after revoking or rotating the secret. By the time you notice, it has usually already been scraped, and rewriting history does nothing for clones, forks or scanners that already fetched the commit.
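As an added, end-to-end example (not taken from the GitHub page above), the following script builds a throwaway repository that reproduces the usual accident, a config file with a key committed and then deleted in a later commit, and shows that deletion alone leaves the key in history while `git filter-branch` plus reflog expiry and garbage collection actually removes the object. It assumes only that git is installed; the file name `config.ini`, the function names and the use of AWS's published example key `AKIAIOSFODNN7EXAMPLE` as the leaked value are my choices.

```shell
# Added example, not from the post or GitHub's docs: purge a file that was
# committed with a credential from every commit, then prove the blob is gone.
# Assumes git is installed. The key is AWS's published example key, not live.
set -eu

# Reproduce the common accident: a config file with a key is committed, then
# deleted in a later commit. Deleting it from the tree leaves it in history.
make_leaky_repo() {
  local repo
  repo=$(mktemp -d)
  git -C "$repo" init -q
  git -C "$repo" config user.email dev@example.com
  git -C "$repo" config user.name dev
  echo '# demo app' > "$repo/README.md"
  git -C "$repo" add README.md
  git -C "$repo" commit -q -m 'initial commit'
  printf 'aws_access_key_id = %s\n' 'AKIAIOSFODNN7EXAMPLE' > "$repo/config.ini"
  git -C "$repo" add config.ini
  git -C "$repo" commit -q -m 'add config'       # the leak
  git -C "$repo" rm -q config.ini
  git -C "$repo" commit -q -m 'remove config'    # not enough on its own
  echo "$repo"
}

# Number of commits on any ref whose diff touches the given path.
commits_touching() {
  git -C "$1" log --all --format=%H -- "$2" | wc -l | tr -d ' '
}

# Rewrite every ref so the path never existed, then delete the backup refs
# and reflog entries that would keep the old commits alive, and prune objects.
purge_path_from_history() {
  local repo="$1" path="$2"
  FILTER_BRANCH_SQUELCH_WARNING=1 git -C "$repo" filter-branch -f --prune-empty \
    --index-filter "git rm --cached --ignore-unmatch -q -- '$path'" -- --all >/dev/null
  git -C "$repo" for-each-ref --format='%(refname)' refs/original/ |
    while read -r ref; do git -C "$repo" update-ref -d "$ref"; done
  git -C "$repo" reflog expire --expire=now --all
  git -C "$repo" gc --prune=now --quiet
}

main() {
  local repo blob
  repo=$(make_leaky_repo)
  blob=$(git -C "$repo" rev-parse 'HEAD~1:config.ini')
  echo "before purge: $(commits_touching "$repo" config.ini) commit(s) touch config.ini"
  purge_path_from_history "$repo" config.ini
  echo "after purge:  $(commits_touching "$repo" config.ini) commit(s) touch config.ini"
  if git -C "$repo" cat-file -e "$blob" 2>/dev/null; then
    echo "blob $blob is still in the object store"
  else
    echo "blob $blob is gone from the object store"
  fi
  rm -rf "$repo"
}
main
```

Two caveats a practitioner should keep in mind. First, this only cleans your local clone; every collaborator has to re-clone, and any fork or earlier fetch, including the scanners from the section above, still has the original commit, which is why the secret is rotated first. Second, the `refs/original/` backup refs and the reflog are exactly what keep the old commits reachable after a rewrite, so skipping those two steps leaves the key recoverable with `git fsck --lost-found`.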