Fortunate developers who are still unaffected by security incidents may wonder what the fuss over application secrets inside the source code is all about. There seems to be definite advantages in keeping secrets with the code. Everything is just easier. The VCS commit log gives you auditability for free, there is no additional infrastructure, there are no secret distribution hiccups between the developers and secret rotation is a non-issue.
There are many options for separating secrets from the source code but very little agreement. At least one point most security conscious developers agree on is this: Never store plaintext secrets inside the source code.
Never store plaintext secrets inside the source code.
The core reason is that once you have access to the source code you also have access to the secrets and they provide access to your database, infrastructure and third party services.
Modern code bases travel far and wide. Even “private” repos do. The developers all have at least one copy on their laptops, distributed version control makes it trivial to share it with anyone with a passing interest and lots of external services have access, from essentials like repo hosting services and continuous integration to gimmicks that populate the bug tracker with cute badges.
… once you have access to the source code you also have access to the secrets …
The reason stated above may seem slightly academic but both the developers and the company will face some concrete problems when secrets remain within the source code.
- When development and production secrets are all inside the code it is a matter of time until someone accidentally uses the wrong environment’s secrets and tests the incomplete DELETE feature on the production data.
- When you lose control over your source repo you simultaneously lose control of all your secrets. Even if you absolutely trust the multitude of external providers to never abuse your secrets, they will eventually get compromised and your secrets will be in some unknown entities’ possession.
- The secrets could provide clues to more ways of compromising your company’s data.
- Unauthorised access to your data can lead to lost user trust, financial loss and legal problems.
- Unauthorised access to your API keys enables impersonation of your company, running up bills with the service providers and access to your data residing on their servers.
- You will fail regulated industries’ compliance tests.
Most websites do not require financial industry level security but all websites need more security than storing unencrypted passwords in the source code.