Potential keys or passwords are visible/hardcoded

Secrets such as API keys, tokens and passwords must be kept in a dedicated, access-controlled store, and must never be visible in plain text or hardcoded in source, configuration or infrastructure code.

Because a secret grants access rights to a multitude of services, data stores, file storage and more, it is a high-profile, sought-after piece of sensitive information in attacker communities.

Even if a secret is scoped with RBAC or least-privilege access, once it is exposed you still face the tedious job of tracing where it is used, locating every copy, rotating it, and observing the side effects of the rotation; until the rotation is complete, the leaked value remains valid. Storing secrets safely and securely from the start minimizes that exposure window and the productivity loss.

Problem

API keys, tokens or passwords are hardcoded or exposed in configuration files, infrastructure code (such as Terraform or CloudFormation templates) or application services.
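As an added illustration, not part of the original page or of any particular scanner, the following Python heuristic flags the three shapes this problem usually takes in source and configuration text: a credential-named variable assigned a quoted literal, a literal with a fixed, documented format (here the AWS access key ID prefix and length), and a long high-entropy literal under any name. The sample input, the credential-word list, the placeholder markers and the entropy threshold are constructed assumptions for the example, not the page's rule set.

```python
import math
import re

# Heuristic 1 (assumption for this example): a credential-like name assigned a
# quoted literal of at least 8 characters. Works for Python, YAML, .env and HCL.
CREDENTIAL_ASSIGNMENT = re.compile(
    r"""(?ix)
    \b(?P<name>[a-z0-9_.-]*
        (?:secret|password|passwd|api[_-]?key|access[_-]?key|private[_-]?key|token|credential)
        [a-z0-9_.-]*)
    \s*[:=]\s*
    ["'](?P<value>[^"'\s]{8,})["']
    """
)
# Heuristic 2: AWS access key IDs have a fixed prefix and length, so match them directly.
AWS_ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Heuristic 3: any long quoted literal, reported only when it looks like key material.
QUOTED_LITERAL = re.compile(r"""["']([^"'\s]{20,})["']""")
ENTROPY_THRESHOLD = 4.0  # bits per character; assumed cut-off for base62-like tokens
PLACEHOLDER_MARKERS = ("changeme", "placeholder", "example", "xxx", "todo")


def shannon_entropy(s: str) -> float:
    """Bits per character of a string; random key material sits well above 4."""
    n = len(s)
    if n == 0:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_placeholder(value: str) -> bool:
    """Template references (${VAR}, <VAR>) and obvious dummies are not leaked secrets."""
    v = value.lower()
    return v.startswith("${") or v.startswith("<") or any(m in v for m in PLACEHOLDER_MARKERS)


def scan_text(text: str):
    """Return (line_no, rule, evidence) for every suspected hardcoded secret."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        before = len(findings)
        for m in CREDENTIAL_ASSIGNMENT.finditer(line):
            if not is_placeholder(m.group("value")):
                findings.append((line_no, "credential-name", m.group("name")))
        for m in AWS_ACCESS_KEY_ID.finditer(line):
            findings.append((line_no, "aws-access-key-id", m.group(0)))
        if len(findings) == before:
            # Only fall back to the entropy rule when nothing more specific fired.
            for m in QUOTED_LITERAL.finditer(line):
                if shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
                    findings.append((line_no, "high-entropy-literal", m.group(1)))
    return findings


# Constructed sample input; none of these values are real credentials.
SAMPLE = """\
# constructed sample, not real credentials
db_host = "db.internal.example"
db_password = "hunter2hunter2"
api_key = os.environ["API_KEY"]
aws_access_key_id = "AKIAQQQQQQQQQQQQQQQQ"
token: "${GITHUB_TOKEN}"
SECRET_KEY = "changeme"
session_secret = "k9Tz2pQ7vL4mX1nB8rW5cY3hJ6dF0sA2"
data = "q8N3vZ7kL1pR4sT6wY9xA2cE5gH0jM"
"""

if __name__ == "__main__":
    for line_no, rule, evidence in scan_text(SAMPLE):
        print(f"line {line_no}: {rule}: {evidence}")
```

Lines 4, 6 and 7 of the sample are deliberately not reported: a lookup from the environment, a template reference and a placeholder are what the fix below looks like, and a scanner that flags them trains people to ignore it. The entropy rule will still produce false positives on long hashes and URLs; treat it as a review prompt, not a verdict.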

Fix

Infrastructure

  1. Use a cloud-native secret store, such as AWS Secrets Manager, and grant each workload read access only to the secrets it needs
  2. Use a dedicated vault product, such as:
    1. CyberArk Vault
    2. HashiCorp Vault
  3. Removing a hardcoded secret or password from the source does not remove it from the repository history: anyone with a clone, fork or cached copy can still read it. Treat an exposed secret as compromised and rotate it; rewriting history is an optional clean-up step, not a substitute for rotation.

Architecture

  1. Prefer a 12-factor architecture, which stores configuration (secrets included) in the environment rather than in the code
  2. Use a secret-loading library for your specific tech stack, such as a dotenv library that reads a local, git-ignored .env file into the environment for development, while production reads from the secret store or the environment directly
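The following is an added example, not code from the original page or from any dotenv library, of what the architecture fix looks like in Python: the hardcoded literal beside its replacement, which reads the secret from the environment, optionally pre-populated from a local .env file for development, and refuses to start when the secret is absent rather than falling back to a default. The minimal .env parser, the `MissingSecret` exception, the `redact` helper and the sample .env text are all assumptions made for this example.

```python
import os

# Before: the secret ships with the source and with every clone, fork and CI log.
# Constructed dummy value, kept only to show the anti-pattern being replaced.
HARDCODED_API_KEY = "sk-constructed-dummy-do-not-use"


def parse_dotenv(text: str) -> dict:
    """Minimal .env parser (example-only): KEY=VALUE lines, '#' comments,
    optional single/double quotes around the value, optional 'export ' prefix."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):].lstrip()
        key, sep, value = line.partition("=")  # split at the first '=' only
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]  # quoted: keep spaces and '#' verbatim
        else:
            value = value.split(" #", 1)[0].rstrip()  # unquoted: drop inline comment
        values[key] = value
    return values


def load_dotenv_into(env, text: str, override: bool = False):
    """Populate env (os.environ or any dict) from .env text. By default the real
    environment wins, so a committed .env cannot silently replace a deployed value."""
    for key, value in parse_dotenv(text).items():
        if override or key not in env:
            env[key] = value
    return env


class MissingSecret(RuntimeError):
    """Raised when a required secret is not configured."""


def get_secret(name: str, env=None) -> str:
    """After: fail closed. A missing secret is a configuration error,
    never a reason to fall back to a hardcoded default."""
    env = os.environ if env is None else env
    value = env.get(name)
    if not value:
        raise MissingSecret(f"required secret {name} is not set")
    return value


def require_secrets(names, env=None):
    """Start-up check: return the names that are not configured, so the service
    can refuse to boot with one clear message instead of failing on first use."""
    env = os.environ if env is None else env
    return [n for n in names if not env.get(n)]


def redact(secret: str) -> str:
    """For logs and error messages: never print the value, only a short suffix."""
    return "***" + secret[-4:] if len(secret) > 8 else "***"


# Constructed sample .env content for a developer machine; the file itself must
# be listed in .gitignore so it never reaches the repository.
SAMPLE_DOTENV = """\
# local development only
export DB_PASSWORD='p@ss word'
API_TOKEN=tok_constructed_123 # inline comment
HOME=/should/not/override
"""

if __name__ == "__main__":
    env = load_dotenv_into(dict(os.environ), SAMPLE_DOTENV)
    missing = require_secrets(["DB_PASSWORD", "API_TOKEN"], env)
    if missing:
        raise SystemExit(f"refusing to start, missing secrets: {missing}")
    print("API token loaded:", redact(get_secret("API_TOKEN", env)))
```

The `override=False` default is the important design choice: in production the process environment is populated by the platform (or by an agent that fetches from the secret store), and a stray .env file must not be able to shadow it. The `redact` helper exists because the most common way a secret that was moved out of the code leaks again is a debug log that prints the settings object.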

See