- user name / password
- database connection strings
- TLS Certificate / Key
- Application-specific content, etc.
Configurations of any kind (.ini, .yaml, .xml, etc.), including the OS configuration used for application tuning, MUST be versioned. Most of the time the packaging step bundles the application with one specific configuration; this is not good practice, because the artefact is then tied to one environment and every configuration change forces a rebuild instead of a config-only change.
Baking secrets into the artefact at build time is a big flaw: anyone who can read the image, package or repository has the secret. Storing secrets in environment variables is also a security issue: they are readable by every process running as the same user (for example via /proc/<pid>/environ on Linux), are inherited by child processes, and tend to end up in logs and crash dumps.
Secrets are better kept in a separate service (a secrets store / vault), from which applications pull a specific version of the relevant secret at runtime. The versioned configuration then carries only a reference to the secret, never its value.
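As an added example (not code from the original post or from any of the products referenced below), the following Python script shows the shape this takes: a versioned secret service stand-in, a versioned configuration that holds only references of the form secret://<name>@v<version> (the reference syntax, the secret names and the sample values are assumptions made for this example), and an application that resolves those references at start-up. It also shows why pinning a version matters: rotating a secret creates a new version, and the running application keeps the version it pinned until its configuration is bumped.

```python
"""Added example: pull pinned secret versions from a separate service at
start-up instead of baking them into the build or the environment."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class SecretVersion:
    version: int
    value: str


class SecretService:
    """In-memory stand-in for a versioned secret store. Vault KV v2, Azure Key
    Vault and AWS Secrets Manager all behave this way: every write creates a
    new version and a reader may pin one. Constructed for this example only."""

    def __init__(self) -> None:
        self._store: Dict[str, List[SecretVersion]] = {}

    def put(self, name: str, value: str) -> int:
        """Store a new version of `name` and return its version number (1-based)."""
        versions = self._store.setdefault(name, [])
        versions.append(SecretVersion(len(versions) + 1, value))
        return versions[-1].version

    def get(self, name: str, version: Optional[int] = None) -> str:
        """Return the pinned version, or the latest one when no version is given."""
        versions = self._store.get(name)
        if not versions:
            raise KeyError(f"unknown secret {name!r}")
        if version is None:
            return versions[-1].value
        if not 1 <= version <= len(versions):
            raise KeyError(f"{name!r} has no version {version}")
        return versions[version - 1].value


# Assumed reference syntax for this example: secret://<name>@v<version>.
SECRET_REF = re.compile(r"^secret://(?P<name>[A-Za-z0-9_/.-]+)@v(?P<version>\d+)$")

# Constructed sample configuration. It contains no secret values, only
# references, so it can be versioned in git next to the code.
CONFIG = {
    "db.host": "db.internal.example",
    "db.user": "app",
    "db.password": "secret://db/password@v1",
    "tls.key": "secret://tls/server-key@v1",
}


def resolve_config(config: Dict[str, str], service: SecretService) -> Dict[str, str]:
    """Replace every secret reference with the pinned value from the service.
    An unresolvable reference raises at start-up, which is preferable to
    running with a missing or stale credential."""
    resolved: Dict[str, str] = {}
    for key, raw in config.items():
        match = SECRET_REF.match(raw)
        if match:
            resolved[key] = service.get(match["name"], int(match["version"]))
        else:
            resolved[key] = raw
    return resolved


def demo() -> Dict[str, str]:
    """Walk through initial deployment, a rotation, and the config bump."""
    service = SecretService()
    service.put("db/password", "pw-2016-01")            # constructed value
    service.put("tls/server-key", "PRIVATE-KEY-PLACEHOLDER")  # constructed value
    first = resolve_config(CONFIG, service)

    # Rotation: the operator writes version 2. The application still resolves
    # the version pinned in its configuration, so nothing breaks mid-flight.
    service.put("db/password", "pw-2016-07")            # constructed value
    still_pinned = resolve_config(CONFIG, service)
    assert still_pinned["db.password"] == first["db.password"]

    # Cut-over is a configuration change (versioned, reviewable), not a rebuild.
    bumped = dict(CONFIG, **{"db.password": "secret://db/password@v2"})
    return resolve_config(bumped, service)


if __name__ == "__main__":
    print({k: ("<redacted>" if "secret://" in CONFIG[k] else v)
           for k, v in demo().items()})
```

In a real deployment the service is reached over an authenticated channel (the references below cover the AWS, Azure and Vault variants) and the resolved values stay in process memory; the point of the reference scheme is that the artefact, the environment and the versioned configuration never contain the value itself.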
References
AWS, EC2 Container Service (ECS)
https://blogs.aws.amazon.com/security/post/Tx2B3QUWAA7KOU/How-to-Manage-Secrets-for-Amazon-EC2-Container-Service-Based-Applications-by-Usi
https://infinum.co/the-capsized-eight/articles/hiding-secrets-in-vault
Why do secret stores / vaults not have a user interface?
https://feedback.azure.com/forums/170024-additional-services/suggestions/12370134-please-consider-user-interface-for-azure-key-vault
Azure Key Vault ( KV)
https://blogs.technet.microsoft.com/kv/
Android Key Store
https://developer.android.com/training/articles/keystore.html
Distelli
https://www.distelli.com/blog/keeping-your-application-secrets-safe
https://www.distelli.com/docs/kb/using-secure-package-with-secrets
Update:
Reference: https://changelog.com/podcast/239