In episode 104 of the Cybersecurity Minute, Rob Wood builds on one of his recent analyses by explaining how to handle hard-coded secrets.
This episode is sponsored by “Selling to the New Executive Buying Committee,” an Acceleration Economy Course designed to help vendors, partners, and buyers understand the shifting sands of how mid-market and enterprise CXOs are making purchase decisions to modernize technology.
Highlights
00:40 — Hard-coded secrets have been a hot topic since the software development boom, with cloud services taking off. Now, as more code is open source, disclosures are being made into the public arena that could be damaging.
01:19 — You might have an application programming interface (API) token or a special URL that lets you access back-end functionality. It might be another credential, such as a database connection string. You don’t want to see that kind of information leaked.
01:36 — It’s important to get some kind of technology, step, or stage in place in your continuous integration/continuous deployment (CI/CD) pipeline to test for that kind of thing before your code gets merged. But if you have one of those leaks and don’t rotate the secret, it will still be in version control.
02:12 — You have to close the loop so that even if somebody goes back in the version history and finds it, they won’t be able to take advantage of it. Just cleaning up the mess from the point that it was identified onward does not actually address the root of the issue.
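The two points above (a pre-merge check in the pipeline, and rotation because the value survives in version history) can be seen in a small scanner. The following is an added example and not code from the episode or from Rob Wood: the token patterns, the entropy threshold, the commit ids and every sample value are constructed for illustration.

```python
"""Pre-merge secret scanner (added example, not from the episode).

scan_lines() checks diff-style lines for a few well-known credential shapes
plus a generic "key = value" assignment filtered by entropy.
secrets_requiring_rotation() walks a constructed commit history to show why
deleting a secret from HEAD does not remove it from the repository.
"""
import math
import re

# Constructed sample values (obviously fake; shapes follow public formats).
AWS_EXAMPLE = "AKIA" + "XXXXXXXXEXAMPLE1"          # AKIA + 16 uppercase alnum
GITHUB_EXAMPLE = "ghp_" + "x" * 30 + "EXAMPL"        # ghp_ + 36 alnum chars

TOKEN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    # group 1 = variable name, group 2 = quoted value of 12+ chars
    "generic_assignment": re.compile(
        r"(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]([^'\"]{12,})['\"]"
    ),
}
ENTROPY_THRESHOLD = 3.5  # bits per character; an assumption, tune per codebase


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; low values suggest placeholders."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_lines(lines):
    """Return (line_no, kind, value) for each suspected secret in added lines.

    Lines beginning with '-' are skipped: a removed line cannot introduce a
    new leak into the branch being merged (its history is a separate problem).
    """
    findings = []
    for no, line in enumerate(lines, 1):
        if line.startswith("-"):
            continue
        text = line[1:] if line.startswith("+") else line
        for kind, pat in TOKEN_PATTERNS.items():
            for m in pat.finditer(text):
                value = m.group(2) if kind == "generic_assignment" else m.group(0)
                if kind == "generic_assignment" and shannon_entropy(value) < ENTROPY_THRESHOLD:
                    continue  # likely "changeme"-style placeholder, not a real secret
                findings.append((no, kind, value))
    return findings


# Constructed diff as it might appear in a pull request.
SAMPLE_DIFF = [
    '+AWS_ACCESS_KEY_ID = "' + AWS_EXAMPLE + '"',
    '+password = "changeme-changeme"',          # low entropy: treated as placeholder
    '-old_token = "' + GITHUB_EXAMPLE + '"',    # removed line: not a new leak
    '+GH_TOKEN = "' + GITHUB_EXAMPLE + '"',
    '+api_key = "q7Zp3xM9vL2kR8wT4nB6"',
    '+timeout = 30',
]

# Constructed history: commit c1 adds a secret, c2 "cleans it up" by moving it
# to an environment variable. Only HEAD changes; c1 still carries the value.
HISTORY = [
    ("c1-placeholder", ['+API_KEY = "q7Zp3xM9vL2kR8wT4nB6"']),
    ("c2-placeholder", ['-API_KEY = "q7Zp3xM9vL2kR8wT4nB6"',
                        '+API_KEY = os.environ["API_KEY"]']),
]


def secrets_requiring_rotation(history):
    """Every secret value added anywhere in history, even if later removed.

    Each value returned must be rotated; scrubbing HEAD alone leaves it
    recoverable by anyone who reads the earlier commit.
    """
    found = set()
    for _commit_id, lines in history:
        for _no, _kind, value in scan_lines(lines):
            found.add(value)
    return sorted(found)


if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_DIFF):
        print("block merge:", hit)
    print("rotate:", secrets_requiring_rotation(HISTORY))
```

In a CI job the diff would come from the merge request itself, and a non-empty result from `scan_lines()` fails the job before the branch is merged. The second function makes the rotation point concrete: the cleanup commit leaves HEAD clean, yet the value is still present in the first commit and must be invalidated at the provider.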