
Credentials posts

  • By Matthew Setter
    How to Manage Go Application Secrets Using Vault

    Modern software depends on secrets and other confidential information: API keys, tokens, and the older-fashioned usernames and passwords used to connect to remote servers and databases.

    While it was once seen as acceptable to store these alongside the code itself, that is no longer the case, particularly since the twelve-factor app methodology made keeping configuration in the environment the norm. Keeping any kind of secret within your code is considered bad security practice, with good reason: anyone who can read the source, including anyone who obtains a copy of the repository, can read the secret.

    Consequently, a range of approaches and tools have been developed to keep credentials out of code bases, keeping them secure and readily available to the code as and when required.

    In this tutorial, you're going to learn how to manage Go application secrets with HashiCorp Vault.

    If you're a PHP developer, check out the PHP version of this tutorial.

    Prerequisites

    To follow along …

    Read More
  • By Matthew Setter
    How to Manage Application Secrets With PHP Using Vault

    For far too many years, PHP developers stored application credentials and secrets, such as usernames, passwords, and API keys, alongside their code.

    While extremely convenient, this practice was a security nightmare just waiting to happen; if someone could access an application’s source code, they had access to all of its sensitive data too.

    Nowadays, this practice is nowhere near as common as it once was. Instead, it's now very common to store credentials separately from the code in dotenv (.env) files, which a dotenv library loads into environment variables when the application starts.

    However, while this is a significant improvement, this practice still isn't the best way to keep credentials and secrets secure. For example, if the .env file is accidentally committed to version control, then the credentials and secrets are once again stored alongside code.

    Alternatively, if a malicious actor can access the environment where an application is running from, they can access …

    Read More
  • By Laxman Eppalagudem
    Deadshot: Keep Sensitive Data Out of Code

    Code is no place for credentials, secrets, SQL statements, or any kind of sensitive data. But everyone makes mistakes, and it’s important to be able to catch human errors before they create real problems.

    It is impossible to manually monitor an organization's entire code base in the hope of catching sensitive changes before they escape into a commit history on GitHub, where they live forever. This is a problem every security team faces when dealing with product code.

    The Product Security team at Twilio needed an automated way to ensure that developers weren't accidentally adding sensitive data to code repositories, and to flag sensitive changes for a security review. We knew we couldn't monitor all code manually. Our solution: an automated way to monitor GitHub repositories in real time, catching sensitive data at the pull request stage and flagging it, along with changes to sensitive functionality, for a manual review. Thus was born Deadshot, which we're …
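    As an added illustration of the pull-request scanning approach the post describes, here is a small Python scanner written for this page (it is example code, not Deadshot's own source). It walks the lines a unified diff adds and flags any that match a credential pattern or that carry a high-entropy token. The patterns, the 4.0 bits/char entropy threshold and the sample diff are constructed assumptions for the example; the AWS key in the sample is the placeholder AWS uses in its own documentation.

    ```python
    """Illustrative pull-request secret scanner.

    Added example for this page, not Deadshot's source.  It walks the lines a
    unified diff adds and flags any that match a credential pattern or that carry
    a high-entropy token.  The patterns, the entropy threshold and the sample diff
    are constructed assumptions for the example, not rules taken from Deadshot.
    """
    import math
    import re
    from collections import Counter

    # Constructed patterns; a production scanner carries many more, tuned per provider.
    PATTERNS = {
        "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
        "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
        "assigned_password": re.compile(
            r"(?i)(?:password|passwd|pwd)\s*[=:]\s*['\"][^'\"]{6,}['\"]"
        ),
        "bearer_token": re.compile(r"(?i)\bbearer\s+[A-Za-z0-9\-._~+/]{20,}=*"),
    }

    # Any token this long whose per-character entropy clears the threshold gets a
    # human look.  4.0 bits/char is an assumption chosen so that long snake_case
    # identifiers stay below it while random API tokens land above it.
    TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
    ENTROPY_THRESHOLD = 4.0


    def shannon_entropy(s: str) -> float:
        """Shannon entropy of s in bits per character (0.0 for an empty string)."""
        if not s:
            return 0.0
        n = len(s)
        return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


    def added_lines(diff: str):
        """Yield (path, new_file_line_number, text) for every line a unified diff adds."""
        path = None
        new_no = 0
        for raw in diff.splitlines():
            if raw.startswith("diff "):
                path = None                      # a new file section begins
            elif raw.startswith("+++ "):
                path = raw[4:].split("\t")[0]
                path = path[2:] if path.startswith("b/") else path
            elif raw.startswith("@@"):
                m = re.search(r"\+(\d+)", raw)   # new-file start line of the hunk
                new_no = int(m.group(1)) if m else 0
            elif raw.startswith("+"):
                yield path, new_no, raw[1:]
                new_no += 1
            elif raw.startswith("-"):
                continue                         # removed line: old file only
            elif path is not None:
                new_no += 1                      # unchanged context line


    def scan_diff(diff: str):
        """Return findings as dicts with path, line, rule and the matched text."""
        findings = []
        for path, line_no, text in added_lines(diff):
            matched = False
            for rule, pattern in PATTERNS.items():
                m = pattern.search(text)
                if m:
                    findings.append({"path": path, "line": line_no,
                                     "rule": rule, "match": m.group(0)})
                    matched = True
            if matched:
                continue                         # don't double-report as high entropy
            for tok in TOKEN_RE.findall(text):
                if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
                    findings.append({"path": path, "line": line_no,
                                     "rule": "high_entropy", "match": tok})
        return findings


    # Constructed diff: the first three added lines should be flagged, the last one
    # (a long but low-entropy identifier) should not.
    SAMPLE_DIFF = """\
    diff --git a/config/settings.py b/config/settings.py
    --- a/config/settings.py
    +++ b/config/settings.py
    @@ -1,3 +1,6 @@
     import os
     
    -DB_PASSWORD = os.environ["DB_PASSWORD"]
    +DB_PASSWORD = "hunter2-prod-2021"
    +AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
    +API_TOKEN = "Zq3vX8kL2pR9mT4wY7bN1cF6hJ0dS5gA"
    +SESSION_TIMEOUT_SECONDS_DEFAULT = 3600
    """

    if __name__ == "__main__":
        for f in scan_diff(SAMPLE_DIFF):
            print(f"{f['path']}:{f['line']} [{f['rule']}] {f['match']}")
    ```

    Run against the constructed diff, the scanner reports the hard-coded password, the AWS access key ID and the random-looking API token, each with the path and new-file line number a reviewer would need, and stays quiet on the long but predictable identifier. A real deployment would hook this into a pull-request webhook and block or flag the change rather than print it.
    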

    Read More
  • By Laxman Eppalagudem
    Deadshot: Keep Sensitive Data Out of Code (French-language version)

    Code is no safe place for credentials, secret keys, SQL statements or any other kind of sensitive data. But everyone makes mistakes, and it is important to catch human errors before they lead to real problems.

    It is impossible to manually monitor an organization's entire code base in the hope of catching sensitive changes before they go live forever on GitHub. This is a problem every security team faces when dealing with product code.

    Twilio's Product Security team needed an automated way to make sure developers were not accidentally adding sensitive data to code repositories, and to flag sensitive changes for security review. We knew we could not monitor all the code manually. Our solution: an automated tool …

    Read More