Collaborate Disseminate
Does Digital Ocean have something similar to Credstash or AWS Secrets Manager (both AWS services)?
Trying to decide on the most secure way to store environmental variables with sensitive information (like database access codes, for exampl… Continue reading Digital Ocean ENV Variables – .env file, ENV Variables, or something else
I have a CloudFormation stack that currently resolves credentials from the AWS Systems Manager parameter store.
I’d like to change how it gets credentials.
Now I would like to:
Use the Python requests library to make a get request for … Continue reading Can passing credentials as parameters to CloudFormation templates via a build script be secure?
Given a serverless deployment of some kind (i.e. something that relies on AWS Lambda for computing), and secrets stored in AWS Secrets Manager, what difference from security standpoint is there between the following two options:
Basically, trying to wrap my brain around how I should be handling secrets using Docker, k8s, and Skaffold in a dev environment. I’m pretty new to this tech, so don’t fully understand all of it.
Just not sure if I should be … Continue reading Handling secrets and environmental variables in Docker-k8s-skaffold dev environment
I’ve been researching and testing different approaches when it comes to securing code secrets, and am unsure what the best options are, and if they even have any relevance once a host gets compromised.
Some standard approac… Continue reading Securing Code Secrets – What is the relevance if the host gets compromised?
I get the impression that it is a programming best practice to create variables in specific scopes (like a function scope) and avoid global scope to make things more modular and better organized. However I’m not sure if there is also a se… Continue reading Global variables and information security
Is it a security concern to store server-side key in plaintext in environment variables? And specifically with PHP, would I be safe by not calling phpinfo() or other kind of dumper?
Continue reading Storing server-side secret key in environment variable – is a concern?
I am currently working on fixing some security problems with our webapp as reported by VeraCode. Some of these pertain to “trust boundaries”, i.e, what inputs can be trusted.
In some cases, our problems appear to be due to … Continue reading Trust boundaries for webapps (vs desktop apps)
After reading this blog post in which the author lays out arguments against using environmental variables for storing secrets, I am unsure how to proceed with deploying my application.
His primary arguments are as follows:
Given that the… Continue reading Is it unsafe to use environmental variables for secret data?
I’m seeing a trend for deploying web apps to PaaS that the config is typically defined in environmental variables. e.g. Azure Functions or .net core apis
Assuming this has been done to follow good practice to ensure secrets … Continue reading Are environmental variables for web PaaS a bad security smell?