@N7x to appsecEnglish • 9 months agoGitHub Copilot, Amazon Code Whisperer emit people's API keyswww.theregister.comexternal-linkmessage-square11arrow-up120arrow-down11
arrow-up119arrow-down1external-linkGitHub Copilot, Amazon Code Whisperer emit people's API keyswww.theregister.com@N7x to appsecEnglish • 9 months agomessage-square11
minus-square@pixxelkick@lemmy.worldlinkfedilinkEnglish3•9 months agoA config file outside of the repository to be specific. On Linux it can go somewhere under ~ On windows it can go somewhere in AppData Ie; ~/YourAppName/Secrets.json or whatever your config file flavor is. Json, yaml, xml, whatevs
minus-square@tmRgwnM9b87eJUPq@lemmy.worldlinkfedilinkEnglish1•9 months agoNo. For development purposes I want my devs to be able to clone the repo and start. So the development config files are inside the repositories.
minus-square@DoomBot5@lemmy.worldlinkfedilinkEnglish0•9 months agoWow, that’s a terrible security process even for development configs. How about adding a script they can run right after cloning to pull the needed keys from a secure location using their own user credentials? Plenty of solutions out there.
minus-square@tmRgwnM9b87eJUPq@lemmy.worldlinkfedilinkEnglish0•9 months agoSo let’s say the code base leaks. Let’s say our VPN was also compromised. Then what is the worst that can happen? Some internal dev api with no real data in it can be tested by hackers.
A config file outside of the repository to be specific.
On Linux it can go somewhere under ~
On windows it can go somewhere in AppData
Ie;
~/YourAppName/Secrets.jsonor whatever your config file flavor is. Json, yaml, xml, whatevsNo. For development purposes I want my devs to be able to clone the repo and start.
So the development config files are inside the repositories.
Wow, that’s a terrible security process even for development configs. How about adding a script they can run right after cloning to pull the needed keys from a secure location using their own user credentials? Plenty of solutions out there.
So let’s say the code base leaks.
Let’s say our VPN was also compromised.
Then what is the worst that can happen? Some internal dev api with no real data in it can be tested by hackers.