How to prevent secrets from seeping into your code

Hardcoding company secrets into your code is a serious but avoidable security risk.

Translated from "How to Prevent Secrets from Creeping into Code" by Robert Curlee.

Secrets often end up in published code, exposing their owners to security risk. These secrets include passwords, API keys, encryption keys, tokens, database credentials, and other private company information.

Hardcoding secrets in source code is dangerous, and despite a developer's most conscientious efforts, secrets can still seep in. Developers may take shortcuts and paste secrets into the code as they write it, or they may not realize the impact of a secret sitting in the code. Additionally, most scanning solutions leave it to the developer to work out why the code was flagged. Finally, most tools only look for secrets in the code repository after a leak has already occurred, which requires painful remediation (i.e., rotating the secrets).

Under time pressure, properly managing, storing, and protecting secrets can be complicated, misunderstood, or simply skipped. Additionally, if companies don't know when and where secrets enter a project, they can't prevent them from leaking when the project is released and compromising its security.

Credentials and other secrets that have leaked into code regularly make headlines, and the number of exposures keeps growing because of human error. Tools that catch secrets in the IDE and throughout the CI/CD pipeline, before they have a chance to cause problems, are game-changers.

Learn how secrets find their way into code

Being able to detect secrets before they leak in code lets organizations reduce their risk exposure. By catching them in the IDE, you avoid the pain of rotating secrets to remediate a leak. But first, you need to understand how secrets end up in your code. There are several reasons:

1. Lack of knowledge

Possibly due to lack of experience or inadequate training, some developers may simply not understand proper secrets management and source code security. It only takes one developer who doesn't know the best practices for handling secrets in code to put a company into the hands of threat actors. If knowledge is power, then the best line of defense is a knowledgeable team.

2. By mistake

A developer might temporarily hardcode credentials or secrets for quick local testing, intending to remove them later. Sometimes, however, these files are accidentally committed to a public repository, making the temporary change permanent. Even if the code is later deleted, someone may have copied it, secrets included, before the cleanup. It's human to make mistakes, but when the consequences can be huge, it's best to prevent them proactively whenever possible.

3. Blind trust

Solving problems yourself is a great way to learn, and sometimes a problem is so specific that the only way to solve it is on your own. If it is eating up a lot of time and you can't find a solution, it's reasonable to seek help from product documentation and sites like Stack Overflow. However, while these materials provide useful explanations and examples, they should not simply be copy-pasted and taken at face value.

Code from Stack Overflow and documentation can answer the question, but it is not necessarily the safest way to implement a solution. For example, documentation often contains code snippets to illustrate a product's features, but may not mention whether they should be used with caution or whether safer options exist. The result? Bad code. Any solution you introduce into your code base should be properly evaluated to confirm that it meets quality standards and does not cause problems in the code.

Another trust issue that leads to secrets leaking into code is the increasing use of AI-generated code. As generative AI becomes more popular in development, you'll see an increase in the number of lines of code you need to scan and in the number of secrets issues. AI-generated code might lead you to think that the correct way to connect to a service is to hardcode a token or secret. Depending on the quality of the prompts and the model's awareness of the problem, the AI may not generate clean code and may lead to a leaked secret. AI-generated code can serve as a starting point for understanding how to connect to a service, but you must modify it to use a secrets vault.

Ultimately, you must challenge any code you find or generate with AI. Organizations must ensure that their development teams have the right code quality tools in place to prevent secrets from seeping into code and to address any leaks at the earliest possible stage of development.
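As an added illustration (not code from the original article or from Sonar), here is the hardcoded form that copied or generated code tends to produce, beside a runtime lookup that fails closed instead of falling back to a literal. The /run/secrets directory, the SERVICE_TOKEN name, and the placeholder list are assumptions for this example.

```python
import os
from pathlib import Path
from typing import Mapping, Optional

# Assumptions for this example: secrets reach the process either as environment
# variables set by the deployment platform or as files in a directory mounted by
# the orchestrator (the default path below is an assumption, not a standard).
DEFAULT_SECRETS_DIR = Path("/run/secrets")
# Values an assistant or a copied snippet tends to leave behind; treat as absent.
PLACEHOLDERS = {"", "changeme", "<token>", "your-api-key", "xxxxxxxx"}


class SecretUnavailable(RuntimeError):
    """Raised instead of silently falling back to a literal default."""


# Before (typical of copied or generated code; constructed value, not a real key):
#     client = ServiceClient(token="sk-live-0123456789abcdef")
# After: the token is resolved at runtime and never written into source.
def load_secret(name: str, env: Optional[Mapping[str, str]] = None,
                secrets_dir: Path = DEFAULT_SECRETS_DIR) -> str:
    """Resolve a secret by name: environment first, then a mounted file.
    Fails closed when the value is missing or is still a placeholder."""
    env = os.environ if env is None else env
    value = env.get(name)
    if value is None:
        path = secrets_dir / name
        if path.is_file():
            value = path.read_text(encoding="utf-8").strip()
    if value is None or value.strip().lower() in PLACEHOLDERS:
        raise SecretUnavailable(f"secret {name!r} is not provided or is a placeholder")
    return value


def has_usable_secret(name: str, env: Optional[Mapping[str, str]] = None,
                      secrets_dir: Path = DEFAULT_SECRETS_DIR) -> bool:
    """Startup check: report whether a secret resolves, without ever logging it."""
    try:
        load_secret(name, env, secrets_dir)
        return True
    except SecretUnavailable:
        return False


def redact(value: str) -> str:
    """What goes into a log line instead of the secret itself."""
    return f"{value[:2]}***({len(value)} chars)"


if __name__ == "__main__":
    token = load_secret("SERVICE_TOKEN")  # raises if the operator did not set it
    print("connecting with token", redact(token))
```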

Catch secrets from the start

When an exposed secret is flagged at the point of introduction, whether in real time while coding or just before a commit, it saves the team a lot of headaches. Human errors happen, but by running the right checks at the right time, you can head off the consequences early.

The best place to detect and resolve these issues in the development workflow is at the beginning, in the IDE. Secrets detection in SonarLint, SonarQube, and SonarCloud lets organizations find exposed secrets in source code, eliminate their exposure, and reduce the security risk of illegal or unauthorized access to private data. Developers using SonarQube Enterprise Edition 10.3 and later can also create custom secret pattern detection rules. Pairing these with the Clean as You Code (CaYC) and Learn as You Code methods supports the delivery of clean code: code that produces maintainable, reliable, and secure software.

By eliminating secrets from code in the IDE, from the very beginning of development, teams keep them out of their repositories. Detecting and removing secrets early in a project reduces the complex and expensive remediation required when an exposed secret is discovered later in the release cycle.
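The "just before a commit" check described above, as an added example that is not part of the original article and not Sonar's ruleset: a small pre-commit style scanner that inspects only the lines a commit would add, applies two assumed heuristic patterns, honours an allowlist for deliberate placeholders, and exits non-zero so the commit is blocked. The sample diff and every key-like value in it are constructed.

```python
import re
from typing import List, Tuple

# Assumed heuristic rules in the style of a custom secret pattern check.
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("hardcoded-credential-assignment",
     re.compile(r"(?i)\b(password|passwd|secret|token|api[_-]?key)\b\s*[:=]\s*['\"][^'\"]{8,}['\"]")),
]
# Markers for deliberate placeholders, so docs and fixtures do not block commits.
ALLOWLIST = ("<redacted>", "changeme", "placeholder")


def scan_diff(diff_text: str) -> List[Tuple[int, str, str]]:
    """Scan only ADDED lines ('+' prefix, excluding the '+++' file header) and
    return (line number within the diff, rule id, offending line)."""
    findings = []
    for n, line in enumerate(diff_text.splitlines(), start=1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        added = line[1:]
        if any(marker in added.lower() for marker in ALLOWLIST):
            continue
        for rule_id, pattern in RULES:
            if pattern.search(added):
                findings.append((n, rule_id, added.strip()))
                break  # one finding per line is enough to block the commit
    return findings


# Constructed sample diff: the "temporary" hardcoded values the article warns
# about, next to a safe environment lookup and an allowlisted placeholder.
SAMPLE_DIFF = """\
diff --git a/client.py b/client.py
--- a/client.py
+++ b/client.py
@@ -1,4 +1,6 @@
 import os
+AWS_ACCESS_KEY_ID = "AKIATESTTESTTESTTEST"  # constructed, not a real key
+api_key = "sk-live-0123456789abcdef"        # constructed, not a real key
+api_token = os.environ["SERVICE_TOKEN"]     # fine: value is not in source
+password = "changeme-placeholder"           # allowlisted placeholder
-old_setting = True
"""

if __name__ == "__main__":
    findings = scan_diff(SAMPLE_DIFF)
    for line_no, rule_id, text in findings:
        print(f"diff line {line_no}: {rule_id}: {text}")
    raise SystemExit(1 if findings else 0)  # non-zero exit blocks the commit
```

In a real hook the diff text would come from `git diff --cached`, and the allowlist and rules would live in a reviewed config rather than in the script.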

This article was first published on Yunyunzhongsheng (https://yylives.cc/); everyone is welcome to visit.


Origin: my.oschina.net/u/6919515/blog/11063471