
Miguel Grinberg - Oops! I Committed My Password To GitHub!

What do AWS, GitHub, Travis CI, DockerHub, Google, Stripe, New Relic, and the rest of the myriad of services that make our developer life easier have in common?
They all give you secret keys to authenticate with. Did you ever commit one of these to source control by mistake? That happened to me more times than I'm willing to admit!

In this talk I'm going to go over the best practices to follow when writing Python applications that prevent this type of accident.

https://us.pycon.org/2018/schedule/presentation/98/

PyCon 2018

May 11, 2018

Transcript

  1. About Me
     • Flask Web Development
     • The Flask Mega-Tutorial
     • The Flask Webcast
     • Software Dev @ Rackspace
     • APIs, Microservices, Security
     • blog.miguelgrinberg.com
     • github.com/miguelgrinberg
     • @miguelgrinberg
  2. Did you ever commit a password to source control?
     "Yeah, but it was by accident"
     "Yeah, but it's fine because..."
  3. How (not) to fix a password leak accident
     • Make a new commit with the password removed
     • Rebase the commit
  4. Preventing Password Leaks in Code

     password = 'HeyDontLookAtMyPassword!'
     secret_key = 'fhgj5khl7D56Hj89'
     database_url = 'mysql://user:password@server/db'

     before: password = 'HeyDontLookAtMyPassword!'
     after:  password = os.environ['PASSWORD']

     before: secret_key = 'fhgj5khl7D5GHj89'
     after:  secret_key = os.environ.get('SECRET_KEY')

     before: database_url = 'mysql://user:password@server/db'
     after:  database_url = os.environ.get('DATABASE_URL', 'sqlite:///')
  5. Adding secrets to the environment
     • .profile, .bashrc or other user config files
     • .env file for your project (add it to .gitignore)
     • Do not type passwords in your shell!
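The pattern from slides 4 and 5 in one runnable piece, added here as an example rather than code from the talk: a minimal parser for a git-ignored .env file, a merge step in which values already present in the real environment win over the file, and a config loader that reads PASSWORD, SECRET_KEY and DATABASE_URL (the variable names on slide 4) and fails at startup if a required secret is absent. The .env format (KEY=VALUE, '#' comments, optional quotes, optional leading "export"), the MissingSecret exception, the helper names and the sample file contents are assumptions of this example.

```python
import os
from dataclasses import dataclass
from typing import Dict, Mapping, MutableMapping, Optional


class MissingSecret(RuntimeError):
    """Raised at startup when a required secret is absent from the environment."""


def parse_dotenv(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines (assumed .env format): blank lines and '#' comments
    are skipped, a leading 'export ' is tolerated, and matching single or
    double quotes around the value are stripped. Only the first '=' splits."""
    result: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):].lstrip()
        if "=" not in line:
            raise ValueError(f"malformed .env line: {raw!r}")
        key, value = line.split("=", 1)
        key, value = key.strip(), value.strip()
        if not key:
            raise ValueError(f"malformed .env line: {raw!r}")
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        result[key] = value
    return result


def merge_dotenv(text: str, env: MutableMapping[str, str]) -> MutableMapping[str, str]:
    """Copy parsed values into env without overriding keys already present,
    so values set by the real deployment environment always win over the
    developer's local .env file."""
    for key, value in parse_dotenv(text).items():
        env.setdefault(key, value)
    return env


def load_dotenv(path: str = ".env",
                env: Optional[MutableMapping[str, str]] = None) -> MutableMapping[str, str]:
    """Read a .env file if it exists and merge it into os.environ (or env).
    The file itself belongs in .gitignore; commit only its shape, e.g. a
    .env.example with placeholder values."""
    target = os.environ if env is None else env
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            merge_dotenv(fh.read(), target)
    return target


@dataclass(frozen=True)
class Config:
    password: str
    secret_key: str
    database_url: str

    def __repr__(self) -> str:
        # Keep secret values out of logs, tracebacks and debug pages.
        return "Config(password='***', secret_key='***', database_url='***')"


def config_from_env(env: Mapping[str, str]) -> Config:
    """The slide-4 pattern: secrets are read from the environment, a non-secret
    setting may carry a safe default, and a missing secret fails fast at
    startup with a message that names the variable, never the value."""
    missing = [name for name in ("PASSWORD", "SECRET_KEY") if not env.get(name)]
    if missing:
        raise MissingSecret("required environment variables not set: " + ", ".join(missing))
    return Config(
        password=env["PASSWORD"],
        secret_key=env["SECRET_KEY"],
        database_url=env.get("DATABASE_URL", "sqlite:///"),
    )


# Constructed sample of what a developer's git-ignored .env might hold.
SAMPLE_DOTENV = """
# local development only; never committed
PASSWORD='HeyDontLookAtMyPassword!'
export SECRET_KEY="fhgj5khl7D56Hj89"
"""


def demo() -> Config:
    """A deployment that already set SECRET_KEY, plus the local .env file:
    the deployment value wins, PASSWORD comes from the file, and
    DATABASE_URL falls back to the default."""
    env: Dict[str, str] = {"SECRET_KEY": "set-by-deployment"}
    merge_dotenv(SAMPLE_DOTENV, env)
    return config_from_env(env)


if __name__ == "__main__":
    print(demo())
```

Two choices matter here. The merge uses setdefault, so a value exported by the deployment (a CI job, a container spec, a shell profile) is never clobbered by a stale .env file, and the file can be absent entirely in production. The loader raises before the application serves a request, so a missing SECRET_KEY shows up as one clear startup error rather than as a silently insecure default; only the variable name appears in that error, and the Config repr masks every value so a logged config object does not become the next leak.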
  6. If the environment is not enough
     • Vault (Hashicorp)
     • Parameter Store (AWS)
     • Secret object (Kubernetes)
     • Ansible Vault
  7. DO's and DON'Ts
     • DO NOT write passwords or tokens in your code
     • DO import secrets from the environment or a secrets store
     • DO revoke any secrets that might have been compromised
     • DO NOT use services that don't offer easy revocation
     • DO NOT use the same password for more than one service
     • DO NOT use the same credentials for all users