1 - Secrets get reused
By Marius Ciepluch
Secrets should be unique, so that it’s clear
what processes depend on them
what level of security is being present
management of secrets, one at a time
It’s likely that those code files with auth secrets have security implications.
How does this happen?
Often it’s cumbersome to set a new environment variable during the process of the implementation. Just to test things, a secret is being reused.
As
a session secret
salt
DB password
….
one and the same
secret: process.env.SESSION_SECRET;Example: Next.js
Can affect any language.
Test and fix
grep for secret name, and investigate the hits (
grep -r SESSION_SECRET *.js)stay on task: one grep, and reading the results per audit objective
the order matters: don’t burn time auditing many things at once
, multiple selections available,
Related content
LangChain, GPT-4 and a security motivation for Agents
LangChain, GPT-4 and a security motivation for Agents
More like this
Rocky Linux 9 (ARM64) security profiles for hardening based on the CIS benchmark (24.10.2023)
Rocky Linux 9 (ARM64) security profiles for hardening based on the CIS benchmark (24.10.2023)
More like this
AppSec Metrics with GH Advanced Security
AppSec Metrics with GH Advanced Security
More like this
Dependabot
Dependabot
More like this
Use Subresource Integrity (SRI) for hash-verified JavaScript imports on Squarespace
Use Subresource Integrity (SRI) for hash-verified JavaScript imports on Squarespace
More like this
CodeQL
CodeQL
More like this