1 - Secrets get reused

Secrets should be unique, so that it’s clear

  • which processes depend on each of them

  • what level of security each one provides

  • how to manage secrets one at a time (rotate or revoke one without touching the others)

Code files that handle auth secrets are likely to be security-relevant, so they deserve attention during the audit.

How does this happen?

Often it’s cumbersome to set a new environment variable while a feature is being implemented. Just to test things, an existing secret gets reused, and the reuse stays.

  • One and the same value is used as

    • a session secret

    • salt

    • DB password

    • …

  secret: process.env.SESSION_SECRET;

Example: Next.js

Can affect any language.

Test and fix

  • grep for the secret name and investigate every hit (grep -rn SESSION_SECRET --include='*.js' . ); a hit in a session config, a hashing helper and a DB config means the same value is serving several roles

  • stay on task: one grep, and one pass over its results, per audit objective

    • the order matters: don’t burn time auditing many things at once
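The two checks above turned into code, as an added example that is not part of the original page: auditSource() does the grep step over source text and reports env vars bound to more than one config key, and loadSecrets() is a startup guard that refuses roles sharing one value. The env var names PASSWORD_SALT, DB_PASSWORD and API_KEY and the sample source are constructed for the example.

```javascript
// Constructed sample source: one env var used as session secret, salt and DB password.
const SAMPLE_SOURCE = `
const session = { secret: process.env.SESSION_SECRET, maxAge: 3600 };
const hashing = { salt: process.env.SESSION_SECRET };
const db = { password: process.env.SESSION_SECRET, host: 'localhost' };
const ok = { apiKey: process.env.API_KEY };
`;

// Audit step: find `key: process.env.NAME` bindings and report every NAME
// that is bound to more than one distinct key (i.e. serves several roles).
function auditSource(source) {
  const re = /(\w+)\s*:\s*process\.env\.(\w+)/g;
  const keysByEnv = new Map();
  for (const [, key, envName] of source.matchAll(re)) {
    if (!keysByEnv.has(envName)) keysByEnv.set(envName, new Set());
    keysByEnv.get(envName).add(key);
  }
  const reused = {};
  for (const [envName, keys] of keysByEnv) {
    if (keys.size > 1) reused[envName] = [...keys].sort();
  }
  return reused; // e.g. { SESSION_SECRET: ['password', 'salt', 'secret'] }
}

// Hypothetical role names; one env var per role is the point.
const ROLES = ['SESSION_SECRET', 'PASSWORD_SALT', 'DB_PASSWORD'];

// Startup guard: every role must be set, and no two roles may share a value.
// Returns a list of problems; an empty list means the config is acceptable.
function loadSecrets(env) {
  const firstRole = new Map(); // secret value -> first role that used it
  const problems = [];
  for (const name of ROLES) {
    const value = env[name];
    if (!value) { problems.push(`${name} is not set`); continue; }
    const prev = firstRole.get(value);
    if (prev) problems.push(`${name} reuses the value of ${prev}`);
    else firstRole.set(value, name);
  }
  return problems;
}

console.log(auditSource(SAMPLE_SOURCE));
console.log(loadSecrets({ SESSION_SECRET: 'a', PASSWORD_SALT: 'a', DB_PASSWORD: '' }));
```

In a real service, call loadSecrets(process.env) before anything else and exit when it returns problems, so a reused secret never reaches production.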
