re: If you were tasked to conduct a security audit on a server/database-backed web app, where would you start? VIEW POST

TOP OF THREAD FULL DISCUSSION
re: I would personally start by auditing server and database access, before delving into the code of the app and database queries themselves. This mean...
 

I'm a bit confused about what you mean with credentials and environment variables. Totally agree credentials should not be part of the code, but isn't it a common practice to have them injected into the target container/machine via environment variables, and to prohibit any login to the container/machine?

 

If you are using a CI/CD pipeline, it is definitively preferred to inject something like this from an encrypted env variable on the CI/CD system and not save anything on the host machine. It has the benefit of added security.

However, for a lot of smaller companies, the case of having a CI/CD pipeline is not always the case. I have seen a lot of admins deploying the app manually via SSH or RDP, by copying files or whatnot. Of course, while this is generally not acceptable for serious systems, we can't run from the fact it happens, especially for teams that are not as experienced in developing larger systems, or simply don't have any infrastructure experience.

I come from a .NET background, where there are a few solutions even for such cases:

  • Secrets manager
  • appsettings.{environment}.json files

The issue with this approach is that these files are not encrypted, so infrastructure breach will compromise the app. But, still, it's better than committing to a git repo.

code of conduct - report abuse