Govardhana M K
How do you detect secrets in your source code?

Hackers stole source code and were inside GoDaddy for nearly 3 years!!

When this news broke, security became the talk of the tech world for the nth time.

Most service providers came forward with statements about how secure they are and how their clients can sleep peacefully.

The truth is: "We are only as good as our weakest link."

I know security is a vast and deep subject, but this is a good time to revisit the basics and understand secrets management in source code.

🔷 What is a Secret?
In simple terms, anything you would want to hide from others or from the outside world.

🔷 Some of the common forms of secrets are:
[1] Credentials (usernames and passwords)
[2] Database connection strings
[3] API keys and tokens
[4] RSA keys (private keys in general)
[5] Certificates

When these secrets are accidentally or intentionally embedded in the source code, the application and the infrastructure behind it are exposed to attack.

🔷 Is my DevSecOps pipeline not good enough?
Secrets detection in the CI/CD pipeline alone is not a good preventive measure: the scan runs, and remediation starts, only after the secret has already been committed. This is a poor, reactive approach.

🔷 How can I make it proactive then?
There are a few good tools, such as gitleaks, git-secrets and TruffleHog, that detect secrets in the code and block the commit before it ever reaches the repository.
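To make the difference between the reactive and the proactive approach concrete, here is an added example of a minimal pre-commit hook, written for this post and not taken from gitleaks, git-secrets or TruffleHog. It assumes it is installed as `.git/hooks/pre-commit` (a hypothetical path for this example) so that git runs it before each commit; the hook scans only the lines being added, matches them against patterns for the five secret forms listed above plus a Shannon-entropy check for random-looking tokens, and exits non-zero to abort the commit. The `AKIA...EXAMPLE` value is the publicly documented AWS sample key, and the embedded diff is a constructed sample.

```python
"""Minimal pre-commit secret scanner.

Added example, not code from the post or from gitleaks, git-secrets or TruffleHog.
Assumed deployment: copy to .git/hooks/pre-commit (hypothetical path) and make it
executable; git runs it before every commit and aborts the commit when the script
exits non-zero. scan_diff() can equally run in CI over `git diff base..head`.
"""
import math
import re
import subprocess
import sys
from collections import Counter

# Pattern rules covering the five secret forms from the post. The AKIA prefix and the
# PEM header lines are publicly documented formats; the rest are heuristics that will
# need tuning (and an allowlist) on a real code base.
RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----"),
    "certificate_block": re.compile(r"-----BEGIN CERTIFICATE-----"),
    "db_connection_string": re.compile(
        r"(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?)://[^\s:]+:[^\s@]+@", re.IGNORECASE
    ),
    # Only quoted literals count: `password = os.environ["X"]` is the right way to do
    # it and must not trip the rule.
    "password_assignment": re.compile(
        r"(?:password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*['\"][^'\"\s]{8,}['\"]",
        re.IGNORECASE,
    ),
}

# Entropy rule: long base64/hex-looking tokens with high Shannon entropy are flagged
# even when no pattern matches, which catches random API tokens of unknown shape.
TOKEN = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
ENTROPY_THRESHOLD = 4.5  # bits per character; a 32-char random base64 token scores ~5


def shannon_entropy(s):
    """Shannon entropy of a string, in bits per character."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def scan_line(line):
    """Return the names of every rule that fires on one line of source."""
    hits = [name for name, rx in RULES.items() if rx.search(line)]
    if any(shannon_entropy(t) > ENTROPY_THRESHOLD for t in TOKEN.findall(line)):
        hits.append("high_entropy_token")
    return hits


HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def scan_diff(diff_text):
    """Scan only the added lines of a unified diff.

    Returns (file, new_line_number, rule_name) tuples so the hook can point the
    developer at the exact line; removed lines never produce findings.
    """
    findings = []
    current_file = None
    new_lineno = 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            current_file = raw[4:].removeprefix("b/")
            continue
        m = HUNK_HEADER.match(raw)
        if m:
            new_lineno = int(m.group(1))
            continue
        if raw.startswith("+"):
            for rule in scan_line(raw[1:]):
                findings.append((current_file, new_lineno, rule))
            new_lineno += 1
        elif raw.startswith(" "):
            new_lineno += 1  # unchanged context line
        # '-' lines and diff/index headers do not advance the new-file line count
    return findings


# Constructed sample diff: a developer replaces an environment lookup with literals.
SAMPLE_DIFF = (
    "diff --git a/config.py b/config.py\n"
    "--- a/config.py\n"
    "+++ b/config.py\n"
    "@@ -1,2 +1,3 @@\n"
    " import os\n"
    '-DB_PASSWORD = os.environ["DB_PASSWORD"]\n'
    '+DB_PASSWORD = "hunter2hunter2"\n'
    '+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"\n'  # AWS's documented example access key id
)


def staged_diff():
    """Diff of what is about to be committed (index vs HEAD)."""
    return subprocess.run(
        ["git", "diff", "--cached", "--unified=0"],
        capture_output=True, text=True, check=True,
    ).stdout


def main():
    findings = scan_diff(staged_diff())
    for path, lineno, rule in findings:
        print(f"{path}:{lineno}: possible secret ({rule})", file=sys.stderr)
    if findings:
        print("Commit blocked: move the value to a vault or environment variable.", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Running `scan_diff(SAMPLE_DIFF)` reports the quoted password on line 2 and the AWS key on line 3, while the removed `os.environ` lookup produces nothing. The entropy check is what gives coverage for tokens whose format nobody wrote a pattern for, at the cost of false positives on legitimate high-entropy strings such as hashes in lock files, so in practice it is paired with a per-repository allowlist, which is exactly what the tools named above provide.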

❗ Remember, Security is everyone's responsibility. Any tool, automation, process, or framework is just an enabler. One shouldn't trade off security for faster delivery.

See the diagram below for an illustration of these points. 👇

[Diagram not included in this copy of the post]

Follow me here: https://www.linkedin.com/in/govardhana-miriyala-kannaiah/
for more content on Cloud / DevSecOps / Infrastructure as Code / CyberSecurity / Life
