Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Keep it Secret, Keep it Safe

Eric Mann
June 02, 2017
Technology
0
80

Keep it Secret, Keep it Safe

Managing passwords in userland is tricky enough, but clever tools like 1Password and LastPass have made it easier than ever to protect our social media accounts. Two-factor authentication tools have made us safer still by preventing even weak password from being easily bypassed. Unfortunately, none of this helps us with passwords and credentials in our code.

First, we’ll define the threat models that affect secret data within our PHP apps – and how this sensitive information could be exploited. Then, we’ll survey the landscape of tools available to manage secrets safely so our data stays secure. Finally, we’ll work through the code required to tie everything together and keep our access keys both secret and safe from nefarious third parties.

Eric Mann

June 02, 2017
Tweet

More Decks by Eric Mann

See All by Eric Mann
Asynchronous Awesome
ericmann
0
50
WordPress, Meet AI
ericmann
0
23
Cooking with Credentials
ericmann
0
29
OWASP Top Ten in Review
ericmann
0
19
Monkeys in the Machine
ericmann
0
95
Asynchronous Awesome
ericmann
0
180
Evolution of PHP Security
ericmann
0
220
Web Application Security Update: Top Vulnerabilities
ericmann
0
96
Asynchronous Awesome
ericmann
0
74

Other Decks in Technology

See All in Technology
Material 3 やめました / Good-bye M3 design system
yanzm
3
2.4k
できる!アクセシビリティ向上/droidkaigi2023-day2
nikkei_engineer_recruiting
0
1.4k
アジャイルな組織を作るために開発チーム作成ガイドを書いた話 / Scrum Fest Mikawa 2023
ama_ch
3
1.6k
レイヤードアーキテクチャにおける 例外との向き合い方
yukihiromori
0
1.4k
サーバーレス技術とDevSecOps: 安全かつ迅速なデプロイメントの新時代
gl_tsukasa
1
220
生成AIと著作権 〜生成AIによって生じる著作権関連の課題と対処
line_developers
PRO
2
630
組織・プロセス・技術 - フロントエンドの生産性向上への複眼的アプローチ / 20230921
bengo4com
3
680
dojo230914
mitsuakitohei
1
200
クラウドだからできた 地方主導のJAWS DevOps
matsuihidetoshi
2
170
[PHPカンファレンス沖縄2023]【実践編】良いプロダクト作りのための組織育成 健全なコードは健全な組織、健全なチームから
ikezoemakoto
1
190
Generative UX in LLM Application
huffon
1
360
self-hosted runnerと actions/cache の噛み合わせが悪かった件 #githubactionsmeetup
whywaita
PRO
1
130

Featured

See All Featured
How New CSS Is Changing Everything About Graphic Design on the Web
jensimmons
215
12k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
5
660
Six Lessons from altMBA
skipperchong
17
2.6k
[Brighton Ruby 2023] The Magic of Rails
eileencodes
3
270
Done Done
chrislema
178
15k
Git: the NoSQL Database
bkeepers
PRO
420
61k
From Idea to $5000 a Month in 5 Months
shpigford
376
45k
Side Projects
sachag
450
39k
Support Driven Design
roundedbygravity
91
9.2k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
219
21k
Build The Right Thing And Hit Your Dates
maggiecrowley
23
1.7k
In The Pink: A Labor of Love
frogandcode
135
21k

Transcript

  1. KEEP IT SAFE
    @ERICMANN

    View Slide





  2. View Slide




  3. View Slide

  4. • EXPOSED THE DOCKER REGISTRY FOR VINE TO THE PUBLIC


    View Slide




  5. View Slide

  6. View Slide

  7. View Slide






  8. View Slide

  9. View Slide






  10. View Slide



  11. View Slide

  12. $ pip install credstash
    $ credstash setup
    $ credstash put database_connection_string mysql:dbname=testdb;host=127.0.0.1
    $ credstash put database_user user
    $ credstash put database_pass password

    View Slide

  13. composer require gmo/credstash

    View Slide

  14. $sdk = new Aws\Sdk($config);
    $credstash = CredStash\CredStash::createFromSdk($sdk);
    $dsn = $credstash->get('database_connection_string');
    $user = $credstash->get('database_user');
    $pass = $credstash->get('database_pass');
    $dbh = new PDO($dsn, $user, $pass);

    View Slide




  15. View Slide

  16. View Slide






  17. View Slide




  18. View Slide

  19. # .env
    DATABASE_CONNECTION_STRING="mysql:dbname=testdb;host=127.0.0.1"
    DATABASE_USER="user"
    DATABASE_PASS="password"
    # .gitattributes
    .env filter=git-crypt diff=git-crypt
    # .env
    ^@GITCRYPT^@<84>±<9b>ÅÛ4^M$<9a><9f><8d>Y<87><89>"-^Cb¦@T<90>¬
    ÉL%s^^_^Yð^AY<84>^[ÿ³ú}È<-
    ÞG/{OXTé¹¾<87>Ôï3c<93>_IpÀjñA^_µÅ^T<88>îm]ëk^Txbq¢^E^DÐËSªJ8³{öRè_|":6~
    ¥ý<90>^Nóp¢ô^R2X^US ^VÓÀ¾£ú¤
    $ brew install git-crypt
    $ cd ~/project
    $ git-crypt init
    $ git-crypt add-gpg-user 715376CA

    View Slide

  20. $dotenv = new Dotenv\Dotenv(__DIR__);
    $dotenv->load();
    $dsn = get_env('DATABASE_CONNECTION_STRING');
    $user = get_env('DATABASE_USER');
    $pass = get_env('DATABASE_PASS');
    $dbh = new PDO($dsn, $user, $pass);
    $ git-crypt unlock

    View Slide




  21. View Slide

  22. View Slide

  23. HASHICORP VAULT





    View Slide

  24. ANSIBLE VAULT



    View Slide

  25. DOCKER SECRETS



    View Slide






  26. View Slide

  27. View Slide




  28. View Slide





  29. View Slide

  30. • HASHICORP'S BLOG
    • FUGUE'S BLOG
    • AWS KEY MANAGEMENT SERVICE
    • PARAGON INITIATIVE'S BLOG
    • TOZNY'S BLOG

    View Slide

  31. KEEP IT SAFE
    @ERICMANN - TOZNY

    View Slide