Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Keep it Secret, Keep it Safe

Avatar for Eric Mann Eric Mann
June 02, 2017
Technology
0
89

Keep it Secret, Keep it Safe

Managing passwords in userland is tricky enough, but clever tools like 1Password and LastPass have made it easier than ever to protect our social media accounts. Two-factor authentication tools have made us safer still by preventing even weak password from being easily bypassed. Unfortunately, none of this helps us with passwords and credentials in our code.

First, we’ll define the threat models that affect secret data within our PHP apps – and how this sensitive information could be exploited. Then, we’ll survey the landscape of tools available to manage secrets safely so our data stays secure. Finally, we’ll work through the code required to tie everything together and keep our access keys both secret and safe from nefarious third parties.
Avatar for Eric Mann

Eric Mann

June 02, 2017
Tweet

More Decks by Eric Mann

See All by Eric Mann
Evolution of PHP Security
Avatar for Eric Mann ericmann
0
58
PHP, Meet AI
Avatar for Eric Mann ericmann
0
57
Asynchronous Awesome
Avatar for Eric Mann ericmann
0
150
WordPress, Meet AI
Avatar for Eric Mann ericmann
0
39
Cooking with Credentials
Avatar for Eric Mann ericmann
0
51
OWASP Top Ten in Review
Avatar for Eric Mann ericmann
0
40
Monkeys in the Machine
Avatar for Eric Mann ericmann
0
190
Asynchronous Awesome
Avatar for Eric Mann ericmann
0
310
Evolution of PHP Security
Avatar for Eric Mann ericmann
0
360

Other Decks in Technology

See All in Technology
250510 StepFunctionのテスト自動化始めました vol.1
Avatar for Takumi Abe east_takumi
1
180
大規模サーバーレスプロジェクトのリアルな零れ話
Avatar for mai miya maimyyym
3
180
Serverlessだからこそコードと設計にはこだわろう
Avatar for Ken'ichirou Kimura kenichirokimura
2
670
AOAI で AI アプリを開発する時にまず考えたいこと
Avatar for Yuji Masaoka | まっぴぃ mappie_kochi
1
530
Асинхронная коммуникация в Go: от понятного к душному. Дима Некрасов, Otello, 2ГИС
Avatar for Lamoda Tech lamodatech
0
2k
Azure Maps Visual in PowerBIで分析しよう
Avatar for なかしょ nakasho
0
210
コスト最適重視でAurora PostgreSQLのログ分析基盤を作ってみた #jawsug_tokyo
Avatar for のんピ non97
2
890
OPENLOGI Company Profile for engineer
Avatar for OPENLOGI hr01
1
26k
クラウドネイティブ環境の脅威モデリング
Avatar for Kyohei Mizumoto kyohmizu
1
390
Notion x ポストモーテムで広げる組織の学び / Notion x Postmortem
Avatar for Isao Shimizu isaoshimizu
1
150
地味にいろいろあった! 2025春のAmazon Bedrockアップデートおさらい
Avatar for みのるん minorun365
PRO
2
570
Global Azure2025(GitHub Copilot ハンズオン)
Avatar for tomokusaba tomokusaba
2
610

Featured

See All Featured
Side Projects
Avatar for Sacha Greif sachag
453
42k
Building Better People: How to give real-time feedback that sticks.
Avatar for Will Jessup wjessup
368
19k
How to train your dragon (web standard)
Avatar for Monica Dinculescu notwaldorf
91
6k
Large-scale JavaScript Application Architecture
Avatar for Addy Osmani addyosmani
512
110k
Java REST API Framework Comparison - PWX 2021
Avatar for Matt Raible mraible
31
8.6k
Rebuilding a faster, lazier Slack
Avatar for samanthasiow samanthasiow
81
9k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
Avatar for mongodb mongodb
45
9.5k
Speed Design
Avatar for Sergey Chernyshev sergeychernyshev
29
930
Code Review Best Practice
Avatar for Trisha Gee trishagee
67
18k
Understanding Cognitive Biases in Performance Measurement
Avatar for Philip Tellis bluesmoon
29
1.7k
Mobile First: as difficult as doing things right
Avatar for Swwweet swwweet
223
9.6k
Build your cross-platform service in a week with App Engine
Avatar for Jose L jlugia
230
18k

Transcript

  1. KEEP IT SAFE @ERICMANN

  2. • • • •

  3. • • •

  4. • EXPOSED THE DOCKER REGISTRY FOR VINE TO THE PUBLIC

    • •

  5. • • •

  6. None
  7. None

  8. • • • • •

  9. None

  10. • • • • •

  11. • •

  12. $ pip install credstash $ credstash setup $ credstash put

    database_connection_string mysql:dbname=testdb;host=127.0.0.1 $ credstash put database_user user $ credstash put database_pass password

  13. composer require gmo/credstash

  14. <?php require('vendor/autoload.php'); $sdk = new Aws\Sdk($config); $credstash = CredStash\CredStash::createFromSdk($sdk); $dsn

    = $credstash->get('database_connection_string'); $user = $credstash->get('database_user'); $pass = $credstash->get('database_pass'); $dbh = new PDO($dsn, $user, $pass);

  15. • • •

  16. None

  17. • • • • •

  18. • • •

  19. # .env DATABASE_CONNECTION_STRING="mysql:dbname=testdb;host=127.0.0.1" DATABASE_USER="user" DATABASE_PASS="password" # .gitattributes .env filter=git-crypt diff=git-crypt

    # .env ^@GITCRYPT^@<84>±<9b>ÅÛ4^M$<9a><9f><8d>Y<87><89>"-^Cb¦@T<90>¬ ÉL%s^^_^Yð^AY<84>^[ÿ³ú}È<- ÞG/{OXTé¹¾<87>Ôï3c<93>_IpÀjñA^_µÅ^T<88>îm]ëk^Txbq¢^E^DÐËSªJ8³{öRè_|":6~ ¥ý<90>^Nóp¢ô^R2X^US ^VÓÀ¾£ú¤ $ brew install git-crypt $ cd ~/project $ git-crypt init $ git-crypt add-gpg-user 715376CA

  20. <?php require('vendor/autoload.php'); $dotenv = new Dotenv\Dotenv(__DIR__); $dotenv->load(); $dsn = get_env('DATABASE_CONNECTION_STRING');

    $user = get_env('DATABASE_USER'); $pass = get_env('DATABASE_PASS'); $dbh = new PDO($dsn, $user, $pass); $ git-crypt unlock

  21. • • •

  22. None

  23. HASHICORP VAULT • • • • •

  24. ANSIBLE VAULT • • •

  25. DOCKER SECRETS • • •

  26. • • • • •

  27. None

  28. • • •

  29. • • • •

  30. • HASHICORP'S BLOG • FUGUE'S BLOG • AWS KEY MANAGEMENT

    SERVICE • PARAGON INITIATIVE'S BLOG • TOZNY'S BLOG

  31. KEEP IT SAFE @ERICMANN - TOZNY