Don't Commit Your Secrets

Transcript

1. Don’t Commit Your Secrets How to keep your application 


   secrets safe ! Nicholas Henry

2. Your secrets are everywhere • Passwords • Credentials • API

   Keys • Database • Amazon S3 • Stripe • Mail Chimp Examples Synonyms
3. None

4. • Repository is shared among multiple parties • Increases your

   risk for a security exploitation Why is this a bad practice?

5. • application is open source • application requires a high

   level of governance e.g. financial, healthcare • application involves transient contractors
 e.g. agency • application located on multiple services
 e.g. CodeClimate When is this a bad practice?

6. When is this a bad practice? ALWAYS!

7. • Environment Variables • Configuration files Your options

8. Environment Variables # setting environment variable
 export STRIPE_API_KEY=07bfb7a5487dc6df" # retrieving

   from Ruby
 ENV[‘STRIPE_API_KEY’] # =>07bfb7a5487dc6df

9. 1 # config/application.yml" 2 " 3 production:" 4 secret_key_base: 33619eed953400c0e58695"

   5 stripe_api_key: 07bfb7a5487dc6df Configuration File

10. • Rails 4.1 application • Deploy to Heroku
 Platform as

    a Service (PaaS) • Configure Stripe with an API key
 Payment Gateway Demo

11. • configuration file / environments variables • config/secrets.yml" • Rails.application.secrets.your_api_key

    Rails helps us keep secrets safe
12. None

13. Review 1 # config/secrets.yml" 2 " 3 production:" 4 secret_key_base:

    <%= ENV[‘SECRET_KEY_BASE’] %>" 5 stripe_api_key: <%= ENV[‘STRIPE_API_KEY’] %> 1 2 3 heroku config:add STRIPE_API_KEY=montreal.rb-prod 1 # config/initializers/stripe.rb" 2 " 3 Stripe.api_key = " 4 Rails.application.secrets.stripe_api_key

14. • Don’t commit your secrets • If you have committed

    your secrets: • setup your application to use environment variables or a configuration file • reset your API keys and other secrets Remember

15. nicholas@firsthand.ca @nicholasjhenry Nicholas Henry http://blog.firsthand.ca