Miguel Grinberg - Oops! I Committed My Password To GitHub!

What do AWS, GitHub, Travis CI, DockerHub, Google, Stripe, New Relic, and the rest of the myriad of services that make our developer life easier have in common?
They all give you secret keys to authenticate with. Did you ever commit one of these to source control by mistake? That happened to me more times than I'm willing to admit!

In this talk I'm going to go over the best practices to follow when writing Python applications that prevent this type of accident.

https://us.pycon.org/2018/schedule/presentation/98/

PyCon 2018

May 11, 2018
Transcript

  1. Oops! I Committed My Password to GitHub! Miguel Grinberg

  2. About Me
     • Flask Web Development
     • The Flask Mega-Tutorial
     • The Flask Webcast
     • Software Dev @ Rackspace
     • APIs, Microservices, Security
     • blog.miguelgrinberg.com
     • github.com/miguelgrinberg
     • @miguelgrinberg

  3. Did you ever commit a password to source control?
     “Yeah, but it was by accident”
     “Yeah, but it’s fine because...”

  4. How (not) to fix a password leak accident
     • Make a new commit with the password removed
     • Rebase the commit

  5. How to fix a compromised password for real
     REVOKE IT!

  6. Preventing Password Leaks in Code

         password = 'HeyDontLookAtMyPassword!'
         secret_key = 'fhgj5khl7D56Hj89'
         database_url = 'mysql://user:password@server/db'

         password = 'HeyDontLookAtMyPassword!'
         password = os.environ['PASSWORD']

         secret_key = 'fhgj5khl7D5GHj89'
         secret_key = os.environ.get('SECRET_KEY')

         database_url = 'mysql://user:password@server/db'
         database_url = os.environ.get('DATABASE_URL', 'sqlite:///')

  7. Adding secrets to the environment
     • .profile, .bashrc or other user config files
     • .env file for your project (add it to .gitignore)
     • Do not type passwords in your shell!
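Slides 6 and 7 together describe the pattern: secrets come from the process environment or a git-ignored .env file, never from a literal in the code. The following is an added example, not code from the talk; it assumes a small hand-written .env parser (standing in for a library such as python-dotenv) and constructed sample values, and it refuses to start when a required secret is absent rather than falling back to a default.

```python
import re

# Hypothetical minimal .env parser: KEY=value per line, optional "export "
# prefix, surrounding quotes stripped, blank lines and "#" comments ignored.
_LINE = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_dotenv(text):
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue  # ignore malformed lines instead of guessing
        key, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        values[key] = value
    return values


def load_config(environ, dotenv_text="", required=("PASSWORD", "SECRET_KEY")):
    """Real environment wins over the .env file; secrets get no default value."""
    merged = parse_dotenv(dotenv_text)
    merged.update(environ)
    missing = [name for name in required if not merged.get(name)]
    if missing:
        raise RuntimeError("missing secrets: " + ", ".join(missing))
    return {
        "password": merged["PASSWORD"],
        "secret_key": merged["SECRET_KEY"],
        # Non-secret setting: a safe default is fine, as on slide 6.
        "database_url": merged.get("DATABASE_URL", "sqlite:///"),
    }


def dotenv_is_ignored(gitignore_text):
    """True when .env is listed in .gitignore, so it cannot be committed by accident."""
    patterns = [l.strip() for l in gitignore_text.splitlines()
                if l.strip() and not l.lstrip().startswith("#")]
    return any(p in (".env", "/.env", "*.env", ".env*") for p in patterns)


# Constructed sample inputs; the values are placeholders, not real secrets.
SAMPLE_DOTENV = 'export SECRET_KEY="example-key-not-real"\nPASSWORD=example-pw\n# DATABASE_URL left unset\n'
SAMPLE_GITIGNORE = "__pycache__/\n.env\n"
```

Passing `os.environ` as the first argument to `load_config` makes the shell environment override the .env file, which is the behaviour the slides call for.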
  8. Demonstration

  9. If the environment is not enough
     • Vault (Hashicorp)
     • Parameter Store (AWS)
     • Secret object (Kubernetes)
     • Ansible Vault

  10. DO’s and DON’Ts
     • DO NOT write passwords or tokens in your code
     • DO import secrets from the environment or a secrets store
     • DO revoke any secrets that might have been compromised
     • DO NOT use services that don’t offer easy revocation
     • DO NOT use the same password for more than one service
     • DO NOT use the same credentials for all users

  11. Thank You! @miguelgrinberg