Embedded Credentials in Source Code

Oct 26, 2018 | by: Sherif Koussa

A Little Backstory

Your company secrets are safe, right? Well, you can’t assume that just because you enforce company-wide 2-factor authentication on GitHub you aren’t vulnerable.

A while back, when I was working at a young Silicon Valley startup, we found out the hard way why you shouldn’t embed credentials in source code.

We had been on a hiring blitz, which is not uncommon in a start-up, and had been expanding the QA team. Then, one fine day we discovered our mailing service had blocked our account and raised a security ticket with OPS.

It turns out that one of the new hires had “accidentally” forked the main server source repo and made it publicly available. Within minutes, bots started scouring the code on GitHub for anything that looked like a key or credential, and with our code they hit the jackpot. In one JSON config file could be found all of our Amazon AWS credentials, mail service credentials, Azure and Crashlytics keys, and more.

The OPS team performed their duties with heroic effort in order to help stop the leak quickly, but after the dust settled, hackers had been using the mail service for spam, our domain was blacklisted on several lists and our mail reputation took a tremendous dive.


This could have been avoided in several ways. First off, developers *should* know better than to put credentials in source code, but that is a culture and training issue which can’t always be solved immediately. The second barrier should have been a static analysis tool, incorporated into the build, that detects suspicious hard-coded strings such as keys and credentials before they are committed or shipped.
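As an added illustration of the build-time check described above (example code, not from the original post or from Software Secured): a small Python scanner that walks a JSON config file, flags AWS access key IDs by their well-known prefix pattern, and flags high-entropy values stored under secret-looking key names. The sample config and every value in it are constructed placeholders, not real credentials.

```python
import json
import math
import re
from collections import Counter

# Constructed sample config, shaped like the leaked file described in the post.
# All values are fake placeholders.
SAMPLE_CONFIG = """{
  "aws_access_key_id": "AKIAEXAMPLEEXAMPLE11",
  "aws_secret_access_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
  "mail_service_api_key": "SG.k3Qm9xLp2Wv7Nc4Ty8Hf.bZ5uJr1sDg6aEo0iXn2Vq4Mw8Lt7Pc9Yh",
  "mail_from": "noreply@example.com",
  "log_level": "info",
  "region": "us-east-1"
}"""

# Key names that commonly hold secrets (hypothetical list; extend for your stack).
KEY_NAME_RE = re.compile(r"(secret|password|passwd|token|api[_-]?key|access[_-]?key)", re.I)
# AWS access key IDs: AKIA (long-term) or ASIA (temporary) plus 16 uppercase alphanumerics.
AWS_AKID_RE = re.compile(r"^(AKIA|ASIA)[A-Z0-9]{16}$")


def shannon_entropy(s):
    """Bits of entropy per character; random-looking keys score high, words score low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_config(text, entropy_threshold=3.5, min_len=16):
    """Return (dotted.path, finding_type) pairs for suspicious string values."""
    findings = []

    def walk(obj, path):
        if isinstance(obj, dict):
            for k, v in obj.items():
                walk(v, path + [str(k)])
        elif isinstance(obj, list):
            for i, v in enumerate(obj):
                walk(v, path + [str(i)])
        elif isinstance(obj, str):
            p = ".".join(path)
            if AWS_AKID_RE.match(obj):
                findings.append((p, "aws-access-key-id"))
            elif KEY_NAME_RE.search(p) and len(obj) >= min_len \
                    and shannon_entropy(obj) >= entropy_threshold:
                findings.append((p, "high-entropy-secret"))

    walk(json.loads(text), [])
    return findings


def build_passes(text):
    """CI gate: True only when no embedded credentials were found."""
    return scan_config(text) == []
```

Wire `build_passes` into the build so a config containing a key-shaped value fails the pipeline; the entropy threshold needs tuning per code base, since low-entropy placeholders like `REPLACE_ME` are intentionally ignored.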


The Fix

If you only have a few credentials, a simple solution is to use environment variables on the server. This has the advantage of being configurable per machine (i.e. developer settings can be kept separate from server settings), and reading the values out of a running process usually requires significant privilege escalation. The challenge is to ensure that the scripts used to set up the environment (often a Dockerfile) do not contain the keys either.

A better solution is to load keys at run time from a password vault such as AWS Secrets Manager. Using the GetSecretValue API call, it is possible to retrieve keys from the vault at runtime. It is recommended to use an existing SDK to ensure that access to the vault is fully secure, as it is easy to miss important configuration that might cause the GetSecretValue request to leak sensitive information. This method comes with the additional benefit that it is easy to roll passwords without requiring a redeployment.


About the Author

Sherif Koussa
Sherif Koussa is OWASP Ottawa Chapter Co-Leader, Software Developer, Hacker, and founder and CEO of Software Secured and Reshift. In addition to contributing to OWASP Ottawa for over 14 years, Sherif contributed to WebGoat, and OWASP Cheat Sheets. Sherif also helped the SANS and GIAC organizations launch their GSSP-Java and GSSP-NET exams and contributed to a few of their courses. After switching from the software development field to the security field, Sherif took on the mission of supporting developers shifting security left, and ship more secure code organically.