From the course: Threat Modeling: Information Disclosure in Depth
Join today to access over 22,600 courses taught by industry experts or purchase this course individually.
Secrets and secrets management
From the course: Threat Modeling: Information Disclosure in Depth
Secrets and secrets management
- [Instructor] You need to handle secrets carefully. That includes knowing what secrets you have, storing them carefully, and destroying them after rotation when they're no longer needed. Most modern platforms have APIs for storing local secrets, like the keychain on macOS, keystore on Android, or gpapi on Windows. You also need to set permissions carefully. You'll almost never want everything to be world readable, and that applies to S3 buckets, elastic storage, message keys, other cloud technology, just as much as files in /tmp. Hey, why are they in /tmp, it's 2020! Lastly, you need to make sure that secrets don't end up in error messages that might be shown to people on the other side of a trust boundary. The best pattern is to show them a unique ID, which is also included in a canonical log message. Careful error message design also includes the question, do you let people know an account exists? We used to have error…
Download courses and learn on the go
Watch courses on your mobile device without an internet connection. Download courses using your iOS or Android LinkedIn Learning app.