One does not commit or compile credentials
Context:
This meme was brought to you by the PyPI Director of Infrastructure who accidentally hardcoded credentials - which could have resulted in compromissing the entire core Python ecosystem.
One does not commit or compile credentials
Context:
This meme was brought to you by the PyPI Director of Infrastructure who accidentally hardcoded credentials - which could have resulted in compromissing the entire core Python ecosystem.
If I had a dollar for every API key inside a config.json…
Here’s the thing, config.json should have been on the project’s .gitignore.
Not exactly because of credentials. But, how do you change it to test with different settings?
For a lot of my projects, there is a config-<env>.json that is selected at startup based the environment.
Nothing secure in those, however.
When it’s really messy, we:
Can I have a dollar for every public S3 bucket?
Might just make enough to pay your AWS bill this month.
I actually do have a dollar for every API key I or my team have committed inside a config file.
And…I’m doing pretty well.
Also, I’ve built some close friendships with our Cybersecurity team.