Chaos Tamer • Software Engineer • Project Rescue Expert
Be nice, help the person who hacks your servers to get your data (Seatec Astronomy)
Topics: Security, Secrets Management
Where are your credentials and secrets stored? In .env files or in environment variables, or, even worse, in config files? Are your primary AWS keys shared amongst developers? Do you still have SSH keys from former employees on your servers?
In May 2018 something happened to the internet: GDPR came online, and suddenly users in the EU had a lot more rights to their digital privacy, which is awesome. But on the flip side, the implementation of the GDPR and the procedures regarding it are very vague, and were meant to be written as we go along, with whatever comes up as best practices. Books and talks have been written and given about data encryption, problems encountered with event sourcing systems, questionnaires about the purposes of collecting user data… So many words, and hours of many lives spent… Yet something has been overlooked, something so basic we do not even notice it.

If you are working on an enterprise-class project, or on other large projects, you might have an infra team that would deal with this and tell you what you need to do to be secure (at least the good ones will). But… if you are working on smaller projects, and you have mom-and-pop shops to support, you deserve the same level of security bigger projects have… I am talking about secrets and credentials management for your application, the most overlooked aspect of any application.

This is a talk in three acts. In the first act I am going to give an overview of the problems we all encounter, or fear we will encounter, about current common patterns, and why they might be bad. In the second act I will talk about what we can do to improve this, about crypto and security. In the last act I will give an overview of the tools available, and a demo of HashiCorp Vault and how it can help your application. But don’t be fooled: you will hear about the good stuff, but you will hear about the downsides as well.
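The questions the abstract opens with (secrets sitting in .env or config files, AWS keys shared around, SSH keys of former employees still on servers) can be turned into a routine check that runs before a deploy or in CI. The script below is an added example for this page, not code from the talk, from Vranac or from HashiCorp Vault: it scans assignment-style config text for embedded credentials and lists `authorized_keys` entries whose owner comment is not on a current-staff allow list. The sample .env and `authorized_keys` contents are constructed; the `vault:` / `file:` value scheme and the comment-based owner matching are assumptions made for the example; the AWS access key ID shape (AKIA or ASIA prefix plus 16 characters) is the documented format.

```python
import re
from typing import Dict, List, Tuple

# Assignment-style lines found in .env files and many config formats: KEY=value or key: value
ASSIGNMENT = re.compile(r'^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_.-]*)\s*[=:]\s*(.+?)\s*$')
# Key names that usually hold a credential
SENSITIVE_KEY = re.compile(r'(password|passwd|secret|token|api[_-]?key|private[_-]?key|access[_-]?key)', re.I)
# AWS access key IDs have a fixed, documented shape: AKIA/ASIA prefix plus 16 upper-case alphanumerics
AWS_ACCESS_KEY_ID = re.compile(r'\b(?:AKIA|ASIA)[0-9A-Z]{16}\b')
# Values that only *reference* a secret (env var, Vault path, file) instead of embedding it.
# The vault:/file: scheme is a convention assumed for this example, not a standard.
INDIRECT_VALUE = re.compile(r'^(\$\{?[A-Za-z_][A-Za-z0-9_]*\}?|vault:.*|file:.*)?$')
KEY_TYPE_PREFIXES = ('ssh-', 'ecdsa-', 'sk-')

# Constructed sample inputs; none of these values belong to a real system.
SAMPLE_ENV = """\
# constructed sample .env
DB_HOST=db.internal
DB_PASSWORD=hunter2
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=not-a-real-secret-example
API_TOKEN=${API_TOKEN}
SESSION_SECRET=vault:secret/data/app#session
"""
SAMPLE_AUTHORIZED_KEYS = """\
# constructed sample authorized_keys; key material below is fake
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY1 alice@laptop
no-pty,command="/usr/bin/backup" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABEXAMPLEKEY2 backup@cron
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY3 bob@old-macbook
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY4
"""
CURRENT_STAFF = {'alice@laptop', 'backup@cron'}


def find_embedded_secrets(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, finding type, key name) for lines that embed a credential.
    Only key names are reported, never values, so the report itself does not leak."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue
        m = ASSIGNMENT.match(line)
        if m is None:
            # Not KEY=value (e.g. JSON); still catch a bare access key ID anywhere on the line
            if AWS_ACCESS_KEY_ID.search(line):
                findings.append((lineno, 'aws-access-key-id', '<unparsed line>'))
            continue
        key, value = m.group(1), m.group(2).strip('"\'')
        if AWS_ACCESS_KEY_ID.search(value):
            findings.append((lineno, 'aws-access-key-id', key))
        elif SENSITIVE_KEY.search(key) and not INDIRECT_VALUE.match(value):
            findings.append((lineno, 'embedded-credential', key))
    return findings


def stale_authorized_keys(authorized_keys: str, current_staff: set) -> List[Tuple[int, str]]:
    """Return (line number, comment) for authorized_keys entries whose comment is not an
    allow-listed current owner. Entry format: [options] key-type base64-key [comment].
    Simplification for this example: the options field is assumed to contain no spaces."""
    stale = []
    for lineno, line in enumerate(authorized_keys.splitlines(), 1):
        parts = line.split()
        if not parts or parts[0].startswith('#'):
            continue
        idx = next((i for i, p in enumerate(parts) if p.startswith(KEY_TYPE_PREFIXES)), None)
        if idx is None:
            stale.append((lineno, '<unparseable entry>'))
            continue
        comment = ' '.join(parts[idx + 2:])
        if comment not in current_staff:
            stale.append((lineno, comment or '<no comment>'))
    return stale


def audit(env_text: str, authorized_keys: str, current_staff: set) -> Dict[str, list]:
    """Run both checks and return their findings keyed by category."""
    return {
        'embedded_secrets': find_embedded_secrets(env_text),
        'stale_ssh_keys': stale_authorized_keys(authorized_keys, current_staff),
    }


if __name__ == '__main__':
    for category, items in audit(SAMPLE_ENV, SAMPLE_AUTHORIZED_KEYS, CURRENT_STAFF).items():
        print(category)
        for item in items:
            print('  line %d: %s' % (item[0], ', '.join(item[1:])))
```

On the constructed sample this flags `DB_PASSWORD`, `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` as embedded, leaves the `${API_TOKEN}` and `vault:` references alone, and reports `bob@old-macbook` and the comment-less key as stale. Matching owners by comment is a heuristic; a stricter check compares key fingerprints against an inventory, since comments are free text and can be edited.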
About the Speaker
Vranac has been in this industry for a long time. He had the good fortune to work with a lot of talented people, and had the chance to see some brilliant code, and some of the worst ever written. He gets paid for writing code that performs exceptionally. He runs Code4Hire, a small outfit dedicated to solving tough problems.