What are secrets in software development?

Hey everyone this is Mackenzie from GitGuardian and today I want to talk a little bit about secrets but specifically I want to talk about secrets inside programming and software development.

These are a little bit different to the secrets that you may be used to on the playground but actually pretty much share the same principles: don't share them with anyone.

Secrets refer to digital authentication credentials when we're talking about them in software language.

What is a digital authentication credentials?

These are typically things like API keys, credential pairs, security certificate encryption keys. Really anything that authenticates us with a different system or service or allows us to ingest or read data.

There is a fundamental difference between these and just general credentials or passwords and that is that these are made to be used programmatically. That is that humans aren't meant to have to memorize an API key which can be very long and confusing. But they're designed to be used from other tools or systems really. It's essentially meant to be used from a machine talking on authenticating themselves to another machine.

These secrets are highly sensitive and we need to make sure that we protect them and handle them with care when we're using them as a developer. They provide access to all of our inner working systems and our most sensitive information. So these are critical that they don't, for example, end up inside your git repositories and especially don't end up inside your public git repositories, because adversaries know that these keys are valuable and are always on the lookout.

What do these secrets actually look like?

Typically they are high entropy strings which means that they are strings or text that are very random in value. They have a high level of entropy or randomness.

This is for a lot of reasons of course. The security reason that no one can guess it and also that you can't brute force your way into using a system by going through lots of different variation.

This also has a secondary benefit, like all unique identifiers have or all high entropy strings have and that is that you can generate two and the likelihood of them being identical is almost zero. So you don't need to check a database to see if you've issued that key before. For example if we take the asc2 character set which is a 7-bit character set containing a total of 128 characters and we use this in a 10 character password or API key, the total possible combinations are 226 trillion, 846 billion, 154 million, 180 800 possible different combinations.

These strings can come in lots of different straights and sizes: security certificates like RSA certificates can be quite long whereas an API key can be quite short. Some API keys may be pre or post fix which means they share the same characters at the start of the string or at the end of the string but most secrets aren't and are just a highly randomized value that contains different types of character sets.

This isn't always the case because sometimes passwords and usernames or credential pairs are used and considered secrets as well, for example, the password to your database is considered a secret and will often be both a username and a password. Hopefully these both aren't admin admin and instead you're using high entry strings for that password in particular. But sometimes these can be a phrase and we still consider these secrets in programming language although it's always best practice to use high entropy strings even when you're using a password. Particularly if you don't need to memorize it or put it on a post-it note.

How do we use these secrets?

We use these secrets in a number of different ways during programming namely to connect to different services. We need to connect to payment systems if we're processing credit card to our databases. We need to connect to different services or SaaS platforms that we're using. For all of these we're using secrets but there's an important step. Here now it will work if you hard code a secret into your source code but typically this is not a good idea.

We want to store our secrets as environment variables.

That means we want to store our secrets in local memory. So basically we want our application to have access to these secrets in its memory but we don't want them to be inadvertently exposed to the public in any way.

That's why typically we would use environment variables but there are other ways to correctly handle secrets as well. The important thing is that we don't want them in our source code.

We don't want them to be visible publicly through our application and we don't want to have to store them anywhere outside of a dedicated environment or a secrets management solution.

So that's your quick crash course into what are secrets and how we use them. I hope you found this helpful.

Make sure you give a thumbs up for the video. If you have any questions you can always reach out in the comment section or on twitter my handle is @advocatemac

Thanks for watching.

‍