
Are leaked credentials really developers’ fault?



The piece “Developers can’t seem to stop exposing credentials in publicly accessible code” talks about how credentials continue to be leaked in source code and alludes to developers as the cause.  Now I don’t think that is the intent of the author, but for those who are not developers I hope to clarify so you don’t get misled.  Developers are people and people are fallible, but the problem is more complicated, likely in ways that non-developers don’t see.

Developers start writing code in one of two high-level ways.  The first is the blank canvas, where a developer creates an empty code repository (a code storage folder) with a blank file.  The other is using an existing project, simply to add to it or fix it.  In this case a developer will clone (copy) an existing repository.  The common tool that developers use for their code management and storage is git.  Git is a source code management tool, and one of its key features is tracking changes in source code (files).  Think of this like track changes in a Word document plus something like Dropbox, which keeps versions of the same file too.

Whether you start with a blank canvas or clone a repository you will have an ignore file.  This file, `.gitignore`, tells git which files to ignore.  To help developers get started, many git services like GitHub and Bitbucket provide ignore file templates based on the programming language you use.  However, those tools only allow you to select one programming language for your ignore file, so if you are using more than one language in your project you will have to add to your ignore file accordingly.  While this is useful for ignoring superfluous files, because most programming languages don’t have a standard for credential files it still falls on the developer to determine where to store credentials and how to ignore them.
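As an added example (not from the original post), here is a language-independent section a developer can append to a generated `.gitignore` so that the usual credential files are never staged, whatever mix of languages the project uses. The project-specific file names at the end are assumptions for this example; the rest are common credential locations.

```gitignore
# Added example: credential exclusions appended after the per-language template.

# Environment files that hold API keys and passwords
.env
.env.*
!.env.example

# Private keys and certificate bundles
*.pem
*.key
*.p12
*.pfx
id_rsa
id_ed25519

# Tool and cloud credential files that live next to a project
.aws/credentials
.npmrc
.pypirc

# Project-specific secret files (names assumed for this example)
secrets.json
secrets.yml
config/credentials.yml
```

To confirm a rule actually matches, `git check-ignore -v .env` prints the pattern and the file that produced the match. Two caveats matter in practice: ignore rules do not apply to files git already tracks, so a credential file that was committed before the rule was added must be removed from tracking with `git rm --cached <file>`; and once a credential has been committed, it remains in the repository history, so the credential itself should be rotated rather than relying on the ignore rule.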

So now we see the main problem developers face: when developing, they have to be careful not to accidentally include or save files with credentials, and there are no standards for this in most languages.  However, the question we should be asking is why developers do not have standards, or why they still have to store credentials at all.  In my view the reason for this goes back to the fact that we in the security space have not innovated in the space of IAM, specifically authentication.  We started with username and password and honestly have not really moved much further past that.  Because of that we still leave the burden of managing usernames and passwords to the user, and developers are users too.

I hope we in the security space can truly help to innovate on authentication the same way we have done with firewalls with next-generation firewalls and with antivirus with next-generation antivirus.  Passkey technology is a step in the right direction, though I don’t know if it will be enough or if it will help developers manage server-to-server authentication, which is the problem I have been speaking about.

