<h1>Are leaked credentials really developers’ fault?</h1>

<p>Published 2024-04-21 at <a href="https://halimer.com/?p=21">https://halimer.com/?p=21</a>. Tags: authentication, cloudsecurity, cybersecurity, iam, security.</p>

<p>The piece <a href="https://arstechnica.com/security/2023/11/developers-cant-seem-to-stop-exposing-credentials-in-publicly-accessible-code/">Developers can’t seem to stop exposing credentials in publicly accessible code</a> discusses how credentials continue to be leaked in source code and alludes to developers as the cause. I don’t think that is the author’s intent, but for readers who are not developers I hope to clarify the picture so you are not misled. Developers are people, and people are fallible, but the problem is more complicated than that, in ways that non-developers likely don’t see.</p>

<p>Developers start writing code in one of two high-level ways. The first is the blank canvas, where a developer creates an empty code repository (a code storage folder) with a blank file. The other is working on an existing project, simply adding to it or fixing it; in that case the developer clones (copies) an existing repository. The common tool developers use for code management and storage is git. Git is a source code management tool, and one of its key features is tracking changes in source code files. Think of it like track changes in a Word document, plus something like Dropbox, which also keeps versions of the same file.</p>

<p>Whether you start with a blank canvas or clone a repository, you will have an ignore file. This file, <code>.gitignore</code>, tells git which files to ignore. To help developers get started, many git services such as GitHub and Bitbucket provide ignore-file templates based on the programming language you use. However, those tools only let you select one programming language for your ignore file, so if your project uses more than one language you will have to extend the ignore file accordingly. This is useful for ignoring superfluous files, but because most programming languages have no standard for credential files, it still falls on the developer to decide where to store credentials and how to ignore them.</p>

<p>So now we see the main problem developers face when developing: they have to be careful not to accidentally include or save files with credentials, and there are no standards for this in most languages. However, the question we should be asking is why developers have no standards, or why they still have to store credentials at all. In my view the reason goes back to the fact that we in the security space have not innovated in IAM, specifically authentication. We started with username and password and honestly have not moved much further past that. Because of that, we still leave the burden of managing usernames and passwords to the user, and developers are users too.</p>

<p>I hope we in the security space can truly innovate on authentication the same way we have done with firewalls (next-generation firewalls) and antivirus (next-generation antivirus). Passkey technology is a step in the right direction, though I don’t know whether it will be enough, or whether it will help developers manage server-to-server authentication, which is the problem I have been describing.</p>