
Update: Secrets Management

Open szh opened this issue 3 years ago • 3 comments

What is missing or needs to be updated?

In the section 5.1 Injection of Secrets (file, in-memory), the first recommended way of providing secrets to applications is environment variables. The cheat sheet does not mention the risk of environment variables being leaked by debug loggers, or any of the other risks to this method of secret management. There are plenty of blog posts about this issue, but more importantly this was recently recognized by the CNCF's TAG-Security (disclosure: which I contribute to) in the Cloud Native Security Whitepaper v2 (emphasis mine):

In any case, secrets should be injected at runtime within the workloads through non-persistent mechanisms that are immune to leaks via logs, audit, or system dumps (i.e. in-memory shared volumes instead of environment variables).

How should this be resolved?

  1. Add a caveat that this method is not recommended.
  2. Move this method after the other two in the list.

szh avatar Aug 31 '22 13:08 szh
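As an added illustration of the leak paths raised in this issue (example code, not part of the issue, the cheat sheet, or the whitepaper), the Python script below contrasts a secret injected as an environment variable with one read on demand from a file on a memory-backed volume: the former appears in a diagnostic handler's environment dump and is inherited by every child process, the latter is not; it also shows the read-once-then-scrub mitigation for cases where environment variables cannot be avoided. The secret name, its value, the child process standing in for any tool that logs its environment, and the temporary directory standing in for a tmpfs mount are all constructed assumptions.

```python
import os
import subprocess
import sys
import tempfile

# Constructed sample secret; not a real credential.
SECRET_NAME = "DB_PASSWORD"
SECRET_VALUE = "constructed-not-a-real-credential"
# Child that prints whatever it inherited; stands in for any tool that logs its environment.
CHILD_CODE = f"import os; print(os.environ.get('{SECRET_NAME}', ''))"

def child_sees_secret(env: dict) -> bool:
    """Spawn a child with the given environment; report whether the secret reached it."""
    out = subprocess.run([sys.executable, "-c", CHILD_CODE], env=env,
                         capture_output=True, text=True, check=True).stdout
    return SECRET_VALUE in out

def debug_dump(env: dict) -> str:
    """A typical diagnostic handler: logs the whole environment on error."""
    return "ENV " + " ".join(f"{k}={v}" for k, v in sorted(env.items()))

def secret_from_volume(mount_dir: str) -> str:
    """Read the secret on demand from a file on a memory-backed volume.
    It never enters the environment, so env dumps and children do not carry it."""
    with open(os.path.join(mount_dir, SECRET_NAME)) as fh:
        return fh.read().strip()

def secret_from_env_then_scrub(env: dict) -> str:
    """Mitigation when env vars are unavoidable: read once and delete immediately,
    so later dumps and child processes no longer see the value."""
    return env.pop(SECRET_NAME)

def compare() -> dict:
    base = {k: v for k, v in os.environ.items() if k != SECRET_NAME}
    via_env = dict(base, **{SECRET_NAME: SECRET_VALUE})
    results = {
        "env_in_debug_log": SECRET_VALUE in debug_dump(via_env),
        "env_inherited_by_child": child_sees_secret(via_env),
    }
    with tempfile.TemporaryDirectory() as mount:  # stands in for a tmpfs mount
        with open(os.path.join(mount, SECRET_NAME), "w") as fh:
            fh.write(SECRET_VALUE)
        results["volume_read_ok"] = secret_from_volume(mount) == SECRET_VALUE
        results["volume_inherited_by_child"] = child_sees_secret(base)
    scrubbed = dict(via_env)
    results["scrub_read_ok"] = secret_from_env_then_scrub(scrubbed) == SECRET_VALUE
    results["scrubbed_in_debug_log"] = SECRET_VALUE in debug_dump(scrubbed)
    results["scrubbed_inherited_by_child"] = child_sees_secret(scrubbed)
    return results
```

Run `compare()` to see all six flags; the two environment-variable flags come back True (leak), the volume and scrubbed flags come back False.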

Would you be ok with me just fully deleting 5.1? Or do you prefer we keep it in with caveats?

jmanico avatar Aug 31 '22 14:08 jmanico

Would you be ok with me just fully deleting 5.1? Or do you prefer we keep it in with caveats?

That's a good question. I think it's valuable information but on the other hand this is a cheat sheet so we have to balance that with brevity. I'm new to this so I'll go with whichever you want. Just let me know and I can make a PR.

szh avatar Aug 31 '22 14:08 szh

For this first one, let's move it and add the warning like you suggest.

Looking forward to your PR! Thank you!

jmanico avatar Aug 31 '22 14:08 jmanico