In his latest blog post, Premier Developer consultant Najib Zarrari discusses one approach to protecting sensitive information in your application by using VSTS and Azure Key Vault.
If you are building a modern application and are following modern design principles, there is a good chance your application is composed of a number of layers and services. Also, your services might be communicating with one or more databases to persist their data. For services to communicate with one another and to be able to talk to databases, they need to leverage information that is considered sensitive. Hackers know too well that this is one area that many teams don’t properly protect and they are always on the lookout to get hold of that information to leverage for attacks. Sensitive information in this case include:
- Database username and password or connection strings
- API keys
- Authentication (i.e. OAuth) tokens
- Third party service username and password
- Any other sensitive information your app might need
A common practice to handle this kind of information is to put it in a configuration file somewhere. Although the file will be replaced when it goes to production, this is still not recommended for at least the following reasons:
- After the config file is checked in to the version control system, the sensitive information would be exposed
- When information changes, a deploy might be required for the new changes to take effect
- Secrets for production environment will need to be stored somewhere where they are properly protected. Sometimes that’s left to the judgement of the secrets maintainer, which might result in secrets being compromised if they are not kept in a secured location
- Maintaining lifecycle of these secrets might not be easy since they might be scattered all over the place
In the remainder of this blog, I will detail an approach that not only helps properly store and maintain the lifecycle of your secrets but also how your application can get access to those secrets without being exposed outside of the application.