Comments:
lol so good man hitting get notifications paid off
Currently people are not asking LLMs impressive coding problems.
Can you start testing the SOTA AI models out there with unique coding tests???
I think you are the best person to test LLMs and share with people, so people get to see some real test cases and all.
So, env files ok, storing secrets is not ok.
You are an absolute madlad, total chudd, and certified gigachad. I salute you with respectful respectfulness 🫡
Love this. The title caught my eye as a dev and your intro was very compelling to watch it through. As a sub for ~1 year, this is my favorite video by you, hands down.
Very interesting video. At first, I thought you were gonna talk about how binaries invoked by my application can access environment variables set by my application, and therefore I should not store passwords in environment variables at all. I really like the idea of deleting config files after the application starts, though. It should be fairly easy to do if the application is containerized, right? If it dies, we just spin up another copy that still has its config file.
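The two mechanisms the comment above touches on, demonstrated as an added example (not code from the video or its author): a child process inherits the parent's environment unless it is spawned with a scrubbed copy, and a config file can be read into memory and unlinked immediately afterwards. The variable names `DB_PASSWORD` and `API_TOKEN`, the sample values and the sample `.env` content are constructed for the example.

```python
import os
import subprocess
import sys
import tempfile

# Hypothetical secret names used for the demonstration.
SECRET_KEYS = frozenset({"DB_PASSWORD", "API_TOKEN"})


def scrubbed_env(env, secret_keys=SECRET_KEYS):
    """Return a copy of env with the secret variables removed, for passing to child processes."""
    return {k: v for k, v in env.items() if k not in secret_keys}


def child_reads(var, env):
    """Spawn a child interpreter with the given environment and return what it sees for var ('' if unset)."""
    proc = subprocess.run(
        [sys.executable, "-c", f"import os; print(os.environ.get({var!r}, ''), end='')"],
        env=env, capture_output=True, text=True, check=True,
    )
    return proc.stdout


def load_and_unlink(path):
    """Parse a KEY=VALUE file into a dict, then delete the file so nothing spawned later can read it."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    os.unlink(path)
    secrets = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        secrets[key.strip()] = value.strip().strip('"')
    return secrets


def demo():
    # Constructed sample: the parent process carries DB_PASSWORD in its environment.
    parent_env = dict(os.environ, DB_PASSWORD="example-not-a-real-password")
    inherited = child_reads("DB_PASSWORD", parent_env)             # child sees it
    scrubbed = child_reads("DB_PASSWORD", scrubbed_env(parent_env))  # child does not

    # Constructed sample config file; it is removed as soon as it has been read.
    with tempfile.NamedTemporaryFile("w", suffix=".env", delete=False, encoding="utf-8") as fh:
        fh.write('# constructed example\nDB_PASSWORD=example-not-a-real-password\nAPI_TOKEN="tok_example"\n')
        cfg_path = fh.name
    secrets = load_and_unlink(cfg_path)

    return {
        "child_inherits": inherited != "",
        "child_after_scrub": scrubbed != "",
        "keys_loaded": sorted(secrets),
        "file_still_exists": os.path.exists(cfg_path),
    }


if __name__ == "__main__":
    print(demo())
```

Scrubbing only covers children you spawn with that environment; the parent's own environment is still readable by anything running as the same user (or root) via `/proc/<pid>/environ`. Unlinking the file helps against a later shell or path-traversal read on a running instance, but if the file was baked into a container image it is back in every new container and still sits in the image layer.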
Good audio in this episode.
I have a site up that nobody uses yet or really knows about. If I look through the logs, it's constantly getting smashed by GET /.env requests and the like.
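A small detector for the kind of traffic the comment above describes, as an added example that is not part of the original thread: it parses Common Log Format access-log lines, flags requests for secret-bearing paths (`/.env`, `/.git/`, `/.aws/`, `wp-config.php`, backup suffixes), groups scanners by source address, and separately reports any such request that returned 2xx, since that means the file was actually served. The log lines and IP addresses are constructed sample data.

```python
import re
from collections import defaultdict

# Common Log Format as written by nginx/apache; the trailing referer/user-agent fields are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Paths that should never be reachable on a web root; a hit on any of them is a probe.
SECRET_PATH_PATTERNS = [
    re.compile(r"(^|/)\.env(\.|$)"),   # /.env, /api/.env, /.env.local
    re.compile(r"(^|/)\.git(/|$)"),    # /.git/config, /.git/HEAD
    re.compile(r"(^|/)\.aws(/|$)"),    # /.aws/credentials
    re.compile(r"(^|/)wp-config\.php"),
    re.compile(r"\.(bak|old|orig|swp)$"),
]


def parse_line(line):
    """Return a dict of the fields we need, or None if the line is not CLF."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "method": m["method"], "path": m["path"], "status": int(m["status"])}


def is_secret_probe(path):
    """True if the request path (query string stripped) targets a secret-bearing file."""
    bare = path.split("?", 1)[0]
    return any(p.search(bare) for p in SECRET_PATH_PATTERNS)


def scan(lines, threshold=2):
    """Group probes per source IP; report scanners (>= threshold probes) and any probe that got a 2xx."""
    probes = defaultdict(list)
    exposed = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_secret_probe(rec["path"]):
            continue
        probes[rec["ip"]].append(rec["path"])
        if 200 <= rec["status"] < 300:
            exposed.append((rec["ip"], rec["path"], rec["status"]))
    scanners = sorted(ip for ip, paths in probes.items() if len(paths) >= threshold)
    return {"scanners": scanners, "exposed": exposed, "probes": dict(probes)}


# Constructed sample log: one scanner walking secret paths (404s), one normal visitor,
# and one request for /.env that was answered with 200, i.e. the file was served.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:12:00:01 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:12:00:02 +0000] "GET /api/.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:12:00:03 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2025:12:01:10 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2025:12:01:11 +0000] "GET /static/app.js?v=3 HTTP/1.1" 200 22000 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2025:12:02:00 +0000] "GET /.env HTTP/1.1" 200 412 "-" "python-requests/2.31"
"""

if __name__ == "__main__":
    result = scan(SAMPLE_LOG.splitlines())
    print("scanners:", result["scanners"])
    print("served secret files:", result["exposed"])
```

The scanner list is noise you will see on any public host; the `exposed` list is the one that should page someone, because a 2xx on `/.env` means the credentials in it must be rotated, not just the file removed.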
qrd?
Great video! As a person who never worked on cloud, those different strategies at different levels to be as safe as possible are really clever.
Those monitoring approaches you mentioned are a good topic for another video btw
Is PHP 8.3 still vulnerable when looking at security concerns?
I always felt .env was insecure; now I know why.
Awesome video as always. Two points that might improve security or make life slightly easier in some cases:
1. Some cloud providers have a role-based permissions model and allow you to assign a role to a VM/function/container. AWS for sure does; not familiar enough with the rest. This eliminates the need to take care of cloud credentials yourself and might even rotate these automatically.
2. Containers are a thing of their own to secure, but generally speaking, if there is the absolute minimum required to run an application, and when using the right tools to retrieve secrets (might be the CSI secrets driver for EKS, for example), it might be a bit easier than setting up the admin server(s).
Just go serverless so there's no server to hack. It's worked out perfectly for millions of startups you'll never hear of in your life.
While I admire your paranoid solution, just hearing it gave me a headache. I don't want to maintain that! Ok, I can be persuaded to, but the project would have to be very profitable!
Good content
I'm really bad at taking hints, but what I deduce from this episode is: develop our web application using SNOBOL.
Honestly one of the best videos on security I have ever watched. You are truly an expert.
Yes please to the monitoring content! What are you using, something like Grafana?
This is by far my most favorite video on this channel so far. Deep understanding of a topic summarized in an easily digestible way with a ton of actionable advice. Thank you so much!!
Bud, security by obscurity isn't a feature, that's a bug, dawg.
Thanks for sharing. 👍🌞
Also a good thing to know is attack surface (and trying to minimize it) and MITRE ATT&CK: just go there and look for companies in a similar sector and see how they were hacked at every step.
Audio quality great for this one.
Alright kids, cloud systems are insecure by nature. You may suggest a method. Most methods are hackable regardless of encryption keys. I'm into software and hardware dev. Most vendors retire hardware instead of improving its security, selling you a new box with bugs not yet discovered 😂 and we can go on and on. You can reduce the risk but never eliminate it. Obscurity is what military personnel get hired for. But it all goes to waste if the hacker worked for the business 😂
amazing content
💐
This was a great lecture. Thanks again for the time spent.
Thank you for not dismissing obscurity entirely. I view security measures as multipliers on the chance of being hacked. If a hacker has to do their own work to hack your system rather than using an existing tool, that greatly reduces the chance, even if not as much as other security measures.
This is extremely valuable info; I committed the info from this video to my brain's long-term memory :D I vow to prioritize security of the software I work on even more than before. This is one of the things that will become more valuable in this era of clueless vibe coders. The future looks bright for us who take the time to watch and understand this type of content.
I would be very interested in a monitoring video. Especially what you think about standards like OpenTelemetry and what you think a sane starting point for monitoring looks like.
I love your intros
Us DevOps engineers earn more, so let that sink in, SWEs! 😜
Security by obscurity works great for stuff like a group Minecraft server. The amount of login and hacking attempts I got dropped by almost 3 orders of magnitude when I switched ports from the default to something very far from the default. Doesn't matter for players as they all need to go to the Discord to copy the address anyway. Also IP filtering is very powerful, but you can still get DDoSed, so make sure you have some sort of DDoS filtering in front of your application. Learned that lesson the hard way multiple times despite my hatred of Cloudflare. Most cloud providers will have IP filtering available in their firewall, so use it!
Also nothing beats the convenience of .env files for small projects. Those get baked into containers at build time or at least that's what I do at the moment. Shell access is still an issue though.
Was cool to see your secrets server was very similar to something I did in the late 2000s! Became a headache to manage once the server count started hitting triple digits.
More of this content pls ❤
I was one of the developers who offloaded that previously, but not out of a lack of respect. Quite the opposite: since I had team members who used to work in the intelligence community, I thought of them as being way more qualified to solve these things.
Where was this 9 months ago 😆