Sensitive Information in Source Code
Need
Avoid exposure of sensitive data
Context
- Usage of Elixir (1.10 and above) for building scalable and fault-tolerant applications
- Usage of generic packages or server types
Description
Non compliant code
defmodule MySensitiveInfo do
@password 'sensitive_password'
@api_key 'API_KEY'
end
The source code contains sensitive data, including a password and an API key, hardcoded in the code. This is a bad practice as it exposes sensitive information directly in the source code, making it accessible to anyone who can access this code.
Steps
- Delete all hardcoded sensitive information from the source code.
- Change all affected access credentials where these have been exposed.
- Remove sensitive information from git logs if the code has been previously committed.
- Use environment variables or a secure key vault service to manage sensitive data.
Compliant code
defmodule MySensitiveInfo do
@password System.get_env('PASSWORD')
@api_key System.get_env('API_KEY')
end
The revised code now retrieves sensitive data from environment variables, which are set outside of the application and not exposed in the source code. This avoids the direct exposure of sensitive information in the source code.