Hardcoded secrets represent a significant security risk for any application. The term refers to any secret (API key, database URL, or other form of sensitive information) where the secret’s actual value is written directly into the code. Hardcoded secrets remain common because of their convenience, first and foremost. Since the secret’s value is already in the code, it does not need to be configured by the operating system at application launch. Additionally, since the secret is stored directly in the code, there isn’t a risk of version mismatch if a configuration file hasn’t been updated. The secret is already there.
Issues arise if this code is shared anywhere (accidentally or on purpose) while still containing the value of the secret. Should a hacker or malicious agent find the secret, they may then have access to anything that secret is linked to, whether that’s sensitive customer financial or personal health information, continued access to other parts of the application, or the ability to deploy malware into the system itself.
The most common solution against hardcoding secrets is to use environment variables. An environment variable is a named placeholder that the application reads at runtime: the code references the variable's name, but never contains the secret's value itself. The actual value is stored elsewhere, in a .env or other configuration file, and is made available to the application through the operating system at launch. When the code is stored or shared, it contains only the variable's name rather than the secret's actual value.
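The pattern described above, as an added example rather than code from the original article or from Doppler: the hardcoded form beside the environment-variable form, with a minimal `.env` parser and a loader that fails loudly when a secret is missing. Every credential-looking value below is a constructed placeholder, and the helper names (`parse_dotenv`, `require_secret`, `redact`) are this example's own, not a library API.

```python
"""Added example (not Doppler's code): hardcoded secret vs. environment variable."""
import os
from typing import Dict, Mapping, Optional

# BEFORE: the value lives in the source and travels with every copy of it
# (git history, backups, screenshots). Constructed placeholder, not a real credential.
DATABASE_URL_HARDCODED = "postgres://app:s3cret-placeholder@db.internal:5432/app"

# A constructed .env file for the example; a real one is never committed.
SAMPLE_DOTENV = """\
# database and third-party credentials (constructed values)
DATABASE_URL="postgres://app:placeholder-pw@db.internal:5432/app"
API_KEY=placeholder-api-key
"""


class MissingSecret(RuntimeError):
    """Raised when a required secret is absent so misconfiguration fails at startup."""


def parse_dotenv(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines; blank lines and '#' comments are ignored, optional quotes stripped."""
    values: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")  # split on the first '=' only
        key, value = key.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        values[key] = value
    return values


def environment_with_dotenv(dotenv_text: str, base: Mapping[str, str]) -> Dict[str, str]:
    """Merge a .env file under an existing environment; values already set in `base`
    (normally os.environ) win, so the deployment platform can override the file."""
    merged = parse_dotenv(dotenv_text)
    merged.update(base)
    return merged


def require_secret(name: str, env: Optional[Mapping[str, str]] = None) -> str:
    """AFTER: read the secret by name from the environment; refuse to run without it."""
    source = os.environ if env is None else env
    value = source.get(name, "")
    if not value:
        raise MissingSecret(f"{name} is not set; provide it via the environment, not the code")
    return value


def redact(value: str, keep: int = 4) -> str:
    """Keep only a short suffix for log lines that confirm a secret was loaded."""
    if len(value) <= keep:
        return "*" * len(value)
    return "*" * (len(value) - keep) + value[-keep:]


if __name__ == "__main__":
    env = environment_with_dotenv(SAMPLE_DOTENV, os.environ)
    print("DATABASE_URL =", redact(require_secret("DATABASE_URL", env)))
    print("API_KEY      =", redact(require_secret("API_KEY", env)))
```

The merge order is a design choice: the operating system's environment overrides the file, so a `.env` only fills gaps during local development and production values come from the platform or a secrets manager.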
It’s important to equip your security team with the right tools for success. Firstly, a secure and comprehensive secrets management solution allows developers to follow better development practices efficiently, aiding in the dynamic generation, storage, rotation, and revocation of secrets. Secondly, there are tools that sweep repositories, including their history, for previously hardcoded secrets. Routinely scanning your repositories for hardcoded secrets, and equipping developers with the proper tools to store and transmit environment variables, can dramatically reduce the risk of data breaches.
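A small repository scanner of the kind the paragraph refers to, as an added example that is not Doppler's product or the article's own code. It applies three rule types that real scanners combine: a provider-specific key format (only the AWS access-key-ID shape is listed, using the placeholder value from AWS's own documentation), a secret-looking variable name assigned a string literal, and any long string literal with high Shannon entropy. The sample source it scans is constructed, the entropy threshold is an assumed tuning value, and the `secrets-scan: allow` marker is this example's own convention for documented test fixtures.

```python
"""Added example (not Doppler's code): flag hardcoded secrets in source text."""
import math
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Rule 1: provider-specific formats. A real scanner carries many more patterns.
PROVIDER_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# Rule 2: a secret-looking name assigned a string literal of 8+ characters.
SECRET_ASSIGNMENT = re.compile(
    r"(?i)\b\w*(?:password|passwd|secret|token|api_?key|private_key)\w*"
    r"\s*[:=]\s*[\"']([^\"']{8,})[\"']"
)

# Rule 3: any long string literal whose entropy looks like random key material.
STRING_LITERAL = re.compile(r"[\"']([A-Za-z0-9+/=_\-]{20,})[\"']")
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed tuning value, not a standard

ALLOW_MARKER = "secrets-scan: allow"  # this example's opt-out for documented fixtures

# Constructed sample file; the credential-looking values are placeholders.
SAMPLE_SOURCE = """\
import os

# Reads from the environment: not a finding
DATABASE_URL = os.environ["DATABASE_URL"]
api_key = os.getenv("API_KEY")

# Hardcoded (constructed placeholder values, not real credentials)
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
db_password = "hunter2-placeholder"
SESSION_SECRET = 'k9Vq2mXr8Zt4Wn6Yb1Lc3Pd5Fg7Hj0S'
timeout = "30"
"""


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rules: Tuple[str, ...]
    preview: str  # the offending line with literal values redacted


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of `s` (0 for a single repeated character)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact_literals(line: str) -> str:
    """Mask quoted literal contents so the report itself does not leak the secret."""
    return re.sub(
        r"([\"'])([^\"']{4,})\1",
        lambda m: m.group(1) + "*" * len(m.group(2)) + m.group(1),
        line,
    )


def scan_text(text: str, path: str = "<memory>") -> List[Finding]:
    """Return one Finding per line that trips at least one rule."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if ALLOW_MARKER in line:
            continue
        rules: List[str] = []
        for name, pattern in PROVIDER_PATTERNS.items():
            if pattern.search(line):
                rules.append(name)
        if SECRET_ASSIGNMENT.search(line):
            rules.append("secret-assignment")
        if any(shannon_entropy(lit) >= ENTROPY_THRESHOLD for lit in STRING_LITERAL.findall(line)):
            rules.append("high-entropy-literal")
        if rules:
            findings.append(Finding(path, line_no, tuple(rules), redact_literals(line)))
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_SOURCE, "app/config.py"):
        print(f"{f.path}:{f.line_no} [{', '.join(f.rules)}] {f.preview}")
```

Running the scanner over every commit in a repository, not just the working tree, matters because a secret removed in a later commit is still recoverable from history; a secret that has ever been committed should be rotated rather than merely deleted.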
Trusted by the world’s best DevOps and security teams. Doppler is the secrets manager developers love.