ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S6335/secrets/rule.adoc
Fred Tingaud 16f6c0aecf
Inline adoc when include has no additional value (#1940) 
Inline adoc files when they are included exactly once.

Also fix language tags because this inlining gives us better information
on what language the code is written in.
2023-05-25 14:18:12 +02:00

32 lines
2.1 KiB
Plaintext
Raw Blame History

== Why is this an issue?
Google Cloud service accounts are designed to authenticate and authorize requests to Google APIs.
If your application interacts with Google Cloud services then it requires a service account to access all the resources it needs to function properly. Resources that can be accessed depend on the permission granted to the service account. Establishing the identity of a service account relies on a public/private key pair. It's common for private keys to be distributed through a JSON file that your application will then use to consume Google APIs.
A key may authenticate to a high privilege which has unrestricted access to all resources in your Google Cloud project, including billing information.
== Recommended Secure Coding Practices
Only administrators should have access to the service account key used by your application.
As a consequence, service account keys should not be stored along with the application code as they would grant special privileges to anyone who has access to the application source code.
Keys should be stored outside of the code in a file that is never committed to your application code repository.
If possible, a better alternative is to use your cloud provider's service for managing secrets. On Google Cloud this service is called https://cloud.google.com/secret-manager[Secret Manager].
When keys are disclosed in the application code, consider them as compromised and revoke them immediately.
== Resources
* https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[OWASP Top 10 2021 Category A7] - Identification and Authentication Failures
* https://cloud.google.com/iam/docs/creating-managing-service-account-keys[Google Cloud] - Creating and managing service account keys
* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
* https://cwe.mitre.org/data/definitions/798[MITRE, CWE-798] - Use of Hard-coded Credentials
* https://cwe.mitre.org/data/definitions/259[MITRE, CWE-259] - Use of Hard-coded Password
* https://www.sans.org/top25-software-errors/#cat3[SANS Top 25] - Porous Defenses
Reference in New Issue View Git Blame Copy Permalink