A security analyst reviews a web application and discovers account credentials stored directly in the source files. The developer claims there is no concern because the repository is restricted. Which measure best addresses the exposure?
Split the encoded credentials into multiple locations so they appear more hidden
Move the credentials to a separate file on the same source repository
Encrypt the credentials in the code with a static key
Purge commit history and use environment variables instead of storing account details in the code
The credentials must be removed from the source files and from every historical commit that contains them. Sensitive values belong outside the tracked repository, for example in environment variables injected at deploy time; rewriting or purging the old commits and reading the values from the environment means they are no longer published in the source history. Static-key encryption and obfuscation only make the strings harder to spot: the key or decoding routine ships in the same repository, and the original values remain retrievable from past commits. Moving the credentials to another file in the same repository changes nothing about the exposure. A restricted repository does not remove the risk either: anyone who has already cloned it holds the full history, so the leaked credentials should also be treated as compromised and rotated.
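As an added example (not part of the original question or its explanation), the script below shows the two halves of the remediation in code: a small scanner that flags credentials in source text or in `git log -p` output, including a base64-encoded copy that obfuscation was supposed to hide, and a loader that reads the value from the environment and fails loudly instead of falling back to anything in the code. The regexes, the entropy threshold and the sample diff are constructed for the demonstration and are not taken from any real tool.

```python
"""Added example: find credentials committed to source or history, and load
them from the environment instead. Patterns, threshold and sample input are
hypothetical and constructed for this demonstration."""
import math
import os
import re

# A string literal assigned to a credential-looking name (DB_PASSWORD, api_key, ...).
ASSIGNMENT_RE = re.compile(
    r"""(?i)\b(\w*(?:password|passwd|secret|token|api_?key)\w*)\s*[:=]\s*["']([^"']{6,})["']"""
)
# Any long quoted literal; judged by entropy so encoded or split values are still caught.
LITERAL_RE = re.compile(r"""["']([A-Za-z0-9+/=_\-]{20,})["']""")
ENTROPY_THRESHOLD = 4.0  # bits per character; hypothetical cutoff for this example


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_hardcoded_credentials(text: str) -> list[tuple[int, str, str]]:
    """Scan text (a source file, or `git log -p --all` output) for likely credentials.

    Returns (line_number, reason, value) tuples, lines numbered from 1.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = ASSIGNMENT_RE.search(line)
        if m:
            findings.append((lineno, f"credential-named assignment: {m.group(1)}", m.group(2)))
            continue  # already reported; skip the entropy check for this line
        for lit in LITERAL_RE.finditer(line):
            value = lit.group(1)
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append((lineno, "high-entropy literal", value))
    return findings


def load_credential(name: str, env=None) -> str:
    """Read a credential from the environment (or a supplied mapping).

    Raises instead of falling back to a default, so a missing variable is a
    deployment error rather than a silent return to hardcoded values.
    """
    source = os.environ if env is None else env
    value = source.get(name)
    if not value:
        raise RuntimeError(f"required credential {name} is not set in the environment")
    return value


# Constructed sample diff: the removal commit, plus an "obfuscated" copy that is
# just the same value base64-encoded, and two harmless long literals.
SAMPLE_DIFF = """\
-DB_PASSWORD = "hunter2-prod-2019"
+DB_PASSWORD = os.environ["DB_PASSWORD"]
 # "hidden" copy: the same value, base64-encoded and stored under another name
 PART_A = "aHVudGVyMi1wcm9kLTIwMTk="
 TABLE_NAME = "user_account_settings_v2"
 GREETING = "hello world, this is a plain string value"
"""

if __name__ == "__main__":
    for lineno, reason, value in find_hardcoded_credentials(SAMPLE_DIFF):
        print(f"line {lineno}: {reason} -> {value!r}")
```

The scanner reports the removed line 1 as well as the encoded copy on line 4, while the table name and the greeting pass: this is why the removal commit alone is not enough, since the `-` line is still in the repository's history until that history is rewritten. Feeding it the full history is a matter of piping `git log -p --all` into `find_hardcoded_credentials`.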