Secure Coding Practices

Handling Passwords and Secret Keys using Environment Variables

Whether you are working in a development environment or moving code to production, keeping keys, passwords and other secrets in plaintext in the source is a major risk: the secret travels with every copy of the repository, every build artifact and every backup. When such a credential leaks, an attacker uses it to get into the system, environment or application it protects, and from there to reach further systems and higher privileges. The generally accepted remediation is to keep secrets out of the code entirely and hand them to the application at run time, most commonly through environment variables.

An environment variable is a named value that the operating system holds for a process and passes on to every process it launches (a shell, a subshell, or the application itself). The value is set outside the program, by the shell, a service manager or a container runtime, and the program only reads it, so the same code runs unchanged in development and production with different secrets. A process can modify its own copy, but the change is not seen by the parent shell and only reaches children started afterwards; the value is also not persisted across sessions unless something (a profile script, a unit file, a deployment manifest) sets it again.

How to Implement Environment Variables

In a *nix shell (bash, zsh, sh), the command is:

export PASSWORD="password"

Typed at an interactive prompt, that line lands in the shell history with the password in it. To set the variable without echoing or recording the value, read it from the terminal instead:

read -rs PASSWORD && export PASSWORD

In a Windows cmd.exe session, the command is:

set PASSWORD=password

Note that cmd.exe keeps quotes as part of the value, so set PASSWORD="password" would store the quote characters too. In PowerShell:

$env:PASSWORD = "password"

Both Windows forms apply to the current session only. setx writes the value permanently into the registry, which is rarely what you want for a secret.

Referencing the environment variable in different programming languages:

Python:

import os
password = os.environ.get("PASSWORD")    # None if unset; os.environ["PASSWORD"] raises KeyError instead

JavaScript (Node.js):

const password = process.env.PASSWORD;    // undefined if unset

C#:

string password = Environment.GetEnvironmentVariable("PASSWORD");    // null if unset

C++:

#include <cstdlib>
const char* password = std::getenv("PASSWORD");    // nullptr if unset

Java:

String password = System.getenv("PASSWORD");    // null if unset

Shell/Bash:

: "${PASSWORD:?PASSWORD is not set}"    # abort with an error if the variable is unset or empty
password="$PASSWORD"                    # always quote the expansion

In every language above, a missing variable comes back as None, undefined, null or nullptr rather than as an error, so check for that case at start-up and refuse to run with an empty credential.


Reading secrets from the environment rather than from source is the expected practice in development, test and production environments. Two caveats apply. First, the environment of a running process is readable by anyone who can inspect that process (ps e, /proc/<pid>/environ on Linux, crash dumps, verbose CI logs) and is inherited by every child process it starts, so treat the environment as a delivery channel for the secret, not as a vault. Second, where the variable comes from matters: a hard-coded export in a Dockerfile or a committed .env file reintroduces the original problem, so in production have the deployment tooling or a secrets manager inject the value into the process environment at start-up.
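The following is an added example, not code from the original article: it puts the "before" (a hard-coded password) beside the "after" (a secret read from the environment as described above), adds the fail-closed check for a missing variable, wraps the value so it does not leak into logs, and strips it from the environment handed to a child process. The variable name DB_PASSWORD and the helpers MissingSecretError, Secret, get_secret, child_environment and secret_visible_to_child are assumptions chosen for this example; nothing here contacts a real database.

```python
"""
Added example, not code from the original article: the "before" (hard-coded
password) beside the "after" (secret read from the environment), with a
fail-closed check, a wrapper that keeps the value out of logs, and a
subprocess environment with the secret stripped.

Assumed names (hypothetical, chosen for this example): the variable
DB_PASSWORD and the helpers MissingSecretError, Secret, get_secret,
child_environment and secret_visible_to_child. Nothing here contacts a
real database.
"""
import os
import subprocess
import sys
from typing import Dict, Iterable, Mapping, Optional


# BEFORE: the pattern the article warns against. Anyone with read access to
# the repository, a build artifact, or a backup now holds a valid credential.
DB_PASSWORD_HARDCODED = "Sup3rS3cret!"  # do not do this


class MissingSecretError(RuntimeError):
    """Raised when a required secret is absent, so start-up fails instead of
    the application running with an empty password."""


class Secret:
    """Holds a secret value but never prints it: logging the object or
    including it in an exception message shows <redacted>."""

    def __init__(self, value: str) -> None:
        self._value = value

    def reveal(self) -> str:
        """Return the raw value; call this only at the point of use."""
        return self._value

    def __repr__(self) -> str:
        return "Secret(<redacted>)"

    __str__ = __repr__


def get_secret(name: str, environ: Optional[Mapping[str, str]] = None) -> Secret:
    """AFTER: read a required secret from the environment.

    `environ` defaults to os.environ; tests pass a constructed mapping.
    An unset variable and an empty string are both treated as "not
    configured", because getenv in every language silently returns
    None/undefined/null for a missing variable.
    """
    env = os.environ if environ is None else environ
    value = env.get(name)
    if not value:
        raise MissingSecretError(f"required secret {name!r} is not set in the environment")
    return Secret(value)


def child_environment(environ: Mapping[str, str], secret_names: Iterable[str]) -> Dict[str, str]:
    """Copy of `environ` with the named secrets removed.

    Child processes inherit the parent's whole environment by default, so a
    helper tool spawned by the application would otherwise receive
    DB_PASSWORD for free. Pass the result as subprocess.run(..., env=...).
    """
    drop = set(secret_names)
    return {k: v for k, v in environ.items() if k not in drop}


def secret_visible_to_child(environ: Mapping[str, str], name: str) -> bool:
    """Spawn a Python child with `environ` and report whether it can see `name`.

    Used below to show that the stripped environment really hides the secret.
    """
    probe = f"import os, sys; sys.stdout.write(str({name!r} in os.environ))"
    result = subprocess.run(
        [sys.executable, "-c", probe], env=dict(environ), capture_output=True, text=True, check=True
    )
    return result.stdout.strip() == "True"


if __name__ == "__main__":
    # Constructed environment standing in for what `export DB_PASSWORD=...` produced.
    parent_env = dict(os.environ)
    parent_env["DB_PASSWORD"] = "Sup3rS3cret!"

    password = get_secret("DB_PASSWORD", parent_env)
    print("loaded:", password)  # prints Secret(<redacted>), not the value
    print("child sees secret with inherited env:", secret_visible_to_child(parent_env, "DB_PASSWORD"))
    stripped = child_environment(parent_env, ["DB_PASSWORD"])
    print("child sees secret with stripped env:", secret_visible_to_child(stripped, "DB_PASSWORD"))

    try:
        get_secret("DB_PASSWORD", {})  # simulate a deployment that forgot to set it
    except MissingSecretError as exc:
        print("startup aborted:", exc)
```

Run it with python3 after exporting nothing: the final block shows the start-up failure a missing variable should produce, and the two child-process checks show that a subprocess sees DB_PASSWORD only when it is handed the inherited environment, which is why the stripped copy is passed to helper tools.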
