Security+ Academy · Lesson

Secure Secret Management and Environment Variables

Avoid hardcoded secrets in source code by using secrets managers (Vault, AWS Secrets Manager) and environment variable injection at runtime.

The Hardcoded Secret Problem

Hardcoded secrets, meaning API keys, database passwords, TLS private keys and OAuth tokens embedded directly in source code, are among the most common and most preventable vulnerabilities. A secret committed to a repository lives on in version control history even after it is removed from the current tree, is visible to everyone with read access to the repository, tends to be copied into build artefacts and CI/CD logs, and is frequently leaked when a repository is accidentally made public. Tools such as GitGuardian and truffleHog continuously scan commits and public platforms like GitHub for exactly these patterns, and attackers run the same kind of scanning. Because history cannot be un-published, a secret that has ever been committed should be treated as compromised and rotated; deleting the line or rewriting history does not revoke it.

# DANGEROUS: hardcoded secret in source code
# db_password = 'P@ssw0rd#2026'
# api_key = 'sk-live-abc123xyz789'
# aws_secret = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'

# These secrets are now:
# - In git history (even if later deleted)
# - Visible to all repo contributors
# - Potentially in CI/CD logs
# - Often leaked when repos go public accidentally
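The kind of scan GitGuardian and truffleHog run can be reproduced in miniature. The following is an added example, not code from this lesson or from either tool: it combines a few pattern detectors (AWS access key IDs, PEM private-key headers, keyword = 'value' assignments) with a Shannon-entropy check over quoted string literals, and runs them over a constructed source file that reuses the example values above. The detector set, the 3.5 bits-per-character threshold and the sample file are assumptions made for illustration, not the vendors' rule sets.

```python
"""Miniature hardcoded-secret scanner (added example, not GitGuardian's or
truffleHog's code): pattern detectors plus a Shannon-entropy check."""
import math
import re
from collections import Counter

# Assumed, illustrative detector set; real scanners ship hundreds of these.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----"),
    # keyword = 'value' with a value of at least 8 characters; group 2 is the value
    "generic_assignment": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}
# A quoted literal of 20+ base64/URL-safe characters is a candidate for the entropy test.
QUOTED_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/=_\-]{20,})['\"]")
ENTROPY_THRESHOLD = 3.5  # bits per character; an assumed, tunable cut-off


def shannon_entropy(s):
    """Bits of entropy per character of s (0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_line(lineno, line):
    """Return (lineno, kind, value) findings for one source line."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(line):
            value = m.group(2) if kind == "generic_assignment" else m.group(0)
            findings.append((lineno, kind, value))
    # Entropy check only for literals no pattern already flagged.
    seen = {value for _, _, value in findings}
    for m in QUOTED_LITERAL.finditer(line):
        value = m.group(1)
        if value not in seen and shannon_entropy(value) >= ENTROPY_THRESHOLD:
            findings.append((lineno, "high_entropy_string", value))
    return findings


def scan_source(text):
    """Scan a whole file's text; findings are ordered by line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        findings.extend(scan_line(lineno, line))
    return findings


# Constructed sample file reusing the lesson's example values (the AWS key pair is
# AWS's documented example pair), plus one unnamed high-entropy blob and one
# long but low-entropy literal that must not be flagged.
SAMPLE_SOURCE = """\
import os
DB_HOST = "db.internal"
db_password = 'P@ssw0rd#2026'
api_key = 'sk-live-abc123xyz789'
aws_access_key_id = 'AKIAIOSFODNN7EXAMPLE'
aws_secret = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'
db_password = os.environ.get('DB_PASSWORD')
session_blob = "q7Xk2Lm9Pz4Rt8Wb3Ny6Hv1Jc5Fd0Gs"
BANNER = "aaaaaaaaaaaaaaaaaaaaaaaa"
"""

if __name__ == "__main__":
    for lineno, kind, value in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind}: {value[:6]}...")
```

Lines 3 to 6 are caught by name-based or AWS-format rules, line 7 (the environment lookup) is correctly ignored, and line 8 is caught only by the entropy test, which is what lets a scanner find tokens assigned to innocuous-looking names. The same check is what makes these tools noisy on base64 blobs and hashes, so tune the threshold and allow-list per repository rather than disabling it.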

Environment Variables: Better but Not Enough

Environment variables take secrets out of source code: the host OS, container runtime or orchestrator injects them when the process starts, and the application reads os.environ['DB_PASSWORD'] instead of a literal. This is a real improvement over hardcoding, but an environment variable is a weak place to hold a secret at runtime. Any process running as the same user (or as root) can read it from /proc/<pid>/environ or with ps e; every child process inherits it unless the parent scrubs or allow-lists the environment it passes on; crash reporters, framework debug pages and container inspection (docker inspect prints a container's environment) routinely capture it; and there is no built-in rotation, since changing the value means re-injecting it and restarting the process. Environment variables are fine for local development. In production they should at most be the delivery channel for a credential fetched from a secrets manager, not the long-term store.

# Environment variable pattern:
# In .env file (NEVER commit to git):
# DB_PASSWORD=P@ssw0rd#2026
# API_KEY=sk-live-abc123xyz789

# In .gitignore:
# .env
# *.env
# .env.*

# In application code:
# db_password = os.environ.get('DB_PASSWORD')
# api_key = os.environ.get('API_KEY')

# Risk: env vars are readable by any process running as the same user (or root)
# via /proc/<pid>/environ or 'ps e' (plain 'ps aux' shows only the command line);
# they are inherited by every child process, and 'docker inspect' prints a
# container's environment in clear text.
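The inheritance and /proc exposure described above can be observed directly. The following is an added example, not code from this lesson: it injects a constructed secret, shows that a child process inherits it by default, reads it once and removes it with take_secret(), and hands later children an allow-listed environment instead of the whole one. The last function shows a caveat the warning above implies but does not spell out: on Linux, unsetting the variable edits the pointer array in the process, not the original strings, so /proc/<pid>/environ (which exposes the process's initial environment block) still contains the secret for the life of the process, readable by the same user or root. The variable name DB_PASSWORD, the secret value and the allow-list are assumptions.

```python
"""Environment-variable secret hygiene, shown with real child processes.

Added example, not code from this lesson. The variable name DB_PASSWORD, the
secret value and the child-environment allow-list are assumptions."""
import os
import subprocess
import sys

SECRET = "constructed-example-secret"   # constructed value standing in for the injected secret

# Child one-liner: print the names among argv that are present in its environment.
_REPORT = "import os, sys; print(' '.join(n for n in sys.argv[1:] if n in os.environ))"

# Child one-liner (Linux): unset the secret, then read the process's *initial*
# environment block from procfs and report whether the value is still there.
_PROCFS_CHECK = (
    "import os; os.environ.pop('DB_PASSWORD'); "
    "print(b'DB_PASSWORD=' in open('/proc/self/environ', 'rb').read())"
)


def child_can_see(var_names, env=None):
    """Spawn a Python child (env=None inherits this process's environment) and
    return the subset of var_names the child can read."""
    proc = subprocess.run([sys.executable, "-c", _REPORT, *var_names],
                          env=env, capture_output=True, text=True, check=True)
    return set(proc.stdout.split())


def take_secret(name):
    """Read a secret exactly once and remove it from os.environ (unsetenv), so
    children spawned afterwards do not inherit it."""
    value = os.environ.pop(name, None)
    if value is None:
        raise RuntimeError(f"required secret {name!r} is not set")
    return value


def minimal_child_env(allow=("PATH", "HOME", "LANG", "LC_ALL", "TMPDIR")):
    """Allow-list what a child receives instead of inheriting everything."""
    return {k: v for k, v in os.environ.items() if k in allow}


def has_procfs_environ():
    return os.path.exists("/proc/self/environ")


def secret_survives_unset_in_procfs():
    """Start a child with DB_PASSWORD set; the child unsets it and then reads
    /proc/self/environ. Returns True if the value is still readable there
    (unsetenv rewrites the pointer array, not the strings the kernel placed on
    the stack at exec), or None where procfs is unavailable."""
    if not has_procfs_environ():
        return None
    env = dict(os.environ, DB_PASSWORD=SECRET)
    proc = subprocess.run([sys.executable, "-c", _PROCFS_CHECK], env=env,
                          capture_output=True, text=True, check=True)
    return proc.stdout.strip() == "True"


def demo():
    """Three observations, returned as (inherited, after_take, allowlisted)."""
    os.environ["DB_PASSWORD"] = SECRET                 # as an orchestrator would inject it
    inherited = child_can_see(["DB_PASSWORD"])         # default: every child inherits it
    take_secret("DB_PASSWORD")                         # read once, then scrubbed
    after_take = child_can_see(["DB_PASSWORD"])        # later children no longer see it
    os.environ["DB_PASSWORD"] = SECRET                 # re-inject: the allow-list alone also suffices
    allowlisted = child_can_see(["DB_PASSWORD"], env=minimal_child_env())
    os.environ.pop("DB_PASSWORD", None)
    return inherited, after_take, allowlisted


if __name__ == "__main__":
    print("inherited, after take_secret, allow-listed:", demo())
    print("still in /proc/self/environ after unsetenv:", secret_survives_unset_in_procfs())
```

Reading the secret once and scrubbing it, plus allow-listing child environments, closes the inheritance path (the one that leaks secrets into shell-outs, build tools and crash handlers). It does not close the procfs path, which is the practical reason to prefer a file mounted with restrictive permissions or a secrets-manager fetch at start-up over a long-lived value in the environment for production workloads.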

All lessons in this course

  1. Input Validation and Output Encoding
  2. Secure Secret Management and Environment Variables
  3. Dependency Security and Software Composition Analysis
  4. DevSecOps: Shifting Security Left into Pipelines