DL
Uploaded byDana Luther
PDF, PPTX130 views

Keep it Secret, Keep it Safe - Docker Secrets and DI

The document discusses various methods for managing sensitive credentials in application development, specifically focusing on Docker secrets, dependency injection, and best practices for securing APIs. It emphasizes the importance of protecting file-based, variable, and API credential strings, demonstrating code examples for improved security. Furthermore, it outlines Docker's capabilities in creating secure environments for sensitive information, while also cautioning against common pitfalls in credential management.

Embed presentation

Download as PDF, PPTX
@danaluther Keep it Secret, Keep it Safe Docker Secrets and DI (Containers) https://joind.in/talk/78c5b https://github.com/DanaLuther/kiskis
@danaluther What are we keeping secret? All the things? (no… but de fi nitely the important things)
@danaluther What are we keeping secret? All the things? (no… but de fi nitely the important things) • File Based Credentials
@danaluther What are we keeping secret? All the things? (no… but de fi nitely the important things) • File Based Credentials • SSH key fi les
@danaluther What are we keeping secret? All the things? (no… but de fi nitely the important things) • File Based Credentials • SSH key fi les • Json auth fi les
@danaluther What are we keeping secret? All the things? (no… but de fi nitely the important things) • File Based Credentials • SSH key fi les • Json auth fi les • Variable Credentials
@danaluther What are we keeping secret? All the things? (no… but de fi nitely the important things) • File Based Credentials • SSH key fi les • Json auth fi les • Variable Credentials • API keys and tokens
@danaluther What are we keeping secret? All the things? (no… but de fi nitely the important things) • File Based Credentials • SSH key fi les • Json auth fi les • Variable Credentials • API keys and tokens • Any value that could compromise security / grant access to your data or accounts.
@danaluther Isn't it already safe? …Ish. It depends - how are you storing it currently?
@danaluther Isn't it already safe? …Ish. It depends - how are you storing it currently? • Storing credentials directly into a repo
@danaluther Isn't it already safe? …Ish. It depends - how are you storing it currently? • Storing credentials directly into a repo • Readable by anyone with access to that repo
@danaluther Isn't it already safe? …Ish. It depends - how are you storing it currently? • Storing credentials directly into a repo • Readable by anyone with access to that repo • Exposed in coverage reports or anything that includes the source code in analysis or reporting displays
@danaluther Isn't it already safe? …Ish. It depends - how are you storing it currently? • Storing credentials directly into a repo • Readable by anyone with access to that repo • Exposed in coverage reports or anything that includes the source code in analysis or reporting displays • Storing credentials in ENV variables
@danaluther Isn't it already safe? …Ish. It depends - how are you storing it currently? • Storing credentials directly into a repo • Readable by anyone with access to that repo • Exposed in coverage reports or anything that includes the source code in analysis or reporting displays • Storing credentials in ENV variables • Exposed via phpinfo, server dumps, or to anyone who has compromised the server
@danaluther Isn't it already safe? …Ish. It depends - how are you storing it currently? • Storing credentials directly into a repo • Readable by anyone with access to that repo • Exposed in coverage reports or anything that includes the source code in analysis or reporting displays • Storing credentials in ENV variables • Exposed via phpinfo, server dumps, or to anyone who has compromised the server • Not static and has the potential to be modi fi ed nefariously
@danaluther Does it really matter? I don’t know … does it?
@danaluther Does it really matter? I don’t know … does it? • How important is the service or information being used?
@danaluther Does it really matter? I don’t know … does it? • How important is the service or information being used? • How big is the impact if that service is accessed by another?
@danaluther Does it really matter? I don’t know … does it? • How important is the service or information being used? • How big is the impact if that service is accessed by another? • Is the credential the sole key to access, or is does the service have additional factors in play?
@danaluther Does it really matter? I don’t know … does it? • How important is the service or information being used? • How big is the impact if that service is accessed by another? • Is the credential the sole key to access, or is does the service have additional factors in play? • What is the risk level compared to the technical debt?
@danaluther Does it really matter? I don’t know … does it? • How important is the service or information being used? • How big is the impact if that service is accessed by another? • Is the credential the sole key to access, or is does the service have additional factors in play? • What is the risk level compared to the technical debt? • Does the information get published into your application as part of the public UI?
@danaluther Sample API Object Class with public API credential property class SampleObject { public string $myApiKey = 'ABC1234'; public function connect() { / / Do something with $myApiKey here } }
@danaluther Sample API Object Class with public API credential property class SampleObject { public string $myApiKey = 'ABC1234'; public function connect() { / / Do something with $myApiKey here } } new ExampleSampleObject()
@danaluther Sample API Object v2 Class with API credential property class SampleObjectMoreSecure { private string $myApiKey = 'ABC1234'; public function connect() { / / Do something with $myApiKey here } }
@danaluther Sample API Object v2 Class with API credential property class SampleObjectMoreSecure { private string $myApiKey = 'ABC1234'; public function connect() { / / Do something with $myApiKey here } } new ExampleSampleObjectMoreSecure()
@danaluther Sample API Object v3 Class with constructed private API credential property class SampleObjectConstructed { private string $_myApiKey; public function __construct(string $apiKey) { $this - > _myApiKey = $apiKey; } public function connect() { / / Do something } }
@danaluther Sample API Object v3 Class with constructed private API credential property class SampleObjectConstructed { private string $_myApiKey; public function __construct(string $apiKey) { $this - > _myApiKey = $apiKey; } public function connect() { / / Do something } } new ExampleSampleObjectConstructed('Someothervalue')
@danaluther Sample API Object v3 with $_ENV Class with constructed private API credential property class SampleObjectConstructed { private string $_myApiKey; public function __construct(string $apiKey) { $this - > _myApiKey = $apiKey; } public function connect() { / / Do something } }
@danaluther Sample API Object v3 with $_ENV Class with constructed private API credential property class SampleObjectConstructed { private string $_myApiKey; public function __construct(string $apiKey) { $this - > _myApiKey = $apiKey; } public function connect() { / / Do something } } new ExampleSampleObjectConstructed($_ENV['MY_SECRET_KEY'])
@danaluther Sample API Object v3 with $_ENV Class with constructed private API credential property class SampleObjectConstructed { private string $_myApiKey; public function __construct(string $apiKey) { $this - > _myApiKey = $apiKey; } public function connect() { / / Do something } } new ExampleSampleObjectConstructed($_ENV['MY_SECRET_KEY'])
@danaluther Dependency Injection Containers So, what is it and how does it help us??
@danaluther Dependency Injection Containers So, what is it and how does it help us?? • Does NOT help to solve the issue of fi le based credentials.
@danaluther Dependency Injection Containers So, what is it and how does it help us?? • Does NOT help to solve the issue of fi le based credentials. • Does help to solve the issue of class based or variable credential strings.
@danaluther Dependency Injection Containers So, what is it and how does it help us?? • Does NOT help to solve the issue of fi le based credentials. • Does help to solve the issue of class based or variable credential strings. • Creates a map that de fi nes the default properties to be assigned to an object when that object is created via the container.
@danaluther Don’t reinvent the wheel. https://packagist.org
@danaluther Add your DI package to composer composer.json { "require": { "yiisoft/di": "^3.0.x - dev", "yiisoft/injector": "^1.0", "yiisoft/definitions": "^3.0.x - dev" } }
@danaluther Install the composer packages docker run --rm -v $PWD:/app composer update https://hub.docker.com/_/composer
@danaluther Sample API Object v3 with $_ENV via DI Constructor moved to DI Container require 'vendor/autoload.php'; use YiisoftDiContainer; $container = new Container([ ExampleSampleObjectConstructed : : class = > [ 'class' = > ExampleSampleObjectConstructed : : class, '__construct()' = > [$_ENV['MY_SECRET_KEY']] ], ]);
@danaluther Sample API Object v3 with $_ENV via DI Constructor moved to DI Container require 'vendor/autoload.php'; use YiisoftDiContainer; $container = new Container([ ExampleSampleObjectConstructed : : class = > [ 'class' = > ExampleSampleObjectConstructed : : class, '__construct()' = > [$_ENV['MY_SECRET_KEY']] ], ]);
@danaluther Sample API Object v3 with $_ENV via DI Constructor moved to DI Container require 'vendor/autoload.php'; use YiisoftDiContainer; $container = new Container([ ExampleSampleObjectConstructed : : class = > [ 'class' = > ExampleSampleObjectConstructed : : class, '__construct()' = > [$_ENV['MY_SECRET_KEY']] ], ]); $container - > get(ExampleSampleObjectConstructed : : class)
@danaluther But is it secret? Is it safe? Lets check those $_ENV vars …
@danaluther But is it secret? Is it safe? Lets check those $_ENV vars …
@danaluther Docker Secrets What are they and how do they help us?
@danaluther Docker Secrets What are they and how do they help us? • Does help to solve the issue of fi le based credentials.
@danaluther Docker Secrets What are they and how do they help us? • Does help to solve the issue of fi le based credentials. • Does help to solve the issue of class based or variable credential strings.
@danaluther Docker Secrets What are they and how do they help us? • Does help to solve the issue of fi le based credentials. • Does help to solve the issue of class based or variable credential strings. • Created as elements of a Docker stack and written to read-only fi les in the container they are attached to.
@danaluther Docker Secrets What are they and how do they help us? • Does help to solve the issue of fi le based credentials. • Does help to solve the issue of class based or variable credential strings. • Created as elements of a Docker stack and written to read-only fi les in the container they are attached to. • Can only be be modi fi ed by the stack when a new container is created.
@danaluther Docker Secrets What are they and how do they help us? • Does help to solve the issue of fi le based credentials. • Does help to solve the issue of class based or variable credential strings. • Created as elements of a Docker stack and written to read-only fi les in the container they are attached to. • Can only be be modi fi ed by the stack when a new container is created. • Cannot be exposed through inspection via the stack or parent machine. Only visible in the container where it has been mounted.
@danaluther What is Docker? (Jumped ahead there didn’t I…) https://www.docker.com
@danaluther What is Docker? Docker Hierarchy https://hub.docker.com
@danaluther What is Docker? Docker Hierarchy Image Container Service Stack https://hub.docker.com
@danaluther Basic Stack for PHP Apache on :8080 docker-compose.yml https://docs.docker.com/compose/compose- fi le/ version: “3.7" services: php: image: php:7.4-apache ports: - 8080 : 80 volumes: - ./src:/var/ w w w /html
@danaluther version: “3.7" services: php: image: php:7.4-apache ports: - 8080 : 80 volumes: - ./src:/var/ w w w /html command:[ ‘bash’, ‘ - c’, ‘docker - php - ext - install - j$$(nproc) mysqli pdo_mysql & & apache2-foreground’ ] db: image: mysql environment: - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_pwd secrets: - db_pwd secrets: db_pwd: file: ./root_db_password.txt
@danaluther version: “3.7" services: php: image: php:8.0-apache ports: - 8080 : 80 volumes: - ./src:/var/ w w w /html command:[ ‘bash’, ‘ - c’, ‘docker - php - ext - install - j$$(nproc) mysqli pdo_mysql & & apache2-foreground’ ] db: image: mysql environment: - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_pwd secrets: - db_pwd secrets: db_pwd: file: ./root_db_password.txt
@danaluther version: “3.7" services: php: image: php:8.1-rc—apache ports: - 8080 : 80 volumes: - ./src:/var/ w w w /html command:[ ‘bash’, ‘ - c’, ‘docker - php - ext - install - j$$(nproc) mysqli pdo_mysql & & apache2-foreground’ ] db: image: mysql environment: - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_pwd secrets: - db_pwd secrets: db_pwd: file: ./root_db_password.txt
@danaluther Deploy the Stack on a Swarm (Group of machines … or just one machine) > docker stack deploy - c docker - compose-8.yml test > docker swarm init
@danaluther Voila! http://localhost:8080
@danaluther Voila! http://localhost:8080
@danaluther No swarm? No problem… > docker - compose up (Well, mostly no problem. No services list, secrets list, etc)
@danaluther No swarm? No problem… > docker - compose up (Well, mostly no problem. No services list, secrets list, etc)
@danaluther
@danaluther Creating a Docker Secret The secret is in the stack… … db: image: mysql environment: - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_pwd secrets: - db_pwd secrets: db_pwd: file: ./root_db_password.txt
@danaluther Creating a Docker Secret The secret is in the stack… … db: image: mysql environment: - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_pwd secrets: - db_pwd secrets: db_pwd: file: ./root_db_password.txt
@danaluther Check the containers… docker container ls
@danaluther Check the containers… docker container ls
@danaluther Inspect the container for the secret docker container inspect
@danaluther Inspect the container for the secret docker container inspect > docker container inspect $(docker ps - lq - f name=test_db) > docker container inspect ff8dc39f919f > docker container inspect test_db.1.l8enz0qx7x8zci4156gh7i0qy
@danaluther Inspect the container for the secret docker container inspect > docker container inspect kiskis_db_1 > docker container inspect 378020331e87 > docker container inspect $(docker ps - lq - f name=test_db) > docker container inspect ff8dc39f919f > docker container inspect test_db.1.l8enz0qx7x8zci4156gh7i0qy
@danaluther Inspect the container for the secret docker container inspect
@danaluther Inspect the container for the secret docker container inspect
@danaluther Inspect the container for the secret docker container inspect
@danaluther What's actually in the Secret?
@danaluther What's actually in the Secret?
@danaluther Can the container change the secret? Nope!!
@danaluther Can *I* change the secret? Yes, yes I can.
@danaluther Can *I* change the secret? Yes, yes I can. If I used docker stack deploy.
@danaluther Updating a Docker Secret (Ok, you can’t actually update it, you have to replace it.) > docker secret create db_pwd.2 updatedcontent.txt
@danaluther Updating a Docker Secret (Ok, you can’t actually update it, you have to replace it.) > docker service update - - secret - rm test_db_pwd - - secret - add src=db_pwd.2,target=db_pwd test_db
@danaluther Confirm the update Updating the service launched a new container with a new secret. New: Original:
@danaluther Great, but I don’t care about the database… Right - lets put the secret to use in our DI container
@danaluther Great, but I don’t care about the database… Right - lets put the secret to use in our DI container
@danaluther Sample API Object v3 with $_ENV via DI Constructor moved to DI Container require 'vendor/autoload.php'; use YiisoftDiContainer; $container = new Container([ ExampleSampleObjectConstructed : : class = > [ 'class' = > ExampleSampleObjectConstructed : : class, '__construct()' = > [$_ENV['MY_SECRET_KEY']] ], ]); $container - > get(ExampleSampleObjectConstructed : : class)
@danaluther Sample API Object v3 with $_ENV via DI Constructor moved to DI Container require 'vendor/autoload.php'; use YiisoftDiContainer; $container = new Container([ ExampleSampleObjectConstructed : : class = > [ 'class' = > ExampleSampleObjectConstructed : : class, '__construct()' = > [$_ENV['MY_SECRET_KEY']] ], ]); $container - > get(ExampleSampleObjectConstructed : : class)
@danaluther PHP stack with secrets version: "3.7" services: php: image: php:8.1-rc - apache ports: - 8081 : 80 volumes: - ./src:/var/ w w w /html environment: - MY_SECRET_KEY=SomeKeyValue secrets: - hiddenkey - hiddenkey2 secrets: hiddenkey: file: ./secrets/secret - key - val.txt hiddenkey2 : file: ./secrets/secret - key - val2.txt
@danaluther Deploy the Stack on a Swarm (Don’t need to init, just re-deploy for updates) > docker stack deploy - c docker - compose-8-1-nodb.yml test
@danaluther Sample API Object v3 with secret via DI Container populated from secret require 'vendor/autoload.php'; use YiisoftDiContainer; $container = new Container([ ExampleSampleObjectConstructed : : class = > [ 'class' = > ExampleSampleObjectConstructed : : class, '__construct()' = > [file_get_contents('/run/secrets/hiddenkey')] ], ]);
@danaluther Sample API Object v3 with secret via DI Container populated from secret require 'vendor/autoload.php'; use YiisoftDiContainer; $container = new Container([ ExampleSampleObjectConstructed : : class = > [ 'class' = > ExampleSampleObjectConstructed : : class, '__construct()' = > [file_get_contents('/run/secrets/hiddenkey')] ], ]); $container - > get(ExampleSampleObjectConstructed : : class)
@danaluther Define multiple objects in the container Multiple classes, multiple con fi gurations of one class $container = new Container([ ExampleSampleObjectConstructed : : class = > [ 'class' = > ExampleSampleObjectConstructed : : class, '__construct()' = > [file_get_contents('/run/secrets/hiddenkey')] ], ExamplePartnerConfigIdentifier : : OPT_CONFIG_1 = > [ 'class' = > ExampleSampleObjectConstructed : : class, '__construct()' = > [file_get_contents('/run/secrets/hiddenkey2')] ], ExamplePartnerConfigIdentifier : : OPT_CONFIG_2 = > [ 'class' = > ExampleSampleObjectConstructed : : class, '__construct()' = > ['You can read me in the source repo.'] ], ]);
@danaluther Using constants to keep things tidy (Yes, it wants to be an enum, but we’re 7.4 compatible currently) class PartnerConfigIdentifier { public const DEFAULT_CONFIG = self : : class.':default'; public const OPT_CONFIG_1 = self : : class.':opt1'; public const OPT_CONFIG_2 = self : : class.':opt2'; public const OPT_CONFIG_3 = self : : class.':opt3'; }
@danaluther Using constants to keep things tidy (Yes, it wants to be an enum, but we’re 7.4 compatible currently) class PartnerConfigIdentifier { public const DEFAULT_CONFIG = self : : class.':default'; public const OPT_CONFIG_1 = self : : class.':opt1'; public const OPT_CONFIG_2 = self : : class.':opt2'; public const OPT_CONFIG_3 = self : : class.':opt3'; }
@danaluther Create multiple objects via the container $container - > get(ExampleSampleObjectConstructed : : class); $container - > get(ExamplePartnerConfigIdentifier : : OPT_CONFIG_1); $container - > get(ExamplePartnerConfigIdentifier : : OPT_CONFIG_2);
@danaluther Questions?? Ask now or tweet at me if you think of it later! https://www.linkedin.com/in/danaluther dluther@envisageinternational.com https://joind.in/talk/78c5b 🤔 ? ? ? ? https://github.com/DanaLuther/kiskis

More Related Content

PPTX
Getting the Most Out of jQuery Widgets
byvelveeta_512
 
PDF
WCLV13 JavaScript
byJeffrey Zinn
 
PPTX
jQuery from the very beginning
byAnis Ahmad
 
KEY
Motion Django Meetup
byMike Malone
 
PDF
Api Design
bysumithra jonnalagadda
 
PDF
深入淺出 MVC
byJace Ju
 
PPTX
Maintainable JavaScript 2012
byNicholas Zakas
 
ODP
Creating fast, dynamic ACLs in Zend Framework
byWim Godden
 
Getting the Most Out of jQuery Widgets
byvelveeta_512
 
WCLV13 JavaScript
byJeffrey Zinn
 
jQuery from the very beginning
byAnis Ahmad
 
Motion Django Meetup
byMike Malone
 
Api Design
bysumithra jonnalagadda
 
深入淺出 MVC
byJace Ju
 
Maintainable JavaScript 2012
byNicholas Zakas
 
Creating fast, dynamic ACLs in Zend Framework
byWim Godden
 

What's hot

ODP
Creating fast, dynamic ACLs in Zend Framework (Zend Webinar)
byWim Godden
 
PDF
Writing a REST Interconnection Library in Swift
byPablo Villar
 
PDF
Zf2 how arrays will save your project
byMichelangelo van Dam
 
PPT
Jsp
byManav Prasad
 
PDF
Realize mais com HTML 5 e CSS 3 - 16 EDTED - RJ
byLeonardo Balter
 
PPTX
jQuery PPT
byDominic Arrojado
 
PDF
Expression Language in JSP
bycorneliuskoo
 
PDF
Real World Dependency Injection - oscon13
byStephan Hochdörfer
 
PDF
Metrics-Driven Engineering at Etsy
byMike Brittain
 
PDF
Your Business. Your Language. Your Code - dpc13
byStephan Hochdörfer
 
PDF
Puppet Camp Portland 2015: Introduction to Hiera (Beginner)
byPuppet
 
PDF
Doing the Refactor Dance - Making Your Puppet Modules More Modular - PuppetCo...
byPuppet
 
PPTX
API Design Antipatterns - APICon SF
byManish Pandit
 
PDF
Refactor Dance - Puppet Labs 'Best Practices'
byGary Larizza
 
PDF
jQuery Features to Avoid
bydmethvin
 
PDF
Yii, frameworks and where PHP is heading to
byAlexander Makarov
 
PPTX
Unobtrusive javascript with jQuery
byAngel Ruiz
 
PDF
George Thiruvathukal, User Experiences with Plone Content Management
bywebcontent2007
 
PDF
Puppet Camp Sydney 2015: The (Im)perfect Puppet Module
byPuppet
 
Creating fast, dynamic ACLs in Zend Framework (Zend Webinar)
byWim Godden
 
Writing a REST Interconnection Library in Swift
byPablo Villar
 
Zf2 how arrays will save your project
byMichelangelo van Dam
 
Jsp
byManav Prasad
 
Realize mais com HTML 5 e CSS 3 - 16 EDTED - RJ
byLeonardo Balter
 
jQuery PPT
byDominic Arrojado
 
Expression Language in JSP
bycorneliuskoo
 
Real World Dependency Injection - oscon13
byStephan Hochdörfer
 
Metrics-Driven Engineering at Etsy
byMike Brittain
 
Your Business. Your Language. Your Code - dpc13
byStephan Hochdörfer
 
Puppet Camp Portland 2015: Introduction to Hiera (Beginner)
byPuppet
 
Doing the Refactor Dance - Making Your Puppet Modules More Modular - PuppetCo...
byPuppet
 
API Design Antipatterns - APICon SF
byManish Pandit
 
Refactor Dance - Puppet Labs 'Best Practices'
byGary Larizza
 
jQuery Features to Avoid
bydmethvin
 
Yii, frameworks and where PHP is heading to
byAlexander Makarov
 
Unobtrusive javascript with jQuery
byAngel Ruiz
 
George Thiruvathukal, User Experiences with Plone Content Management
bywebcontent2007
 
Puppet Camp Sydney 2015: The (Im)perfect Puppet Module
byPuppet
 

Similar to Keep it Secret, Keep it Safe - Docker Secrets and DI

PDF
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
byapidays
 
PPTX
Microservices security - jpmc tech fest 2018
byMOnCloud
 
PDF
CIS14: Best Practices You Must Apply to Secure Your APIs
byCloudIDSummit
 
PPTX
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
byCA API Management
 
PDF
Introduction to DI(C)
byRadek Benkel
 
PDF
Identiverse 2018 nathanael coffing
byJoshuaCiccone2
 
PPTX
Cybercrime and the developer 2021 style
bySteve Poole
 
PDF
Credential store using HashiCorp Vault
byMayank Patel
 
PDF
APIdays Paris 2019 - API Gateway & Identity Providers, a Match Made in Micros...
byapidays
 
PDF
Secure Secret Management on a Budget: Reasoning about Scalable SM with Vault ...
byMary Racter
 
PDF
Cryptography with Zend Framework
byEnrico Zimuel
 
PDF
Strong cryptography in PHP
byEnrico Zimuel
 
KEY
IoC with PHP
byChris Weldon
 
PDF
Practical API Security - Midwest PHP 2018
byAdam Englander
 
PDF
Protecting Your APIs Against Attack & Hijack
byCA API Management
 
PPTX
2022 APIsecure_Securing APIs with Open Standards
byAPIsecure_ Official
 
PPTX
Enterprise Access Control Patterns for REST and Web APIs Gluecon 2011, Franco...
byCA API Management
 
PDF
WebApp_to_Container_Security.pdf
byAnna Pasupathy, CISSP
 
PDF
GHC18 Abstract - API Security, a Grail Quest
byPaulaPaulSlides
 
PDF
Securing Your Database Dynamic DB Credentials
byDevOps Indonesia
 
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
byapidays
 
Microservices security - jpmc tech fest 2018
byMOnCloud
 
CIS14: Best Practices You Must Apply to Secure Your APIs
byCloudIDSummit
 
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
byCA API Management
 
Introduction to DI(C)
byRadek Benkel
 
Identiverse 2018 nathanael coffing
byJoshuaCiccone2
 
Cybercrime and the developer 2021 style
bySteve Poole
 
Credential store using HashiCorp Vault
byMayank Patel
 
APIdays Paris 2019 - API Gateway & Identity Providers, a Match Made in Micros...
byapidays
 
Secure Secret Management on a Budget: Reasoning about Scalable SM with Vault ...
byMary Racter
 
Cryptography with Zend Framework
byEnrico Zimuel
 
Strong cryptography in PHP
byEnrico Zimuel
 
IoC with PHP
byChris Weldon
 
Practical API Security - Midwest PHP 2018
byAdam Englander
 
Protecting Your APIs Against Attack & Hijack
byCA API Management
 
2022 APIsecure_Securing APIs with Open Standards
byAPIsecure_ Official
 
Enterprise Access Control Patterns for REST and Web APIs Gluecon 2011, Franco...
byCA API Management
 
WebApp_to_Container_Security.pdf
byAnna Pasupathy, CISSP
 
GHC18 Abstract - API Security, a Grail Quest
byPaulaPaulSlides
 
Securing Your Database Dynamic DB Credentials
byDevOps Indonesia
 

More from Dana Luther

PDF
Convert Your Dev Environment to a Docker Stack - PHP Tek 2025.pdf
byDana Luther
 
PDF
Enums In the Wild at PHP[tek] Conference 2025
byDana Luther
 
PDF
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
byDana Luther
 
PDF
How to analyze your codebase with Exakat using Docker - Longhorn PHP
byDana Luther
 
PDF
Integrated Feature Management - Using Feature Flags - PHPSerbia
byDana Luther
 
PDF
Integrated Feature Management - Using Feature Flags - MidwestPHP
byDana Luther
 
PDF
Integrated Feature Management - Using Feature Flags - SunshinePHP
byDana Luther
 
PDF
Hands on Docker - Launch your own LEMP or LAMP stack - SunshinePHP
byDana Luther
 
PDF
Hands on Docker - Launch your own LEMP or LAMP stack
byDana Luther
 
PDF
Converting Your Dev Environment to a Docker Stack - php[world]
byDana Luther
 
PDF
Converting Your Dev Environment to a Docker Stack - Cascadia
byDana Luther
 
PDF
Converting your DEV Environment to a Docker Stack - ZCOE18
byDana Luther
 
PDF
Converting Your DEV Environment to a Docker Stack
byDana Luther
 
PDF
Code Coverage for Total Security in Application Migrations
byDana Luther
 
Convert Your Dev Environment to a Docker Stack - PHP Tek 2025.pdf
byDana Luther
 
Enums In the Wild at PHP[tek] Conference 2025
byDana Luther
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
byDana Luther
 
How to analyze your codebase with Exakat using Docker - Longhorn PHP
byDana Luther
 
Integrated Feature Management - Using Feature Flags - PHPSerbia
byDana Luther
 
Integrated Feature Management - Using Feature Flags - MidwestPHP
byDana Luther
 
Integrated Feature Management - Using Feature Flags - SunshinePHP
byDana Luther
 
Hands on Docker - Launch your own LEMP or LAMP stack - SunshinePHP
byDana Luther
 
Hands on Docker - Launch your own LEMP or LAMP stack
byDana Luther
 
Converting Your Dev Environment to a Docker Stack - php[world]
byDana Luther
 
Converting Your Dev Environment to a Docker Stack - Cascadia
byDana Luther
 
Converting your DEV Environment to a Docker Stack - ZCOE18
byDana Luther
 
Converting Your DEV Environment to a Docker Stack
byDana Luther
 
Code Coverage for Total Security in Application Migrations
byDana Luther
 

Keep it Secret, Keep it Safe - Docker Secrets and DI

  • 1.
    @danaluther Keep it Secret,Keep it Safe Docker Secrets and DI (Containers) https://joind.in/talk/78c5b https://github.com/DanaLuther/kiskis
  • 2.
    @danaluther What are wekeeping secret? All the things? (no… but de fi nitely the important things)
  • 3.
    @danaluther What are wekeeping secret? All the things? (no… but de fi nitely the important things) • File Based Credentials
  • 4.
    @danaluther What are wekeeping secret? All the things? (no… but de fi nitely the important things) • File Based Credentials • SSH key fi les
  • 5.
    @danaluther What are wekeeping secret? All the things? (no… but de fi nitely the important things) • File Based Credentials • SSH key fi les • Json auth fi les
  • 6.
    @danaluther What are wekeeping secret? All the things? (no… but de fi nitely the important things) • File Based Credentials • SSH key fi les • Json auth fi les • Variable Credentials
  • 7.
    @danaluther What are wekeeping secret? All the things? (no… but de fi nitely the important things) • File Based Credentials • SSH key fi les • Json auth fi les • Variable Credentials • API keys and tokens
  • 8.
    @danaluther What are wekeeping secret? All the things? (no… but de fi nitely the important things) • File Based Credentials • SSH key fi les • Json auth fi les • Variable Credentials • API keys and tokens • Any value that could compromise security / grant access to your data or accounts.
  • 9.
    @danaluther Isn't it alreadysafe? …Ish. It depends - how are you storing it currently?
  • 10.
    @danaluther Isn't it alreadysafe? …Ish. It depends - how are you storing it currently? • Storing credentials directly into a repo
  • 11.
    @danaluther Isn't it alreadysafe? …Ish. It depends - how are you storing it currently? • Storing credentials directly into a repo • Readable by anyone with access to that repo
  • 12.
    @danaluther Isn't it alreadysafe? …Ish. It depends - how are you storing it currently? • Storing credentials directly into a repo • Readable by anyone with access to that repo • Exposed in coverage reports or anything that includes the source code in analysis or reporting displays
  • 13.
    @danaluther Isn't it alreadysafe? …Ish. It depends - how are you storing it currently? • Storing credentials directly into a repo • Readable by anyone with access to that repo • Exposed in coverage reports or anything that includes the source code in analysis or reporting displays • Storing credentials in ENV variables
  • 14.
    @danaluther Isn't it alreadysafe? …Ish. It depends - how are you storing it currently? • Storing credentials directly into a repo • Readable by anyone with access to that repo • Exposed in coverage reports or anything that includes the source code in analysis or reporting displays • Storing credentials in ENV variables • Exposed via phpinfo, server dumps, or to anyone who has compromised the server
  • 15.
    @danaluther Isn't it alreadysafe? …Ish. It depends - how are you storing it currently? • Storing credentials directly into a repo • Readable by anyone with access to that repo • Exposed in coverage reports or anything that includes the source code in analysis or reporting displays • Storing credentials in ENV variables • Exposed via phpinfo, server dumps, or to anyone who has compromised the server • Not static and has the potential to be modi fi ed nefariously
  • 16.
    @danaluther Does it reallymatter? I don’t know … does it?
  • 17.
    @danaluther Does it reallymatter? I don’t know … does it? • How important is the service or information being used?
  • 18.
    @danaluther Does it reallymatter? I don’t know … does it? • How important is the service or information being used? • How big is the impact if that service is accessed by another?
  • 19.
    @danaluther Does it reallymatter? I don’t know … does it? • How important is the service or information being used? • How big is the impact if that service is accessed by another? • Is the credential the sole key to access, or is does the service have additional factors in play?
  • 20.
    @danaluther Does it reallymatter? I don’t know … does it? • How important is the service or information being used? • How big is the impact if that service is accessed by another? • Is the credential the sole key to access, or is does the service have additional factors in play? • What is the risk level compared to the technical debt?
  • 21.
    @danaluther Does it reallymatter? I don’t know … does it? • How important is the service or information being used? • How big is the impact if that service is accessed by another? • Is the credential the sole key to access, or is does the service have additional factors in play? • What is the risk level compared to the technical debt? • Does the information get published into your application as part of the public UI?
  • 22.
    @danaluther Sample API Object Classwith public API credential property class SampleObject { public string $myApiKey = 'ABC1234'; public function connect() { / / Do something with $myApiKey here } }
  • 23.
    @danaluther Sample API Object Classwith public API credential property class SampleObject { public string $myApiKey = 'ABC1234'; public function connect() { / / Do something with $myApiKey here } } new ExampleSampleObject()
  • 24.
    @danaluther Sample API Objectv2 Class with API credential property class SampleObjectMoreSecure { private string $myApiKey = 'ABC1234'; public function connect() { / / Do something with $myApiKey here } }
  • 25.
    @danaluther Sample API Objectv2 Class with API credential property class SampleObjectMoreSecure { private string $myApiKey = 'ABC1234'; public function connect() { / / Do something with $myApiKey here } } new ExampleSampleObjectMoreSecure()
  • 26.
    @danaluther Sample API Objectv3 Class with constructed private API credential property class SampleObjectConstructed { private string $_myApiKey; public function __construct(string $apiKey) { $this - > _myApiKey = $apiKey; } public function connect() { / / Do something } }
  • 27.
    @danaluther Sample API Objectv3 Class with constructed private API credential property class SampleObjectConstructed { private string $_myApiKey; public function __construct(string $apiKey) { $this - > _myApiKey = $apiKey; } public function connect() { / / Do something } } new ExampleSampleObjectConstructed('Someothervalue')
  • 28.
    @danaluther Sample API Objectv3 with $_ENV Class with constructed private API credential property class SampleObjectConstructed { private string $_myApiKey; public function __construct(string $apiKey) { $this - > _myApiKey = $apiKey; } public function connect() { / / Do something } }
  • 29.
    @danaluther Sample API Objectv3 with $_ENV Class with constructed private API credential property class SampleObjectConstructed { private string $_myApiKey; public function __construct(string $apiKey) { $this - > _myApiKey = $apiKey; } public function connect() { / / Do something } } new ExampleSampleObjectConstructed($_ENV['MY_SECRET_KEY'])
  • 30.
    @danaluther Sample API Objectv3 with $_ENV Class with constructed private API credential property class SampleObjectConstructed { private string $_myApiKey; public function __construct(string $apiKey) { $this - > _myApiKey = $apiKey; } public function connect() { / / Do something } } new ExampleSampleObjectConstructed($_ENV['MY_SECRET_KEY'])
  • 31.
    @danaluther Dependency Injection Containers So,what is it and how does it help us??
  • 32.
    @danaluther Dependency Injection Containers So,what is it and how does it help us?? • Does NOT help to solve the issue of fi le based credentials.
  • 33.
    @danaluther Dependency Injection Containers So,what is it and how does it help us?? • Does NOT help to solve the issue of fi le based credentials. • Does help to solve the issue of class based or variable credential strings.
  • 34.
    @danaluther Dependency Injection Containers So,what is it and how does it help us?? • Does NOT help to solve the issue of fi le based credentials. • Does help to solve the issue of class based or variable credential strings. • Creates a map that de fi nes the default properties to be assigned to an object when that object is created via the container.
  • 35.
    @danaluther Don’t reinvent thewheel. https://packagist.org
  • 36.
    @danaluther Add your DIpackage to composer composer.json { "require": { "yiisoft/di": "^3.0.x - dev", "yiisoft/injector": "^1.0", "yiisoft/definitions": "^3.0.x - dev" } }
  • 37.
    @danaluther Install the composerpackages docker run --rm -v $PWD:/app composer update https://hub.docker.com/_/composer
  • 38.
    @danaluther Sample API Objectv3 with $_ENV via DI Constructor moved to DI Container require 'vendor/autoload.php'; use YiisoftDiContainer; $container = new Container([ ExampleSampleObjectConstructed : : class = > [ 'class' = > ExampleSampleObjectConstructed : : class, '__construct()' = > [$_ENV['MY_SECRET_KEY']] ], ]);
  • 39.
    @danaluther Sample API Objectv3 with $_ENV via DI Constructor moved to DI Container require 'vendor/autoload.php'; use YiisoftDiContainer; $container = new Container([ ExampleSampleObjectConstructed : : class = > [ 'class' = > ExampleSampleObjectConstructed : : class, '__construct()' = > [$_ENV['MY_SECRET_KEY']] ], ]);
  • 40.
    @danaluther Sample API Objectv3 with $_ENV via DI Constructor moved to DI Container require 'vendor/autoload.php'; use YiisoftDiContainer; $container = new Container([ ExampleSampleObjectConstructed : : class = > [ 'class' = > ExampleSampleObjectConstructed : : class, '__construct()' = > [$_ENV['MY_SECRET_KEY']] ], ]); $container - > get(ExampleSampleObjectConstructed : : class)
  • 41.
    @danaluther But is itsecret? Is it safe? Lets check those $_ENV vars …
  • 42.
    @danaluther But is itsecret? Is it safe? Lets check those $_ENV vars …
  • 43.
    @danaluther Docker Secrets What arethey and how do they help us?
  • 44.
    @danaluther Docker Secrets What arethey and how do they help us? • Does help to solve the issue of fi le based credentials.
  • 45.
    @danaluther Docker Secrets What arethey and how do they help us? • Does help to solve the issue of fi le based credentials. • Does help to solve the issue of class based or variable credential strings.
  • 46.
    @danaluther Docker Secrets What arethey and how do they help us? • Does help to solve the issue of fi le based credentials. • Does help to solve the issue of class based or variable credential strings. • Created as elements of a Docker stack and written to read-only fi les in the container they are attached to.
  • 47.
    @danaluther Docker Secrets What arethey and how do they help us? • Does help to solve the issue of fi le based credentials. • Does help to solve the issue of class based or variable credential strings. • Created as elements of a Docker stack and written to read-only fi les in the container they are attached to. • Can only be be modi fi ed by the stack when a new container is created.
  • 48.
    @danaluther Docker Secrets What arethey and how do they help us? • Does help to solve the issue of fi le based credentials. • Does help to solve the issue of class based or variable credential strings. • Created as elements of a Docker stack and written to read-only fi les in the container they are attached to. • Can only be be modi fi ed by the stack when a new container is created. • Cannot be exposed through inspection via the stack or parent machine. Only visible in the container where it has been mounted.
  • 49.
    @danaluther What is Docker? (Jumpedahead there didn’t I…) https://www.docker.com
  • 50.
    @danaluther What is Docker? DockerHierarchy https://hub.docker.com
  • 51.
    @danaluther What is Docker? DockerHierarchy Image Container Service Stack https://hub.docker.com
  • 52.
    @danaluther Basic Stack forPHP Apache on :8080 docker-compose.yml https://docs.docker.com/compose/compose- fi le/ version: “3.7" services: php: image: php:7.4-apache ports: - 8080 : 80 volumes: - ./src:/var/ w w w /html
  • 53.
    @danaluther version: “3.7" services: php: image: php:7.4-apache ports: -8080 : 80 volumes: - ./src:/var/ w w w /html command:[ ‘bash’, ‘ - c’, ‘docker - php - ext - install - j$$(nproc) mysqli pdo_mysql & & apache2-foreground’ ] db: image: mysql environment: - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_pwd secrets: - db_pwd secrets: db_pwd: file: ./root_db_password.txt
  • 54.
    @danaluther version: “3.7" services: php: image: php:8.0-apache ports: -8080 : 80 volumes: - ./src:/var/ w w w /html command:[ ‘bash’, ‘ - c’, ‘docker - php - ext - install - j$$(nproc) mysqli pdo_mysql & & apache2-foreground’ ] db: image: mysql environment: - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_pwd secrets: - db_pwd secrets: db_pwd: file: ./root_db_password.txt
  • 55.
    @danaluther version: “3.7" services: php: image: php:8.1-rc—apache ports: -8080 : 80 volumes: - ./src:/var/ w w w /html command:[ ‘bash’, ‘ - c’, ‘docker - php - ext - install - j$$(nproc) mysqli pdo_mysql & & apache2-foreground’ ] db: image: mysql environment: - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_pwd secrets: - db_pwd secrets: db_pwd: file: ./root_db_password.txt
  • 56.
    @danaluther Deploy the Stackon a Swarm (Group of machines … or just one machine) > docker stack deploy - c docker - compose-8.yml test > docker swarm init
  • 57.
  • 58.
  • 59.
    @danaluther No swarm? Noproblem… > docker - compose up (Well, mostly no problem. No services list, secrets list, etc)
  • 60.
    @danaluther No swarm? Noproblem… > docker - compose up (Well, mostly no problem. No services list, secrets list, etc)
  • 61.
  • 62.
    @danaluther Creating a DockerSecret The secret is in the stack… … db: image: mysql environment: - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_pwd secrets: - db_pwd secrets: db_pwd: file: ./root_db_password.txt
  • 63.
    @danaluther Creating a DockerSecret The secret is in the stack… … db: image: mysql environment: - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_pwd secrets: - db_pwd secrets: db_pwd: file: ./root_db_password.txt
  • 64.
  • 65.
  • 66.
    @danaluther Inspect the containerfor the secret docker container inspect
  • 67.
    @danaluther Inspect the containerfor the secret docker container inspect > docker container inspect $(docker ps - lq - f name=test_db) > docker container inspect ff8dc39f919f > docker container inspect test_db.1.l8enz0qx7x8zci4156gh7i0qy
  • 68.
    @danaluther Inspect the containerfor the secret docker container inspect > docker container inspect kiskis_db_1 > docker container inspect 378020331e87 > docker container inspect $(docker ps - lq - f name=test_db) > docker container inspect ff8dc39f919f > docker container inspect test_db.1.l8enz0qx7x8zci4156gh7i0qy
  • 69.
    @danaluther Inspect the containerfor the secret docker container inspect
  • 70.
    @danaluther Inspect the containerfor the secret docker container inspect
  • 71.
    @danaluther Inspect the containerfor the secret docker container inspect
  • 72.
  • 73.
  • 74.
    @danaluther Can the containerchange the secret? Nope!!
  • 75.
    @danaluther Can *I* changethe secret? Yes, yes I can.
  • 76.
    @danaluther Can *I* changethe secret? Yes, yes I can. If I used docker stack deploy.
  • 77.
    @danaluther Updating a DockerSecret (Ok, you can’t actually update it, you have to replace it.) > docker secret create db_pwd.2 updatedcontent.txt
  • 78.
    @danaluther Updating a DockerSecret (Ok, you can’t actually update it, you have to replace it.) > docker service update - - secret - rm test_db_pwd - - secret - add src=db_pwd.2,target=db_pwd test_db
  • 79.
    @danaluther Confirm the update Updatingthe service launched a new container with a new secret. New: Original:
  • 80.
    @danaluther Great, but Idon’t care about the database… Right - lets put the secret to use in our DI container
  • 81.
    @danaluther Great, but Idon’t care about the database… Right - lets put the secret to use in our DI container
  • 82.
    @danaluther Sample API Objectv3 with $_ENV via DI Constructor moved to DI Container require 'vendor/autoload.php'; use YiisoftDiContainer; $container = new Container([ ExampleSampleObjectConstructed : : class = > [ 'class' = > ExampleSampleObjectConstructed : : class, '__construct()' = > [$_ENV['MY_SECRET_KEY']] ], ]); $container - > get(ExampleSampleObjectConstructed : : class)
  • 83.
    @danaluther Sample API Objectv3 with $_ENV via DI Constructor moved to DI Container require 'vendor/autoload.php'; use YiisoftDiContainer; $container = new Container([ ExampleSampleObjectConstructed : : class = > [ 'class' = > ExampleSampleObjectConstructed : : class, '__construct()' = > [$_ENV['MY_SECRET_KEY']] ], ]); $container - > get(ExampleSampleObjectConstructed : : class)
  • 84.
    @danaluther PHP stack withsecrets version: "3.7" services: php: image: php:8.1-rc - apache ports: - 8081 : 80 volumes: - ./src:/var/ w w w /html environment: - MY_SECRET_KEY=SomeKeyValue secrets: - hiddenkey - hiddenkey2 secrets: hiddenkey: file: ./secrets/secret - key - val.txt hiddenkey2 : file: ./secrets/secret - key - val2.txt
  • 85.
    @danaluther Deploy the Stackon a Swarm (Don’t need to init, just re-deploy for updates) > docker stack deploy - c docker - compose-8-1-nodb.yml test
  • 86.
    @danaluther Sample API Objectv3 with secret via DI Container populated from secret require 'vendor/autoload.php'; use YiisoftDiContainer; $container = new Container([ ExampleSampleObjectConstructed : : class = > [ 'class' = > ExampleSampleObjectConstructed : : class, '__construct()' = > [file_get_contents('/run/secrets/hiddenkey')] ], ]);
  • 87.
    @danaluther Sample API Objectv3 with secret via DI Container populated from secret require 'vendor/autoload.php'; use YiisoftDiContainer; $container = new Container([ ExampleSampleObjectConstructed : : class = > [ 'class' = > ExampleSampleObjectConstructed : : class, '__construct()' = > [file_get_contents('/run/secrets/hiddenkey')] ], ]); $container - > get(ExampleSampleObjectConstructed : : class)
  • 88.
    @danaluther Define multiple objectsin the container Multiple classes, multiple con fi gurations of one class $container = new Container([ ExampleSampleObjectConstructed : : class = > [ 'class' = > ExampleSampleObjectConstructed : : class, '__construct()' = > [file_get_contents('/run/secrets/hiddenkey')] ], ExamplePartnerConfigIdentifier : : OPT_CONFIG_1 = > [ 'class' = > ExampleSampleObjectConstructed : : class, '__construct()' = > [file_get_contents('/run/secrets/hiddenkey2')] ], ExamplePartnerConfigIdentifier : : OPT_CONFIG_2 = > [ 'class' = > ExampleSampleObjectConstructed : : class, '__construct()' = > ['You can read me in the source repo.'] ], ]);
  • 89.
    @danaluther Using constants tokeep things tidy (Yes, it wants to be an enum, but we’re 7.4 compatible currently) class PartnerConfigIdentifier { public const DEFAULT_CONFIG = self : : class.':default'; public const OPT_CONFIG_1 = self : : class.':opt1'; public const OPT_CONFIG_2 = self : : class.':opt2'; public const OPT_CONFIG_3 = self : : class.':opt3'; }
  • 90.
    @danaluther Using constants tokeep things tidy (Yes, it wants to be an enum, but we’re 7.4 compatible currently) class PartnerConfigIdentifier { public const DEFAULT_CONFIG = self : : class.':default'; public const OPT_CONFIG_1 = self : : class.':opt1'; public const OPT_CONFIG_2 = self : : class.':opt2'; public const OPT_CONFIG_3 = self : : class.':opt3'; }
  • 91.
    @danaluther Create multiple objectsvia the container $container - > get(ExampleSampleObjectConstructed : : class); $container - > get(ExamplePartnerConfigIdentifier : : OPT_CONFIG_1); $container - > get(ExamplePartnerConfigIdentifier : : OPT_CONFIG_2);
  • 92.
    @danaluther Questions?? Ask now ortweet at me if you think of it later! https://www.linkedin.com/in/danaluther dluther@envisageinternational.com https://joind.in/talk/78c5b 🤔 ? ? ? ? https://github.com/DanaLuther/kiskis