Which practice is recommended for handling sensitive data in code (for example, credentials)?

Prepare for the Code Standards and Practices Level 1 Test. Test yourself with multiple choice questions, flashcards, and explanations. Ensure success with our comprehensive study materials!

Multiple Choice

Which practice is recommended for handling sensitive data in code (for example, credentials)?

Explanation:
Handling sensitive data in code hinges on keeping secrets out of the codebase and controlling how they’re accessed. The best practice is to avoid hard-coding credentials or storing them in plain text within source files. Instead, use a secure storage or secret management system (a vault or cloud secret service) and retrieve the credentials at runtime. This approach reduces the risk of exposure if the code is shared, checked into version control, or included in backups. Why this approach works: hard-coding credentials ties them directly to the code, meaning anyone with access to the repository or its history can see them. Storing secrets in plain text in source files similarly exposes them through the file system and version control. Logging credentials is dangerous because logs can be read by operators, stored, and searched, potentially exposing secrets. By keeping secrets in a dedicated secure store and minimizing where they appear (and by redacting or avoiding logging them), you significantly lower the chance of leakage. Practical tips: use secret managers or vaults (for example, AWS Secrets Manager, HashiCorp Vault, Azure Key Vault, or Google Secret Manager), fetch secrets at startup or on demand, rotate credentials regularly, enforce least privilege, and avoid printing sensitive values in error messages. In development, use placeholder values and automate the retrieval process in a way that mirrors production. Overall, securing secrets means separating them from the code, using trusted storage, and restricting where and how they can be exposed.

Handling sensitive data in code hinges on keeping secrets out of the codebase and controlling how they’re accessed. The best practice is to avoid hard-coding credentials or storing them in plain text within source files. Instead, use a secure storage or secret management system (a vault or cloud secret service) and retrieve the credentials at runtime. This approach reduces the risk of exposure if the code is shared, checked into version control, or included in backups.

Why this approach works: hard-coding credentials ties them directly to the code, meaning anyone with access to the repository or its history can see them. Storing secrets in plain text in source files similarly exposes them through the file system and version control. Logging credentials is dangerous because logs can be read by operators, stored, and searched, potentially exposing secrets. By keeping secrets in a dedicated secure store and minimizing where they appear (and by redacting or avoiding logging them), you significantly lower the chance of leakage.

Practical tips: use secret managers or vaults (for example, AWS Secrets Manager, HashiCorp Vault, Azure Key Vault, or Google Secret Manager), fetch secrets at startup or on demand, rotate credentials regularly, enforce least privilege, and avoid printing sensitive values in error messages. In development, use placeholder values and automate the retrieval process in a way that mirrors production.

Overall, securing secrets means separating them from the code, using trusted storage, and restricting where and how they can be exposed.

More Multiple Choice Questions
Subscribe

Get the latest from Passetra

You can unsubscribe at any time. Read our privacy policy