No big deal, Rogers, your internal source code and keys are only on the open web. Don't hurry to take it down Source code, internal user names and passwords, and private keys, for the website and online account systems of Canadian telecoms giant Rogers have been found sitting on the open internet. The leaked software, seemingly uploaded to GitHub by a Rogers engineer before they left the telco, is written in Java and powered various …
I REALLY don't understand that attitude from Rogers (not denying it's true)...
For Joe Random Company, IT can be seen as an expense... But for rogers it's their damn business ... they SUPPLY INTERNET.. lol
The sports thing I've never understood, I don't do sportsball and have never understood why my bank, phone company and former ISP are proud to be associated with sportsball.
""Having now seen Rogers’ standard of code, I have to point out that they should have set up server environment variables on the host machines, and then pulled any credentials and keys at run time," said Coulls. "
No they shouldn't, they should store / generate passwords in a password vault, keeping them away from any server and code until its needed for runtime and having it generate a new one at every start and interval.
There are a number of ways to do it. It mostly depends on how large of a farm, the topology/architecture, and the technologies involved. Centrify or Hashicorp's Vault are two examples that I can vouch for that work well in different environments. Considerations for on-prem only, on-prem/cloud hybrid, container based farms, etc all will change the "best answer" but the answer is definitely out there.
A co-worker just mentioned cyberark when I asked him, so there's a third possible for you.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
