It's actually quite rare to lock doors at night in substantial parts of the world.


Exactly. Pragmatism has a place in this world. Not everywhere, not everywhen, but more than you might think.

Most of the people in my area don’t lock their doors. A decade ago in a very different neighborhood we had locks, alarm systems, and hyper-vigilance, and still lost thousands via property theft and damage. 5 miles away.

It would be maladaptive of me to bring the same level of vigilance to a different setting. It wastes resources and clouds one’s ability to trust. It slows you down every day.

I don’t know how I could have been more clear that I don’t endorse committing secrets to code; in fact I’ve been a champion for code hygiene and security everywhere I work. I just recognize, and think others should as well, that there are diminishing returns for precautions where they aren’t used. The returns can diminish so low that they go negative.

Even in the safe neighborhood, one might lock up when they leave for a trip, or make other reasonable preparations to increase security and obscurity.

Yes, I said everywhen, and yes I am asserting that I just coined it and that it’s brimming with greatness :P



TIL and thank you for it. I officially retract my meaningless claim of being its originator.


"Everywhy" is available so you can originate that.


Everywhom and their grandwhom has claimed to originate everywhy at least once.


Are you also doing that with secret (not anymore) data in public repositories on GitHub? Note the context of your comment, in a thread about secret scanning for public repositories on GitHub.


I do most of my work on private codebases so I went that direction. I had intended to add a qualifier for that but I missed my window to edit.

Agreed, there are many ways that working with public repos makes everything dramatically more difficult. I’m pleased to see GHAS secret scanning become free. I’m not clear if that would include the pre-push secret scanning feature. If so, you have a really decent toolset for prevention and detection. Remediation should be as easy as key rotation. Except keys get reused and rotation affects all users... if the keys can’t be rotated it’s a big chore for private repo owners, but de facto impossible with public codebases. There is no way of knowing who has cloned it (without paying for enterprise audit logs).
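A minimal local pre-push secret check of the kind the comment above mentions, added here as an example; it is not GitHub's scanner or any commenter's code. It reads git's pre-push stdin protocol, scans only lines added in the commits about to be pushed, and blocks the push on a match. The three credential patterns are assumed well-known prefixes, not an exhaustive list.

```python
import re
import subprocess
import sys

# Assumed common credential formats (well-known prefixes); a real scanner has many more.
SECRET_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}


def find_secrets(diff_text):
    """Return (pattern_name, new_side_line_no, line) for each added diff line that matches."""
    findings = []
    new_line_no = 0
    for line in diff_text.splitlines():
        if line.startswith("@@"):
            # Hunk header "@@ -a,b +c,d @@": reset the line counter for the new side.
            m = re.search(r"\+(\d+)", line)
            new_line_no = int(m.group(1)) - 1 if m else 0
            continue
        if line.startswith("+++") or line.startswith("---"):
            continue  # file headers, not content
        if line.startswith("+"):
            new_line_no += 1
            for name, pat in SECRET_PATTERNS.items():
                if pat.search(line):
                    findings.append((name, new_line_no, line[1:]))
        elif not line.startswith("-"):
            new_line_no += 1  # context line also advances the new side
    return findings


def main():
    zero = "0" * 40
    # pre-push stdin: "<local ref> <local sha> <remote ref> <remote sha>" per ref being pushed.
    for ref_line in sys.stdin:
        _local_ref, local_sha, _remote_ref, remote_sha = ref_line.split()
        if local_sha == zero:
            continue  # branch deletion, nothing new to scan
        # New remote branch: scan every commit reachable from local_sha; otherwise only the new ones.
        rng = local_sha if remote_sha == zero else f"{remote_sha}..{local_sha}"
        patches = subprocess.run(["git", "log", "-p", "--format=", rng],
                                 capture_output=True, text=True, check=True).stdout
        findings = find_secrets(patches)
        for name, lineno, text in findings:
            print(f"push blocked: {name} on new-side line {lineno}: {text[:40]}", file=sys.stderr)
        if findings:
            sys.exit(1)


if __name__ == "__main__":
    main()
```

Installed as `.git/hooks/pre-push`, this is prevention only; anything that already reached a public remote still needs rotation, as the comment says.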