ScotterMonk / scottswain

This project is in support of efforts to hire python engineers.
MIT License

Issue 05-Fix our secrets in code #7

Closed ScotterMonk closed 1 week ago

ScotterMonk commented 1 week ago

Security Concern: Sensitive Data Exposure in Config Files

Background

Our compliance team has identified a critical security vulnerability in our application. Credentials and other sensitive information are currently stored in plain text within our source code, specifically in the config.py file. This practice poses significant risks to our operations and violates OWASP security best practices.

Risks

  1. Data Breach: Unauthorized access to our systems if source code is compromised.
  2. Compliance Violations: Potential non-compliance with data protection regulations (e.g., GDPR, CCPA).
  3. Insider Threats: Increased risk from internal bad actors with access to source code.
  4. Reputational Damage: Loss of customer trust if a breach occurs due to this vulnerability.

Requirements

  1. Remove all sensitive information (credentials, API keys, etc.) from config.py and any other source code files.
  2. Implement a secure method for storing and accessing sensitive information, following OWASP best practices.
  3. Update documentation to reflect new secure practices for handling sensitive data.
  4. Conduct a thorough review of all code repositories to ensure no other instances of exposed sensitive data.

Acceptance Criteria

Priority

High - This issue poses an immediate security risk and should be addressed as soon as possible.

Additional Notes

Please consult with the security team for recommended best practices on securely storing and accessing sensitive information. Consider using environment variables, secure vaults, or other approved methods.
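Added example (not from the issue or the scottswain repository): a Python config loader that reads secrets from environment variables and fails fast when one is missing, beside a small scanner for the kind of hardcoded literal assignment that requirement 4 asks reviewers to look for. The variable names APP_DB_PASSWORD and APP_API_KEY and the before/after config samples are assumptions made for the demonstration.

```python
import os
import re
from dataclasses import dataclass

# Names of the environment variables the application expects (assumed names).
REQUIRED_VARS = ("APP_DB_PASSWORD", "APP_API_KEY")

@dataclass(frozen=True)
class Settings:
    db_password: str
    api_key: str

def missing_vars(env):
    """Return the required variable names that are unset or empty in `env`."""
    return [name for name in REQUIRED_VARS if not env.get(name)]

def load_settings(env=None):
    """Build Settings from the environment, failing fast if anything is missing."""
    env = os.environ if env is None else env
    missing = missing_vars(env)
    if missing:
        raise RuntimeError("missing required environment variables: " + ", ".join(missing))
    return Settings(db_password=env["APP_DB_PASSWORD"], api_key=env["APP_API_KEY"])

# A credential-looking name assigned a quoted literal of four or more characters.
SECRET_ASSIGNMENT = re.compile(
    r"""(?i)\w*(password|passwd|secret|api_key|token)\w*\s*=\s*["'][^"']{4,}["']"""
)

def find_hardcoded_secrets(source):
    """Return (line number, stripped line) for each suspicious literal assignment."""
    return [(n, line.strip()) for n, line in enumerate(source.splitlines(), 1)
            if SECRET_ASSIGNMENT.search(line)]

# Constructed samples standing in for config.py before and after the fix.
BEFORE_CONFIG = '''# config.py (constructed "before" sample)
DB_HOST = "db.internal"
DB_PASSWORD = "hunter2"
API_KEY = 'sk-live-0000'
'''

AFTER_CONFIG = '''# config.py (constructed "after" sample)
import os
DB_HOST = os.environ.get("APP_DB_HOST", "db.internal")
DB_PASSWORD = os.environ["APP_DB_PASSWORD"]
API_KEY = os.environ["APP_API_KEY"]
'''
```

The scanner is a coarse first pass for a repository review; it flags placeholders such as `api_key = "changeme"` too, so treat its output as a list to triage rather than a verdict.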

ScotterMonk commented 1 week ago

PR: https://github.com/ScotterMonk/scottswain/pull/8 SOLUTION

RECOMMENDATIONS