Posts

Showing posts from June, 2019

Strings from a Security Perspective

There are times when you have to store secrets in your application. You wish to do it securely, but how exactly would you do that? It is more problematic than you think, and if you don't design your application around certain concepts, you will end up with a security nightmare that is nearly impossible to solve. Let's take a look at an example. Here we are using the popular S3 client from Amazon's official AWS SDK for .NET: AWSCredentials cred = new BasicAWSCredentials( "keyId" , "secretAccessKey" ); using (AmazonS3Client client = new AmazonS3Client(cred)) {     //do something with client } The problem here is that you are forced to enter the secret access key as a string, and strings are not designed around security best practices. In .NET, strings are garbage collected, in contrast to integers, DateTime and other data types, which are not garbage collected. It is not the only problem with strings, but let's take one issue at the t...