Securing secret stuff from source control nosy parkers in general

Hi,

My information governance manager and DBAs are going to want to insist that any DB passwords are encrypted and hidden away. I’m struggling to find any reference to such tools in the documentation, but have found a useful reference in Stack Overflow (https://stackoverflow.com/questions/42077532/django-security-and-settings).

However I have found this package https://pypi.org/project/django-safe-settings/ which looks perfect. But has anyone used it?

Or should we invest in a product like SecretHub?
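One minimal pattern that keeps the password out of settings.py and out of the repository, as an added example that is not from the original post, django-safe-settings or SecretHub: credentials are read from environment variables (typically injected by the deployment tooling or a secrets manager), with a fallback to a JSON file stored outside the source tree, and startup fails if anything is missing. The function and file names are hypothetical, the PostgreSQL engine is assumed, and the stand-in exception replaces Django's `ImproperlyConfigured` so the snippet runs without Django installed.

```python
"""Build Django's DATABASES entry from secrets that are never committed.
Lookup order: environment variables first, then a JSON file outside the repo.
Added example; names are hypothetical."""
import json
from pathlib import Path


class ImproperlyConfigured(Exception):
    """Stand-in for django.core.exceptions.ImproperlyConfigured."""


REQUIRED = ("DB_NAME", "DB_USER", "DB_PASSWORD")


def read_secret_file(path):
    """Read a JSON secrets file that lives outside the source tree.

    Refuse a file readable by group/other, so a careless deployment fails
    fast instead of quietly exposing the password to every local account.
    """
    p = Path(path)
    if not p.exists():
        return {}
    if p.stat().st_mode & 0o077:
        raise ImproperlyConfigured(f"{p} is readable by group/other; chmod 600 it")
    return json.loads(p.read_text())


def database_settings(env, secret_file=None):
    """Return DATABASES['default'] from env (DB_* keys) then the secret file.

    Environment values override the file. A missing value raises rather than
    falling back to a hard-coded default, so a password can never be
    committed "temporarily" to make the app start.
    """
    secrets = read_secret_file(secret_file) if secret_file else {}
    merged = {**secrets, **{k: v for k, v in env.items() if k.startswith("DB_")}}
    missing = [k for k in REQUIRED if not merged.get(k)]
    if missing:
        raise ImproperlyConfigured(f"Missing database settings: {', '.join(missing)}")
    return {
        "ENGINE": "django.db.backends.postgresql",
        "NAME": merged["DB_NAME"],
        "USER": merged["DB_USER"],
        "PASSWORD": merged["DB_PASSWORD"],
        "HOST": merged.get("DB_HOST", "localhost"),
        "PORT": merged.get("DB_PORT", "5432"),
    }


# In settings.py (hypothetical wiring):
#   import os
#   DATABASES = {"default": database_settings(os.environ, os.environ.get("DB_SECRET_FILE"))}
```

The secrets file path itself is only a location, not a secret, so it can be set in the environment or documented for the DBAs without touching the repository.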

My first suggestion in this situation is to find out how they handle this across the company. I would be extremely surprised to find a situation where your Django app is the only automated process requiring authentication to a secured resource. You might need to dig deep to find other examples - and talking with those making the request may help reveal them.

What you want to do is identify what those other departments / functional areas are doing, and see if you can piggy-back on their efforts. That tends to be the easiest way to satisfy a compliance department.

I work for the National Health Service in the UK, so you’d think there would be plenty to work with…but I’ve spent the last month trying to find someone, anyone, doing the kind of work we’re doing (bespoke web apps). In those terms I appear to have a host of people hoping to follow in our footsteps, not the other way round. Our bioinformatics people, for all their Django experience, have only ever used Postgres and SQLite without any security - thankfully with nothing sensitive involved. Our IT people (I work outside our IT department) are 100% MS for the few bespoke apps they are allowed to write (the NHS is peculiarly wedded to buying systems). My colleagues in my team are faffing about with MS Access, like fleas clinging to the Aegis, waiting for me to deliver the goods on a plate for them, like everyone else.

This question is a slow burner. It’s going to be a month or two before I get to building anything that’s actually going to be deployed.

One of the keys toward finding the “common pattern” is that this issue is not exclusive to Django - or to any web application.

The root issue, common across many areas, is that you want to provide authentication to protected resources from automated processes. Whether it’s something like “daily account reconciliation” or “monthly report generation” or whatever, there are likely going to be programs that are running without human intervention that need access to data. (And that’s access to data, not just to databases. Periodic processing of text files, CSVs, etc., isn’t immune to these needs.)

This also holds true for purchased systems! It doesn’t matter where the systems were written, or by whom, the principle remains the same.

Start asking questions from that perspective, and you might uncover some things that had been swept under the rug.