Sharing my code has improved my security vigilance

https://github.com/halemiles/ansible-playbooks

Don’t show your hand

I’ve always been taught to keep your secrets safe and to ensure you never reveal them to anyone. The same applies to code: keep secrets out of your configurations unless you intend to show your hand to someone else. The same should be said for scripts, playbooks and dotfiles, all locked away from prying eyes, right?

I think this is a necessary habit for anyone who writes code. Publishing my code has given me a much higher appreciation for keeping my secrets secret. The twist in my approach to security came when I decided to share some assets in my public GitHub repositories. Here’s how posting my Ansible playbooks, dotfiles and scripts transformed my mindset and helped me become more vigilant about security.

Being transparent

By posting my Ansible playbooks, dotfiles, and scripts on a public platform such as GitHub, I can put my work under the scrutiny of the open-source community. Transparency has forced me to take more accountability for the quality and security of my code. I can’t be complacent or take shortcuts that might lead to breaches. It’s risky, but it’s the right amount of pressure to help me think twice before posting.

Steep learning curve

Sharing my code means others can review it and contribute. Peer reviews not only enhance the security of my projects but also accelerate my learning. I will therefore learn quickly, and the hard way. #toughlove

Automate it

I can also cheat slightly here. Git hooks, linters and other tools can help me avoid committing a secret in the first place. There are many on the GitHub Explore page or through a search engine of your choice.
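As an added example (not code from the repository linked above), here is a minimal POSIX sh pre-commit hook of the kind this paragraph describes: it scans staged files for secret-looking lines and refuses the commit if it finds any. The regexes, the allow-list marker and the two constructed sample YAML files are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the repository linked above): a minimal pre-commit
# hook that refuses a commit when a staged file contains a secret-looking line.
# Install: copy to .git/hooks/pre-commit in the repo and chmod +x it.

# Patterns are assumptions; extend them for the credential types you handle.
# 1) PEM private key header  2) AWS access key id  3) key: value with a long literal
PATTERN='BEGIN (RSA|EC|OPENSSH|DSA) PRIVATE KEY|AKIA[0-9A-Z]{16}|(password|passwd|api_key|secret|token)[[:space:]]*[:=][[:space:]]*[^[:space:]]{8,}'

# A line carrying this marker is deliberately allowed (e.g. a documented dummy value).
ALLOW_MARKER='# allow-secret'

# scan_file FILE: report offending lines on stderr; return 1 if any, else 0.
scan_file() {
    hits=$(grep -E -n -i "$PATTERN" "$1" 2>/dev/null | grep -v -F "$ALLOW_MARKER")
    [ -z "$hits" ] && return 0
    printf 'secret-like content in %s:\n%s\n' "$1" "$hits" >&2
    return 1
}

# scan_staged: run scan_file over every added/copied/modified staged file
# (simple word splitting: paths containing spaces are not handled here).
scan_staged() {
    rc=0
    for f in $(git diff --cached --name-only --diff-filter=ACM); do
        if [ -f "$f" ]; then scan_file "$f" || rc=1; fi
    done
    return $rc
}

# write_samples DIR: constructed sample variable files for a stand-alone run.
# The clean file references secrets through lookups instead of embedding them;
# the leaky file embeds a literal password and AWS's documented example key id.
write_samples() {
    cat > "$1/clean.yml" <<'EOF'
db_password: "{{ lookup('env', 'DB_PASSWORD') }}"
api_token: "{{ vault_api_token }}"
EOF
    cat > "$1/leaky.yml" <<'EOF'
db_password: Sup3rSecretPass!
aws_access_key: AKIAIOSFODNN7EXAMPLE
EOF
}

# When git runs this file as a hook, scan the staged files; otherwise demonstrate.
case "$0" in
    */hooks/pre-commit) scan_staged || exit 1 ;;
    *) d=$(mktemp -d); write_samples "$d"
       scan_file "$d/clean.yml" && echo "clean.yml: ok"
       scan_file "$d/leaky.yml" || echo "leaky.yml: blocked"
       rm -rf "$d" ;;
esac
```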

Conclusion

You could say, “But why post anything publicly?” You’re right, but keeping everything private means that bad habits kick in, and as they say, “You can’t mark your own essay.” Obviously there are still risks: I could accidentally commit a key or secret without realising. I’m trying to build a habit.

If you’re consciously thinking, “What if someone comments that I’ve missed something?”, then that will force you to think about other scenarios. However, there is a balance to strike with peer reviews.

At work I am constantly peer reviewed, and I review other people’s pull requests daily. If someone finds a problem with my code, I want to know about it. If I consciously think about what I’m posting, then I can reduce the chance of an embarrassing comment against my PR.