Environment Variables: A Security Debate at PyCon Italia 2023
From the historic city of Florence, Italy, comes a new battle, one fought not with swords but with code and software architecture. The controversy surrounds the practice of using environment variables to store secrets in applications, which has been a topic of intense discussion at PyCon Italia 2023.
Mackenzie Jackson, a developer advocate at GitGuardian, takes us through the arguments both for and against this practice, following his presentation at the conference. He references Alexander Darby from Palo Alto Networks, who presented opposing viewpoints on this issue.
Environment variables are key-value pairs that can store vital data, such as API keys and secrets, database configurations, and more. They offer flexibility, allowing applications to adapt to various environments without code modifications. However, their use for storing sensitive data has raised security concerns.
Darby highlighted how an attacker, once they have gained access to a system, often dumps all environment variables, which can expose crucial data. This access makes it easier for an attacker to move into different systems and escalate their privileges. The core argument here is that while the use of environment variables makes an attacker’s job easier, this stage of attack implies that the system has already been significantly compromised.
Jackson, however, advocates for the use of environment variables. He points out how they can reduce the risk of secrets being hardcoded and leaked in source code, a significant issue that environment variables can help prevent by centralizing secret storage in a single .env file.
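One mitigation that sits between the two positions is to read secrets from the environment once at start-up and then remove them from the process environment, so that later environment dumps (crash reporters, child processes, a shell spawned from the compromised process) no longer contain them. The following is an added example written for this article, not code from either talk; the variable names and values are constructed for the demo.

```python
"""Read secrets from the environment once, then scrub them so that child
processes and later environment dumps no longer see them.

Added example for this article; API_TOKEN and DB_PASSWORD are constructed
names, and the values are placeholders."""
import os
import subprocess
import sys

SECRET_NAMES = ("API_TOKEN", "DB_PASSWORD")  # constructed names for the demo


def load_and_scrub(names=SECRET_NAMES):
    """Return the requested secrets and delete them from os.environ.

    Deleting from os.environ also calls unsetenv(), so the C-level environment
    that child processes inherit is updated, not just Python's copy of it.
    """
    secrets = {}
    for name in names:
        value = os.environ.pop(name, None)
        if value is not None:
            secrets[name] = value
    return secrets


def child_sees(name):
    """Spawn a child interpreter and report whether the variable is visible there.

    This stands in for any subprocess an attacker might run to dump the environment."""
    code = f"import os, sys; sys.exit(0 if {name!r} in os.environ else 1)"
    return subprocess.run([sys.executable, "-c", code]).returncode == 0


def demo():
    # Constructed sample: pretend the deployment injected these before start-up.
    os.environ["API_TOKEN"] = "demo-token-not-real"
    os.environ["DB_PASSWORD"] = "demo-password-not-real"
    before = child_sees("API_TOKEN")  # True: a child process inherits the variable
    secrets = load_and_scrub()
    after = child_sees("API_TOKEN")   # False: scrubbed before any child could read it
    return before, after, sorted(secrets)


if __name__ == "__main__":
    b, a, names = demo()
    print(f"child could read API_TOKEN before scrub: {b}, after: {a}; loaded {names}")
```

This narrows the exposure window but does not answer Darby's point in full: an attacker with code execution inside the process can still read the secrets the application holds in memory.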
In conclusion, the debate remains open. From a purely security-focused perspective, the use of more secure secrets managers is ideal, supporting Darby’s viewpoint. However, Jackson makes a compelling argument for the simplicity and effectiveness of environment variables in preventing basic security mistakes. Despite the heated discussions at PyCon Italia, one thing is clear: secrets management remains a challenging issue in cybersecurity, not only in Italy or Europe but worldwide.