Integrations and Security, or Why Writting Integrations Makes one less Dogmatic
In my company, the security team is now checking the logs to see, if we are logging any credentials. Comes with the past as the startup, as we still have some very interesting decisions baked in the code.
So our team recently got a report, that they have found a new case of logging credentials. The reason why it happened is, that we are logging all the calls that we are making, and in some cases, the credentials are to be provided as the parameters to the URL.
Which, I will agree, it not the most secure way of having authentications.
Somebody else in my team took a note of them not being aware that there could be a credentials in the query parameters and that we will deal with this.
That somebody showed does not have as much experience in connecting with APIs, since it is not that infrequent case. But it also shows the pragmatism that some code is just bullshit and if we want to use it, we should just accept this.
But what we got in back from the security team was, that we should be be careful to never send the parameters in the requests, since this is not a secure. And how they had this case and prevented the use of query parameters in one of our services that we use and develop in our company. That there should never be a need to use credentials in the query parameters. It is just that insecure.
But we write integrations with 3th party services. We can't just walk to somebody in the office or jump on the Slack conversation or Zoom call, and tell them that they are idiots for their decisions. Usually done in a more polite way, but still.
So I like the reply that this teammate gave back. I am quoting below my favorite part:
But we saw multiple times that a lot of services out there don't follow most basic rules. So in this particular case there is not much we can do.
Code is written by people and one can not except all people to think the same. Or produce the same result. We are not a 6 sigma manufacturing company.
I can even see this in the way different teams are structured in our company. Our team is generally dealing with most smaller 3th party integrations, but we have 100s of them. And one thing that you quickly lose when you deal with the 3th party integrations is any kind of notions, how the code should be done.
The integration wants to use the credentials as the parameters? Well sure. They say they want to use the OAuth, but they want each person to create their own client id and client secret and use the client credentials flow to get their data? Sure. Do they want to to do some sort of byte magic vodo on credentials in order to authenticate? I hope they provide the working examples, because otherwise I am not sure what kind of black magic do they want me to do. Do they want to us guess at what when wrong, since on client error they return HTTP code 200 (OK) with no error messages? I mean, I will curse them, but then implement my own checks and move on.
You could say that our team is the one that is most startup in the energy in our office.
We still manage to have a very consistently looking code, simply because we mostly copy each other.
In the teams, that do not deal with that many third party integration, I can see a lot more rigid process of dealing with this. They have all these rules, and I had a working pull requests rejected, because I did not understand these rules.
I mean, I can sort of understand them. They do have an option to simply walk to another table and complain about the design decision of that person. If one does not want to look at the code that disturbs them, this is the easiest solution.
But I also saw that this leads to the constant discussions of how things should be done. Instead of, you know, actually working on the things in question.
Maybe this is why some people don't understand how could a team of a couple of people maintain all the integrations we have?
Does this lead to some non-optimal code in our case? 100% sure it does. But at least we will never get in the debate about which linter rules to use - we use the ones provided by default. Or any other similar stuff.