Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://infosec.exchange/users/Lee_Holmes/statuses/113886044622103693">Lee Holmes :donor: (lee_holmes@infosec.exchange)'s status on Saturday, 25-Jan-2025 09:51:16 JST</a><a href="https://infosec.exchange/@Lee_Holmes" title="lee_holmes@infosec.exchange"><img src="https://gnusocial.jp/avatar/96673-48-20250307184913.webp" width="48" height="48" alt="Lee Holmes :donor:" style="position: absolute; left: 0; top: 0;">Lee Holmes :donor:</a></section><article><p>Had an interesting situation where AI coding helped make something _more_ secure.</p><p>I was writing a tool to connect to Azure AI, which requires an auth key. Some example code had this coming from an environment variable, which is a super common practice. So I asked AI if there was a way to make this more secure.</p><p>I was using Cursor, so it recommended (and implemented) a version where it securely prompted for the string at first launch and then stored the secret via keyring (Credential Manager on Windows). </p><p>Storing in keyring is far more secure, but realistically most people wouldn't do it by hand because the environment variable approach is "good enough." But because AI made it so easy, it actually got done.</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/4443179#notice-8694303">In conversation</a><time datetime="2025-01-25T09:51:16+09:00" title="Saturday, 25-Jan-2025 09:51:16 JST">about 2 months ago</time> <span>from <span><a href="https://infosec.exchange/@Lee_Holmes/113886044622103693" rel="external" title="Sent from infosec.exchange via ActivityPub">infosec.exchange</a></span></span><a href="https://infosec.exchange/@Lee_Holmes/113886044622103693">permalink</a></footer></blockquote>

Corresponding Notice

Embed this notice
Lee Holmes :donor: (lee_holmes@infosec.exchange)'s status on Saturday, 25-Jan-2025 09:51:16 JST Lee Holmes :donor:
Had an interesting situation where AI coding helped make something _more_ secure.
I was writing a tool to connect to Azure AI, which requires an auth key. Some example code had this coming from an environment variable, which is a super common practice. So I asked AI if there was a way to make this more secure.
I was using Cursor, so it recommended (and implemented) a version where it securely prompted for the string at first launch and then stored the secret via keyring (Credential Manager on Windows).
Storing in keyring is far more secure, but realistically most people wouldn't do it by hand because the environment variable approach is "good enough." But because AI made it so easy, it actually got done.
In conversationabout 2 months ago from infosec.exchangepermalink

Public

Embed Notice

HTML Code

Corresponding Notice