Hacker News new | past | comments | ask | show | jobs | submit login

So, on "rotate your credentials", some of the things you'll need to do:

- Does your CI job query any system using a service account? Time to rotate that service account password. Hope it wasn't used by anything other than your CI system!

- Accessing systems using tokens instead of service accounts? Time to figure out how to invalidate those old tokens and gen a new one. (Also, time to find out if all the systems you use can do that)

- Using credentials as part of your build system, like downloading a for-pay plugin for a tool using a license key? Time to rotate those too.

- Time to rotate any license keys used at build-time.

- I hope you weren't using IAM users! If you weren't using instance profiles / task profiles, time to rotate those secret access keys. (some things you have to use IAM users for, like SES, iirc)

- Time to invalidate everything you built since they were first compromised, invalidate all your caches, and re-build all your artifacts from scratch.

- Time to see if you had any customer information / PII / PHI /etc accessible from your CI system.

- If you deploy from your CI system, it could be that every system is potentially compromised. In which case, get ready to re-deploy everything after you have flushed and re-built everything from above step.

- Start auditing, get PR to start drafting a sad letter to customers, and get someone to investigate how to reset customer passwords etc if needed.

Haha, yup. And if you sign an Android app in CI, Codecov might have had access to your signing keys. Good luck changing those.

Applications are open for YC Summer 2023

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact