• percent@infosec.pub
    link
    fedilink
    English
    arrow-up
    0
    ·
    1 day ago

    not creds that give access to the production system

    …Isn’t that what we’re talking about though? Or did I misunderstand the OP?

    Regardless, I’ll just clarify anyway: Developers should not have a plaintext .env that can be used to drop (or risk in any other way) production data.

    A practice like that is only as strong as the “weakest” member of the team – “Weakest” could mean the person who is the least careful, or least experienced, or least secure work computer/practices, etc. Scale up to 1,000+ engineers and the chances of disaster (data loss, leaks, etc.) greatly increase. That’s just the human factor. Add LLMs into the mix and it’s almost guaranteed.