𝗛𝗶𝗱𝗶𝗻𝗴 𝗶𝘀 𝗡𝗼𝘁 𝘁𝗵𝗲 𝗦𝗮𝗺𝗲 𝗮𝘀 𝗦𝗲𝗰𝘂𝗿𝗶𝗻𝗴

A non-engineer executive recently built a B2B SaaS in two days. They used AI to write everything. The product works. Customers use it. Features ship fast.

Then I inherited the infrastructure. My job is to find the risks in code that already runs in production.

I found a massive security flaw. The API key was hardcoded directly in the source code.

I told the executive this was dangerous. They fixed it immediately.

The key was gone from the code, but now it was in the README file as a setup step. The secret moved from the code to the documentation. It was still inside the repository. It was actually easier to find now.

I explained the problem again. This time, they moved the key to the database.

That felt like progress. The key was out of the repository. But when I checked the database, the key sat there in plaintext. There was no encryption. Anyone with database access could read it.

The key moved three times:

1. Hardcoded in the source code.
2. Pasted into the README as a setup step.
3. Stored in plaintext in the database.

The location changed, but the security did not improve. They were hiding the secret, not securing it.

Hiding means putting something out of sight. Securing means making it useless to an attacker who finds it: the value is not in the repository at all, it is encrypted or held by a secrets manager at rest, and only the component that needs it can read it.

In software, you must follow these rules:

1. Never hardcode a secret in source code.
2. Never put a secret in documentation or anywhere else in the repository. A secret that was ever committed is in the git history and should be treated as leaked and rotated.
3. Never store a secret in plaintext at rest. Keep it in a secrets manager or encrypt it, and limit who can read it to the service that needs it.
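As an added example (not code from the post or from the product it describes), here is a small Python scanner that treats the repository the way an attacker would: it checks every file, not just source, so the key turns up whether it sits in code, in the README or in a SQL seed file, which makes "moved" and "fixed" visibly different. Next to it is the loading pattern that keeps the key out of the repository entirely. The file names, the snapshot contents, the regex patterns and the key value are all constructed for illustration; the key is fake.

```python
"""Hiding vs. securing a secret: a scanner that finds a key wherever it was
moved, and a loader that keeps it out of the repository.

Added example, not from the original post. The file names, the repository
snapshot and the key below are constructed for illustration; the key is fake.
"""
import re
from typing import Dict, List, Tuple

# Constructed, fake key for the demo (not a real credential).
FAKE_KEY = "sk_live_4f9a2c7e1b8d6a3f0c5e9b2d7a1f4c8e"

# Constructed repo snapshot: the three places the post's key ended up.
REPO_SNAPSHOT: Dict[str, str] = {
    # Move 1: hardcoded in source.
    "app/billing.py": (
        "import requests\n"
        f'API_KEY = "{FAKE_KEY}"\n'
        "def charge(amount):\n"
        "    return requests.post(url, headers={'Authorization': API_KEY})\n"
    ),
    # Move 2: "fixed" by relocating it to the README as a setup step.
    "README.md": (
        "## Setup\n"
        f"Run `export API_KEY={FAKE_KEY}` before starting the app.\n"
    ),
    # Move 3: a dump of the settings table, still plaintext.
    "db/seed.sql": (
        "INSERT INTO settings (name, value) VALUES\n"
        f"  ('api_key', '{FAKE_KEY}');\n"
    ),
}

# What the same files look like once the key actually left the repository.
HARDENED_SNAPSHOT: Dict[str, str] = {
    "app/billing.py": "import os\nAPI_KEY = os.environ['API_KEY']\n",
    "README.md": "## Setup\nSet API_KEY in your secrets manager; it is never committed.\n",
}

# Two detectors: a generic "name = value" pattern and a vendor-style prefix.
# Both are illustrative; real scanners carry many more rules.
SECRET_PATTERNS = [
    re.compile(r"(?i)(?:api[_-]?key|secret|token)\W{0,5}([A-Za-z0-9_\-]{20,})"),
    re.compile(r"\bsk_(?:live|test)_[A-Za-z0-9]{16,}\b"),
]

Finding = Tuple[str, int, str]  # (path, line number, redacted value)


def redact(secret: str) -> str:
    """Show only the last 4 characters: enough to identify which key leaked,
    not enough to reuse it in a report or a log line."""
    if len(secret) <= 4:
        return "****"
    return "*" * (len(secret) - 4) + secret[-4:]


def scan_repo(files: Dict[str, str]) -> List[Finding]:
    """Scan every file in the tree, including docs and SQL, and report each
    line holding a secret-looking value. One finding per line is enough."""
    findings: List[Finding] = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for pattern in SECRET_PATTERNS:
                m = pattern.search(line)
                if m:
                    value = m.group(m.lastindex or 0)
                    findings.append((path, line_no, redact(value)))
                    break
    return findings


def load_api_key(env: Dict[str, str]) -> str:
    """Hardened loading: the value is injected at runtime (environment populated
    by a secrets manager or the deployment platform) and never lives in the
    repository. Fails closed rather than falling back to a built-in default."""
    key = env.get("API_KEY")
    if not key:
        raise RuntimeError("API_KEY is not set; refusing to start without it")
    return key


if __name__ == "__main__":
    for path, line_no, hint in scan_repo(REPO_SNAPSHOT):
        print(f"{path}:{line_no}: secret-looking value {hint}")
    print("hardened snapshot findings:", scan_repo(HARDENED_SNAPSHOT))
    print("loaded key:", redact(load_api_key({"API_KEY": FAKE_KEY})))
```

Running it reports one hit in each of the three files of the first snapshot and none in the hardened one; each of the three "fixes" in the post would have failed the same check. In practice you would run a dedicated scanner such as gitleaks or trufflehog in CI and over the full git history rather than a two-pattern script, and rotate any key the scanner finds, since the old value stays in history even after the line is deleted.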

This happened even though the executive used the most advanced AI models available.

AI is built to give you code that runs. It will happily write code that contains a plaintext secret if you do not tell it otherwise. The AI provides capability, but it does not automatically provide safety.

Intelligence only becomes safety when you know what to protect.

If you think you fixed a security hole just because you moved it, stop. Ask yourself:

1. Did I make the secret useless to an attacker, or did I only move it?
2. Who can read it in its new location, and is that everyone with access to the repo, the docs or the database?
3. Is the old copy still in the git history, and has the key been rotated?

A secret belongs in the right place, not just an invisible place.

Source: https://dev.to/jun_uen0/playing-hide-and-seek-with-an-api-key-our-cfos-claude-code-kept-hiding-job

Optional learning community: https://t.me/GyaanSetuAi