Domain 3 of 4 · Chapter 6 of 6

Secure Coding Practices

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Designing, Deploying and Managing Network Automation Systems premium course — no separate purchase.

14-day money-back guarantee — no questions asked.

Included in this chapter:

  • The three trust boundaries in automation code
  • Validating and sanitizing input
  • Authenticating with OAuth2 bearer tokens
  • Verifying TLS and fixing certificate errors
  • Handling secrets: managers, vaults, and env vars
  • Exam-pattern recognition

Where a secret can live

PropertyHardcoded in sourceEnvironment variableAnsible VaultSecrets manager (Vault)
Kept out of git historyNoYesCiphertext onlyYes
Protected at restNoNoYes (symmetric)Yes
Audited and rotatedNoNoNoYes
Short-lived dynamic credsNoNoNoYes
Read at runtime, off diskNoIn process envDecrypted in memoryYes

Decision tree

Is the value a secret?password, key, tokenPlain config in GitNeed audit, rotation,or dynamic creds?Secrets manager (Vault)Must it live in a repo file?Ansible Vaultencrypt at restEnvironment variableruntime, unauditedNever hardcode or commit a secret; base64 is encoding, not encryptiona decryption key stored beside its ciphertext protects nothingNoYesYesNoYesNo

Cheat sheet

  • Validate with allow-lists
  • Never concatenate untrusted input
  • Validate payloads against a schema
  • Avoid eval/exec/shell with input
  • Prefer scoped short-lived tokens
  • OAuth2 client-credentials flow
  • Refresh tokens on expiry
  • Send credentials only over verified TLS
  • Disabling TLS verification (verify=False) is an anti-pattern
  • Correct remediation for CERTIFICATE_VERIFY_FAILED
  • Never hardcode or commit secrets
  • Fetch secrets from a secrets manager
  • Environment variables and their limits
  • Ansible Vault encrypts at rest
  • Base64 is not encryption

Unlock with Premium — includes all practice exams and the complete study guide.

References

  1. OWASP Top 10 A03:2021 Injection Whitepaper
  2. OWASP Input Validation Cheat Sheet (allow-list over deny-list) Whitepaper
  3. RFC 7950: The YANG 1.1 Data Modeling Language Whitepaper
  4. RFC 8040: RESTCONF Protocol Whitepaper
  5. Python subprocess: Security Considerations (shell=True vs shell=False)
  6. Python os.system (hands the whole string to the shell)
  7. RFC 6750: The OAuth 2.0 Authorization Framework: Bearer Token Usage Whitepaper
  8. Requests: Authentication (HTTP Basic auth)
  9. RFC 6749: The OAuth 2.0 Authorization Framework (sec 4.4 Client Credentials Grant) Whitepaper
  10. Cisco Catalyst Center Authentication API (X-Auth-Token, 60-minute lifetime, 401 on expiry)
  11. Requests: SSL certificate verification (verify, REQUESTS_CA_BUNDLE)
  12. ncclient Manager (hostkey_verify)
  13. Python ssl module (default hostname checking)
  14. Git: Rewriting History (a committed blob persists in history)
  15. GitLab secret detection
  16. HashiCorp Vault: Secrets engines (dynamic, short-lived credentials)
  17. Ansible Vault (encrypt at rest with a symmetric vault password)
  18. Python base64 module (reversible encoding, not encryption)