Secure Coding Practices
Unlock the complete study guide + 1,040 practice questions across 16 full exams.
Bundled into the existing Designing, Deploying and Managing Network Automation Systems premium course — no separate purchase.
14-day money-back guarantee — no questions asked.
Included in this chapter:
- The three trust boundaries in automation code
- Validating and sanitizing input
- Authenticating with OAuth2 bearer tokens
- Verifying TLS and fixing certificate errors
- Handling secrets: managers, vaults, and env vars
- Exam-pattern recognition
Where a secret can live
| Property | Hardcoded in source | Environment variable | Ansible Vault | Secrets manager (Vault) |
|---|---|---|---|---|
| Kept out of git history | No | Yes | Ciphertext only | Yes |
| Protected at rest | No | No | Yes (symmetric) | Yes |
| Audited and rotated | No | No | No | Yes |
| Short-lived dynamic creds | No | No | No | Yes |
| Read at runtime, off disk | No | In process env | Decrypted in memory | Yes |
Decision tree
Cheat sheet
Unlock with Premium — includes all practice exams and the complete study guide.
References
- OWASP Top 10 A03:2021 Injection Whitepaper
- OWASP Input Validation Cheat Sheet (allow-list over deny-list) Whitepaper
- RFC 7950: The YANG 1.1 Data Modeling Language Whitepaper
- RFC 8040: RESTCONF Protocol Whitepaper
- Python subprocess: Security Considerations (shell=True vs shell=False)
- Python os.system (hands the whole string to the shell)
- RFC 6750: The OAuth 2.0 Authorization Framework: Bearer Token Usage Whitepaper
- Requests: Authentication (HTTP Basic auth)
- RFC 6749: The OAuth 2.0 Authorization Framework (sec 4.4 Client Credentials Grant) Whitepaper
- Cisco Catalyst Center Authentication API (X-Auth-Token, 60-minute lifetime, 401 on expiry)
- Requests: SSL certificate verification (verify, REQUESTS_CA_BUNDLE)
- ncclient Manager (hostkey_verify)
- Python ssl module (default hostname checking)
- Git: Rewriting History (a committed blob persists in history)
- GitLab secret detection
- HashiCorp Vault: Secrets engines (dynamic, short-lived credentials)
- Ansible Vault (encrypt at rest with a symmetric vault password)
- Python base64 module (reversible encoding, not encryption)