I'm seeing a trend when deploying web apps to PaaS where the config is typically defined in environmental variables, e.g. Azure Functions or .NET Core APIs.

Assuming this has been done to follow good practice to ensure secrets do not end up in code / source control. And that it is actioned by a release management system so that there are different secrets per environment i.e. dev, staging, prod. Or perhaps stored in a keyvault (in the case of Azure) and then the application has permission to get the secret at runtime at first load.... i.e. the developer has good intentions.

The reasoning is all well and good, but the secrets still end up in an - easily accessible - environmental variable.

Back in ye olden days (a year or so ago!) of fully fledged ASP.NET, we would encrypt the web.config's connection strings using a machine key, so at least the physical file didn't pose a threat.

Do environmental variables assume that an attacker cannot execute code at runtime?

Or do frameworks / PaaS offerings typically have other forms of protection over the environmental variables? I have a vague recollection of perhaps Heroku providing additional security measures.

I suppose anything sensitive should be stored in a keyvault (or similar), easily rotated, audit logged, using defence in depth precautions etc. etc., but I'm wondering: is the trend of environmental variables a bad security smell, or do the frameworks that promote this provide adequate protection for mildly :-) secret secrets?

Alex KeySmith