
Your organisation’s web applications and platforms are more than just tools; they are the lifeblood of customer engagement, data processing, and operational efficiency. But while the front-end may look sleek and functional, what’s happening “under the hood” can pose serious risks if left unchecked.

You don’t need to be a developer to ask the right questions about your organisation’s technology stack. You just need to know what to look out for. 

The Invisible Risks: Secrets, Keys, and Third-Party Dependencies 

Most modern applications rely on a complex web of technologies, frameworks, and third-party services. These layers often include: 

  • Runtimes and frameworks like Node.js and Laravel
  • Cloud services and APIs 
  • Open-source libraries
  • Environment configuration files (.env) 
  • Secrets and encryption keys 

These components are often invisible to the business side, yet they are critical to security. 

💡 Quick Tech Explainer 

Node.js is a runtime environment that allows developers to run JavaScript on the server side, often used for building fast, scalable web applications and APIs. 

Laravel is a PHP framework that simplifies web development with elegant syntax and built-in tools for routing, authentication, and database management. 

GitHub is the world’s largest code-hosting platform. Developers use it to store, share and collaborate on code for web, desktop and mobile applications, and a large share of the repositories on it are public, readable by anyone, including attackers.

Real-World Example 1: Node.js Vulnerabilities 

In January 2025, Node.js released security patches for all of its supported release lines, addressing high- and medium-severity issues. One vulnerability allowed the permission model to be bypassed through internal worker threads. Another flaw in the HTTP/2 implementation could cause a memory leak, leading to denial of service.

If your organisation runs Node.js and hasn’t moved to the patched release of whichever release line you use, you could be exposed, even though your app appears to be working perfectly. “Up to date” here means the latest patch release for your line (the fixes were backported to each supported line), not necessarily the newest major version.

Real-World Example 2: Laravel and the Danger of Leaked Secrets 

Laravel, a popular PHP framework, can be exposed to remote code execution if its application key (APP_KEY) is leaked. GitGuardian recently found over 260,000 Laravel APP_KEYs exposed in public GitHub repositories. The key is what Laravel uses to encrypt and sign session cookies and other sensitive data, so anyone holding it can forge valid sessions and, where the application deserialises decrypted cookie data, run arbitrary code on the server. And because APP_KEY lives in the same .env file as the database credentials, a leaked key usually means the rest of that file has leaked with it.

This isn’t just a developer problem. It is a business risk. Are you giving criminals the keys to your kingdom without knowing it? 

Third-Party Code: The Hidden Supply Chain 

Your web app might be built by a trusted developer or agency, but they are likely using dozens (or hundreds) of third-party packages. These packages can: 

  • introduce vulnerabilities if not regularly patched 
  • leak secrets if misconfigured 
  • be abandoned or compromised without your knowledge 

Ask yourself: Who’s responsible for monitoring these dependencies? How frequently are these dependencies being monitored? 

Secrets Management: What You Should Know 

Secrets include: 

  • API keys 
  • Database credentials 
  • Encryption keys 
  • Cloud access tokens 

These are often stored in .env files or configuration scripts. If one is accidentally pushed to a public GitHub repository, attackers who continuously scan public code will find it and use it, sometimes within minutes. Deleting the commit afterwards does not undo the exposure: a secret that has been public for any length of time must be treated as compromised and rotated.

What You Can Do 

Ensure your developers or application maintainers: 

  • keep .env files out of version control entirely (a .gitignore entry, not just a private repository, since private repositories can be made public or shared with contractors) and run secret scanning tools on every commit
  • rotate keys regularly, and immediately on any suspected exposure, and monitor public sources for leaks
  • use secret management platforms (e.g., HashiCorp Vault, AWS Secrets Manager) so the application fetches credentials at runtime instead of reading them from a committed file
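As an added illustration (example code written for this page, not a tool from the original article, from GitGuardian, or from GitHub), here is a small Python scanner of the kind a pre-commit hook or CI job would run over configuration files before they reach a repository. It flags well-known credential formats (a Laravel APP_KEY, an AWS access key ID, a GitHub token, a private-key block), flags generic SECRET/PASSWORD/TOKEN variables whose value looks random enough to be a live credential, skips values that merely reference an external secret store, and also flags APP_DEBUG=true, the debug-mode setting asked about in the questions further down. The regular expressions are this example’s own approximations of the documented token shapes, and the sample .env is constructed for the demo: the AWS values are Amazon’s published documentation placeholders and everything else is made up.

```python
"""Scan .env / config text for committed secrets and unsafe settings.

Added example for this page, not code from the article or from any real
scanner. It approximates what dedicated secret-scanning tools do: match
well-known credential formats, flag generic secret-looking variables whose
value has high Shannon entropy, and flag debug mode switched on.
"""
import math
import re
import sys

# Well-known credential shapes. These patterns are this example's own
# approximations of the documented token formats, not a vendor list.
KNOWN_PATTERNS = {
    "laravel_app_key": re.compile(r"^\s*APP_KEY\s*=\s*base64:[A-Za-z0-9+/]{40,}={0,2}\s*$"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Generic NAME=value lines whose variable name suggests a credential.
SECRET_VAR = re.compile(
    r"^\s*(?P<name>[A-Z0-9_]*(?:SECRET|PASSWORD|PASSWD|TOKEN|API_KEY|ACCESS_KEY)"
    r"[A-Z0-9_]*)\s*=\s*(?P<value>\S+)"
)
DEBUG_ON = re.compile(r"^\s*APP_DEBUG\s*=\s*(?:true|1)\s*$", re.IGNORECASE)

# Values that are clearly not live credentials.
PLACEHOLDERS = {"", "null", "none", "changeme", "secret", "password", "xxx"}


def shannon_entropy(value: str) -> float:
    """Bits per character; random keys score well above the 3.5 threshold."""
    if not value:
        return 0.0
    n = len(value)
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_config(text: str, entropy_threshold: float = 3.5) -> list:
    """Return (line_number, finding_kind) for each suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        known = [kind for kind, pat in KNOWN_PATTERNS.items() if pat.search(line)]
        findings.extend((lineno, kind) for kind in known)
        if DEBUG_ON.match(line):
            findings.append((lineno, "debug_enabled"))
        if known:
            continue  # already reported under a precise name
        m = SECRET_VAR.match(line)
        if not m:
            continue
        value = m.group("value").strip("\"'")
        # A reference to an external secret store (the recommended pattern)
        # or an obvious placeholder is not a leak.
        if value.lower() in PLACEHOLDERS or value.startswith("${"):
            continue
        if len(value) >= 16 and shannon_entropy(value) >= entropy_threshold:
            findings.append((lineno, "high_entropy_secret"))
    return findings


# Constructed sample .env for the demo. The AWS values are Amazon's
# published documentation placeholders; everything else is made up.
SAMPLE_ENV = """\
APP_NAME=Acme
APP_ENV=production
APP_DEBUG=true
APP_KEY=base64:s3X2Rm0pQ9hL7vB1nK4cT8yW6aF5dJ3gH2eU0iZ9xN8=
DB_HOST=127.0.0.1
DB_USERNAME=acme
DB_PASSWORD=changeme
STRIPE_SECRET=sk_test_ZfA1qL9xC3vB7nM2kP4tR8wY6
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
MAIL_PASSWORD=${VAULT_MAIL_PASSWORD}
"""

if __name__ == "__main__":
    # A pre-commit hook or CI job would read the staged files instead.
    results = scan_config(SAMPLE_ENV)
    for lineno, kind in results:
        print(f"line {lineno}: {kind}")
    sys.exit(1 if results else 0)  # a non-zero exit blocks the commit/build
```

Run against the sample, the scanner reports the debug flag on line 3, the Laravel key on line 4, the Stripe and AWS secret keys as high-entropy values on lines 8 and 10, and the AWS access key ID on line 9; the placeholder password and the `${VAULT_...}` reference are correctly ignored. The entropy heuristic is what catches credentials in formats nobody wrote a pattern for, and it is also the source of false positives (long random-looking but harmless values), which is why real tools pair it with an allow-list.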

Questions Every Business Leader Should Ask 

You don’t need to write code — but you do need to lead with curiosity. Start with these: 

  • What frameworks and libraries does our app use? Are they up to date? 
  • How are secrets and keys stored and managed? 
  • Do we scan our codebase for exposed credentials or vulnerabilities? 
  • What’s our process for patching third-party dependencies? (For example, does our build run npm audit or composer audit, and who acts on the results?)
  • Are we using debug mode in production environments? (Hint: don’t) 

Developers Are Allies — Not Adversaries 

This isn’t about blaming developers. Most are doing their best in fast-paced environments. But they need support, resources, and leadership that prioritises security. It may be that any contracts you have with developers do not cover ongoing support, or only support for a fixed timeframe after going live. In some cases, you might find that they update at certain intervals throughout the year, not applying patches and security fixes until the next update cycle – which might be too late! 

Asking the right questions early on and finding the most suitable solutions can save you a lot of hassle and confusion in future. It is also important to continue asking questions about the state of your organisation’s platform and app security throughout its lifespan, even if you’re not technologically inclined. 

Creating a secure-by-default culture starts at the top. 

Final Thoughts: Security Is a Business Strategy 

Ignoring what’s “under the hood” is like driving a car without ever checking the oil. It might run fine — until it doesn’t. 

By asking the right questions and fostering a culture of proactive security, business leaders can protect their organisations from costly breaches, reputational damage, and regulatory fallout. 
