Security experts, I have a question: if a database server only allows connections from a whitelist (trusted IPs), is exposing database passwords in a Git repository still a problem?
In any case where having passwords is relevant to security rather than just a hindrance to usability, exposing passwords is a security problem. If exposing a password isn't a security problem, you shouldn't require a password in the first place.
> "Defense in depth" is a commonly accepted security principle
Indeed.
> that suggests otherwise:
Except that it does no such thing. If you have passwords for defense in depth, they both exist for security reasons and it is a security problem to expose them (because you've just eliminated part of your depth.)
Defense in depth means that the problems of any one layer being violated are mitigated by additional layers of security; it doesn't mean it suddenly ceases to be a security problem if one of your measures is compromised. It just reduces the likely immediate severity of such a compromise, providing a greater chance of being able to effectively address it before it leads to an actual breach.
It's not clear from your question if this hopefully hypothetical database server is exposed to the internet or if it's on a private network, but:
Yes, it's still a problem, because then you have to depend on the whitelist staying valid and never having an admin accidentally turn it off. And you also have to depend on none of the machines on the trusted IPs being compromised either. And you have to depend on many other things not happening as well.
Instead, you want what is called defense in depth--several layers of security so that an attacker needs to breach several defensive layers in order to get access to what they're looking for. Relying on just an IP whitelist as a single layer of defense is not considered to be a good practice.
[I'm not saying I am an expert] It is always a problem to expose passwords. Sure, they can't use it from the outside, but what's the point of even having the password if it's public? The password is to prevent unauthorized access. If they are able to get to a box and pivot, that password becomes useful to the attacker.
Definitely a good idea to whitelist IPs, and, I'm certainly no security expert, but I still would avoid putting any type of credentials in a repository. Someone could have an IP reset, use a VPN tunnel, or any number of scenarios. I think it is better practice to use environment variables or something similar. Correct me if I'm wrong for those of you who are in security.
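
Added example, not part of any post in this thread: a small check that could run before a commit to flag literal database passwords in config text while accepting values that defer to the environment or a template, as the last comment suggests. The function names, patterns and sample config are assumptions made up for illustration.

```python
import re

# URI with inline credentials, e.g. postgres://user:secret@host/db
URI_RE = re.compile(
    r"\b(?:postgres(?:ql)?|mysql|mariadb|mongodb(?:\+srv)?|redis|mssql)://"
    r"[^\s:/@]*:(?P<secret>[^\s@]+)@", re.IGNORECASE)
# key = value (or key: value) where the key looks like a password setting
ASSIGN_RE = re.compile(
    r"(?P<key>\b[\w.]*(?:password|passwd|pwd)\w*)\s*[:=]\s*(?P<secret>\S.*)$",
    re.IGNORECASE)
# Values that point at the environment or a template instead of a literal
REFERENCE_RE = re.compile(
    r"^(?:\$\{?\w+\}?|\{\{.*\}\}|<.*>|os\.environ\b.*|os\.getenv\(.*|process\.env\.\w+.*)$")


def is_literal(value):
    """True when the value is an actual secret rather than a reference."""
    value = value.strip().rstrip(",;").strip("\"'")
    return bool(value) and not REFERENCE_RE.match(value)


def find_hardcoded_credentials(text):
    """Return (line_number, kind) for each line holding a literal DB secret."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        uri = URI_RE.search(stripped)
        if uri and is_literal(uri.group("secret")):
            findings.append((number, "uri"))
            continue
        assign = ASSIGN_RE.search(stripped)
        if assign and is_literal(assign.group("secret")):
            findings.append((number, "assignment"))
    return findings


# Constructed sample config; hosts and secrets are made up.
SAMPLE = """\
DB_HOST=10.0.0.5
DB_PASSWORD=hunter2
DATABASE_URL=postgres://app:s3cret@db.internal.example:5432/app
DB_PASSWORD=${DB_PASSWORD}
password: "{{ vault_db_password }}"
DATABASE_URL=postgres://app:${DB_PASSWORD}@db.internal.example:5432/app
"""

if __name__ == "__main__":
    for number, kind in find_hardcoded_credentials(SAMPLE):
        print(f"line {number}: hard-coded database credential ({kind})")
```

A finding in a file that has already been pushed means the password should be rotated, since removing the line in a later commit leaves it in the repository history.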