Josh Graham Interviews Aaron Bedra • YOW! 2020

A deep dive into secure software practices with Aaron Bedra, covering type safety, secret management, dependency control, and domain modeling for building safer systems.

Key takeaways
  • Use tiny types and domain modeling to enforce type safety and prevent incorrect states, especially for critical code around passwords and security

  • Pin exact dependency versions rather than relying on semantic versioning: not everyone follows the convention, and transitive dependencies can cause conflicts

  • Ephemeral credentials and automated secret rotation are preferable to long-lived static passwords that humans need to know and manage

  • Tools like HashiCorp Vault, cloud provider secret managers, and other purpose-built secret management solutions are better than DIY approaches

  • In password handling code, model the domain to enforce that plain text passwords can only go one direction (to hashed) and prevent incorrect usage

  • Package management requires deliberate maintenance - stay up to date, scan for vulnerabilities, and have controls around license compliance

  • Test coverage and domain modeling help catch errors earlier in development rather than at runtime

  • For critical systems, consider using more formal approaches like theorem proving and type systems to enforce correctness

  • Local development should use the same secret management mechanisms as other environments to maintain consistency

  • Keep secrets out of version control and use proper tooling to detect and prevent accidental commits of sensitive data

  • Bootstrap secrets require special consideration since they’re needed to access the secrets management system itself

  • Domain modeling helps enforce business rules and constraints at the type level rather than through runtime checks
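The password-handling takeaways above (tiny types, plain text flowing in one direction only, rules enforced by the type rather than by runtime checks scattered through the code) can be made concrete in a few dozen lines. The following is an added example written for this summary, not code from the interview or from Aaron Bedra; it uses only the Python standard library (`hashlib.scrypt` as the password hash, `hmac.compare_digest` for the comparison), and the minimum length of 12 characters and the `register`/`login` helpers are assumptions made for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class HashedPassword:
    """A salted scrypt digest. There is deliberately no method that yields plain text."""

    salt: bytes
    digest: bytes

    def verify(self, candidate: "PlaintextPassword") -> bool:
        # Only a PlaintextPassword can be verified. A bare str is rejected, so a caller
        # cannot accidentally compare the stored hash against some unrelated string.
        if not isinstance(candidate, PlaintextPassword):
            raise TypeError(
                "verify() takes a PlaintextPassword, not %s" % type(candidate).__name__
            )
        recomputed = candidate.to_hashed(salt=self.salt)
        # Constant-time comparison of the two digests.
        return hmac.compare_digest(self.digest, recomputed.digest)


class PlaintextPassword:
    """A plain-text password exactly as received from a sign-up or login form.

    The only operation it supports is to_hashed(). It cannot be printed, compared
    with ==, or turned back into a str, so the value moves in one direction only.
    """

    __slots__ = ("_value",)
    MIN_LENGTH = 12  # assumed policy for this example

    def __init__(self, value: str) -> None:
        if not isinstance(value, str):
            raise TypeError("password must be a str")
        if len(value) < self.MIN_LENGTH:
            raise ValueError(f"password must be at least {self.MIN_LENGTH} characters")
        self._value = value.encode("utf-8")

    def to_hashed(self, salt: Optional[bytes] = None) -> HashedPassword:
        # Standard-library scrypt. A fresh random salt is generated unless the caller
        # supplies one; HashedPassword.verify() supplies the stored salt to recompute.
        if salt is None:
            salt = os.urandom(16)
        digest = hashlib.scrypt(self._value, salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
        return HashedPassword(salt=salt, digest=digest)

    # Redacted in logs, tracebacks and debuggers.
    def __repr__(self) -> str:
        return "PlaintextPassword(<redacted>)"

    __str__ = __repr__

    # Comparing two plain-text passwords directly is an error: the only sanctioned
    # comparison is HashedPassword.verify(). Defining __eq__ also makes the type unhashable.
    def __eq__(self, other: object) -> bool:
        raise TypeError("compare passwords with HashedPassword.verify(), not ==")


# Assumed, constructed user store: username -> HashedPassword. Plain text is never stored.
UserStore = Dict[str, HashedPassword]

# Hashed once at import so that a login for an unknown user still costs one scrypt
# computation and does not reveal, by timing, whether the username exists.
_DUMMY_HASH = PlaintextPassword("dummy-password-for-timing").to_hashed()


def register(store: UserStore, username: str, password: PlaintextPassword) -> None:
    store[username] = password.to_hashed()


def login(store: UserStore, username: str, password: PlaintextPassword) -> bool:
    stored = store.get(username)
    if stored is None:
        _DUMMY_HASH.verify(password)
        return False
    return stored.verify(password)


if __name__ == "__main__":
    users: UserStore = {}
    register(users, "alice", PlaintextPassword("correct horse battery staple"))
    print(login(users, "alice", PlaintextPassword("correct horse battery staple")))  # True
    print(login(users, "alice", PlaintextPassword("incorrect horse battery")))  # False
    print(users["alice"])  # salt and digest only; no plain text anywhere
```

The point of the two classes is that the wrong program does not type-check or does not run: there is no way to read a `PlaintextPassword` back out, no way to log it by accident, and no way to compare one against anything except through `HashedPassword.verify`. A static checker such as mypy catches a `str` passed where a `PlaintextPassword` is expected before the code is ever executed, which is the "earlier than runtime" benefit the takeaways describe.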