manapause | 2 years ago
In our assessment we found that these APP_KEYs are also included in the backup file - which makes the SnipeIT backup ZIP files a vector for exposing all users and passwords (as well as all encrypted field data) because of a default setting by the framework's backup provider.
That said - if you are concerned about security, you will be on-prem or within your own cloud provider to begin with. The SnipeApp company offers "enterprise"-level support at a somewhat reasonable rate for big companies, and they were a great help assisting with our installation and integrating the SnipeIT API to import new devices and licenses automatically in a way that we can control from, say, a PO.
This password issue may not be a problem for you, as I understand they now have connectors for SSO or another OAuth provider. That, and the fact that they asked us to share our backup via email during onboarding without specifying that the secrets should be kept out of the backup, made our decision to go in-house. Still a good, scrappy product, and when we asked them whether they had access to our company's passwords, which had not been disclosed, we didn't get a response. That's OK - and it was a good lesson for my team in evaluating the open source framework behind a product, vis-à-vis "trust but verify."
It's always going to be a vector of our own partial design (and/or someone we are paying), a rogue backup source of truth that is ejected into the ether like atoms forming salts in an acid-base reaction.
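Added example, not part of the comment above and not Snipe-IT's or Laravel's own code: a stdlib-only Python check to run over a backup ZIP before it is emailed anywhere. It finds `APP_KEY=` assignments, then searches every member for the literal key value (a cached config or a log can carry the same secret even after `.env` is removed), and writes a redacted copy. The sample backup, its member names (`.env`, `bootstrap/cache/config.php`, `db-dumps/mysql-snipeit.sql`) and the key value are constructed for the demo; only the `APP_KEY=base64:...` line format is taken from how Laravel stores the key.

```python
"""Scan a Laravel-based backup ZIP (e.g. Snipe-IT) for a leaked APP_KEY and redact it.

Added illustration; member names and the key value below are constructed, not real.
"""
import base64
import io
import re
import zipfile

# Constructed dummy key in Laravel's APP_KEY format (base64 of 32 bytes). Not a real key.
SAMPLE_APP_KEY = "base64:" + base64.b64encode(b"0" * 32).decode("ascii")

# Matches `APP_KEY=<value>` at the start of a line, as it appears in a .env file.
APP_KEY_RE = re.compile(rb"^\s*APP_KEY\s*=\s*([^\s#]+)", re.MULTILINE)


def build_sample_backup() -> bytes:
    """Constructed stand-in for a backup ZIP that shipped its .env (and a cached config)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(".env", f"APP_ENV=production\nAPP_KEY={SAMPLE_APP_KEY}\n")
        zf.writestr(
            "bootstrap/cache/config.php",
            f"<?php return ['app' => ['key' => '{SAMPLE_APP_KEY}']];\n",
        )
        zf.writestr(
            "db-dumps/mysql-snipeit.sql",
            "-- constructed dump\nINSERT INTO `assets` VALUES (1, 'laptop-01');\n",
        )
    return buf.getvalue()


def _members(zip_bytes: bytes):
    """Yield (name, raw bytes) for every file member of the ZIP."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                yield info.filename, zf.read(info)


def find_app_keys(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Every APP_KEY=... assignment in any member, as (member name, value)."""
    return [
        (name, m.group(1).decode("ascii", "replace"))
        for name, data in _members(zip_bytes)
        for m in APP_KEY_RE.finditer(data)
    ]


def members_containing(zip_bytes: bytes, secret: str) -> list[str]:
    """Members whose bytes contain the literal secret (catches cached configs, logs, dumps)."""
    needle = secret.encode()
    return [name for name, data in _members(zip_bytes) if needle in data]


def redact(zip_bytes: bytes, secrets: list[str], marker: str = "[REDACTED]") -> bytes:
    """Return a new ZIP with every occurrence of each secret replaced by marker."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in _members(zip_bytes):
            for s in secrets:
                data = data.replace(s.encode(), marker.encode())
            zf.writestr(name, data)
    return out.getvalue()


if __name__ == "__main__":
    backup = build_sample_backup()
    keys = find_app_keys(backup)
    for member, value in keys:
        print(f"APP_KEY found in {member}; also present in: "
              f"{members_containing(backup, value)}")
    clean = redact(backup, [value for _, value in keys])
    print("after redaction:", find_app_keys(clean))
```

Redacting only helps for a copy that has not left your hands yet; if a backup carrying the key has already been shared, the key has to be rotated, which means re-encrypting every field that was encrypted under the old one.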