Hi Everyone,
I have noticed that when I made an account for the company I work at to publish a plugin to the repository, the generated API key and secret cannot be revoked, renewed or deleted.
This brought up a discussion in the company on how we would handle this in terms of our privacy policy and possible security threats.
To clarify: I do not expect this data to be "stolen", but there is nothing stopping an employee with access to the account (we have two at the moment, including myself) from storing these on their personal cloud. In the event that my contract - or that of any developer with access - were terminated, this person could have malicious intent and still publish, and we would have no way to revoke the key.
How would we handle a situation like this?
At our company we are certified for AVG/GDPR and have this position in multiple layers of the AVG/GDPR implementation.
To that extent, we as a company consider these kinds of security threats as something we definitely should consider and look at even if they are not explicitly mentioned inside the AVG/GDPR.
In our case we have one published plugin that we use for a specific use case in our projects, so in the worst-case scenario we could still delete the plugin and just publish to our local Nexus.
Kind Regards,
Patrick van Zadel