AttackFlow Findings Dictionary


Hardcoded Password in Configuration

Hardcoded passwords are prohibited by various security standards

Severity

Medium

Fix Cost

Medium

Trust Level

Low

It may seem like a good idea to keep a password in a configuration file, as long as it is not in the code.

This way of storing a password looks convenient, simple and secure. However, a substantial number of standards (such as PCI-DSS, HIPAA and SOX) have rules against this practice. Moreover, a password stored this way is in fact hard to maintain: the password may change or the account may be locked, so the configuration needs ongoing maintenance.

Additionally, if an attacker somehow obtains a piece of the code, they will eventually get the hardcoded password. GitHub is one example of a medium where a lot of software projects have hardcoded passwords stored in their configuration.

Although keeping any type of credential in a configuration file is more secure than keeping it in the code, there is still large room for improvement when the focus is storing credentials securely.

<configuration>
  <appSettings>
    <!-- Insecure: a literal credential stored in the configuration file -->
    <add key="password" value="mPas$$W00rd" />
    <add key="secret" value="" />
  </appSettings>
</configuration>
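As an added example that is not part of the AttackFlow page or product, the following Python check parses a .NET appSettings block modelled on the snippet above and reports credential-like keys whose value is a non-empty literal; the sample configuration, the key-name patterns and the placeholder syntax it tolerates are assumptions made for this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: an appSettings block modelled on the finding above,
# extended with a numeric setting and a deploy-time placeholder.
SAMPLE_CONFIG = """<configuration>
  <appSettings>
    <add key="password" value="mPas$$W00rd" />
    <add key="secret" value="" />
    <add key="ApiTimeoutSeconds" value="30" />
    <add key="DbPassword" value="${DB_PASSWORD}" />
  </appSettings>
</configuration>
"""

# Key names that usually hold a credential (assumed list, case-insensitive).
SENSITIVE_KEY = re.compile(r"passw(or)?d|pwd|secret|api_?key|token", re.I)
# Values that are resolved from the environment at deploy time rather than
# being literal secrets (assumed ${VAR} / %VAR% placeholder syntax).
PLACEHOLDER = re.compile(r"^\$\{[A-Za-z0-9_]+\}$|^%[A-Za-z0-9_]+%$")


def find_hardcoded_credentials(config_xml: str) -> list:
    """Return one finding per <add> element whose key looks credential-like
    and whose value is a non-empty literal. Only the key name and the value
    length are reported, so the scan output never repeats the secret."""
    root = ET.fromstring(config_xml)
    findings = []
    for add in root.iter("add"):
        key = add.get("key", "")
        value = add.get("value", "")
        if not SENSITIVE_KEY.search(key):
            continue
        # An empty value or a placeholder means the secret is supplied
        # elsewhere (environment, secret store), which is the intended fix.
        if value == "" or PLACEHOLDER.match(value):
            continue
        findings.append({"key": key, "value_length": len(value)})
    return findings


if __name__ == "__main__":
    for finding in find_hardcoded_credentials(SAMPLE_CONFIG):
        print("Hardcoded credential in appSettings key:", finding["key"])
```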
