How to solve password management - password in configuration

Hi, I am using HP Fortify to find all the vulnerabilities in my application, and now I am trying to solve the one that seems to be the main one, but I cannot do it.

The problem is the password setting. I have a web application, and inside it, in the properties file, there is something like this:

somePassword=passwordPlainText

I agree that this is wrong, so I tried several methods using http://www.jasypt.org/encrypting-configuration.html, OBS, CRYPT and ENC. But I always get the same warning from Fortify when I scan my code. Am I doing something wrong?

Thanks

1 answer

You may find the following answer helpful. I assume it is probably the database password, but the same concepts apply to accessing other types of accounts.

https://security.stackexchange.com/questions/22817/how-to-encrypt-database-connection-credentials-on-a-web-server

The basic principle is that you want to avoid accidental leakage of credentials and, thus, put them somewhere outside the code (where all developers would see them), in a configuration file that lives outside the main code root and has carefully controlled access. Ideally, you can avoid passwords altogether by properly setting up access to the database according to the user's permissions.

Note: Fortify finds the password problem mainly by grepping for "password" (and some variants). Therefore, in other cases it is a false positive if you simply have a variable named "password" or a comment that mentions "password" but no password actually hard-coded into a file.
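As an added example (not code from the question, the answer or the linked thread), a Java loader that follows the answer's advice: the password is read from a file named by an environment variable, kept outside the code tree and the web root, and the loader refuses a file that other users can read. The variable name `MYAPP_DB_CREDENTIALS` and the property key `db.password` are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Properties;
import java.util.Set;

/** Loads database credentials from a file kept outside the code tree and the web root. */
public final class ExternalCredentials {
    // Hypothetical environment variable naming the credentials file, e.g. /etc/myapp/db.properties
    static final String LOCATION_VAR = "MYAPP_DB_CREDENTIALS";

    private ExternalCredentials() {}

    public static Properties load() throws IOException {
        String location = System.getenv(LOCATION_VAR);
        if (location == null || location.isEmpty()) {
            // No built-in fallback value: a missing file is a deployment error, not a reason to hard-code.
            throw new IllegalStateException(LOCATION_VAR + " is not set");
        }
        Path file = Paths.get(location).toAbsolutePath().normalize();
        if (!Files.isRegularFile(file)) {
            throw new IllegalStateException("credentials file not found: " + file);
        }
        rejectIfReadableByOthers(file);
        Properties props = new Properties();
        try (InputStream in = Files.newInputStream(file)) {
            props.load(in);
        }
        if (props.getProperty("db.password") == null) {
            throw new IllegalStateException("db.password missing in " + file);
        }
        return props;
    }

    /** Fails fast when group or world can read the file; skipped on non-POSIX file systems. */
    static void rejectIfReadableByOthers(Path file) throws IOException {
        if (!Files.getFileStore(file).supportsFileAttributeView("posix")) {
            return; // e.g. Windows/NTFS: the deployer must restrict access with ACLs instead
        }
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(file);
        if (perms.contains(PosixFilePermission.GROUP_READ)
                || perms.contains(PosixFilePermission.OTHERS_READ)) {
            throw new IllegalStateException("credentials file is readable by others: " + file);
        }
    }
}
```

With the file owned by the service account at mode 0600 and the `somePassword=` line removed from the packaged properties file, the scanner no longer has a literal to flag, and the secret never enters the source tree.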


Source: https://habr.com/ru/post/1246135/
