Use of Hard-coded Password
| Field | Value |
|---|---|
| ID | scala.password.scala_password_rule_constantdbpassword |
| Severity | high |
| Resource | Password |
| Language | Scala |
Description
A potential hard-coded password was identified in a database connection string. Passwords should not be stored directly in code but loaded at runtime from a secure location such as a Key Management System (KMS).
The purpose of using a Key Management System is that access to the secret can be audited and keys can be rotated easily in the event of a breach. When passwords are hard-coded, it is extremely difficult to determine when, or whether, a key has been compromised, and rotating it requires a code change and a new build.
The recommendation on which KMS to use depends on the environment the application is running in:
- For Google Cloud Platform consider [Cloud Key Management](https://cloud.google.com/kms/docs)
- For Amazon Web Services consider [AWS Key Management](https://aws.amazon.com/kms/)
- For on-premise or other alternatives to cloud providers, consider [Hashicorp's Vault](https://www.vaultproject.io/)
- For other cloud providers, please see their documentation
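The following Scala snippet is an added example, not code from the rule's documentation or from any project: it shows the pattern this rule reports (a password literal passed straight to a JDBC connection) next to a hardened version that resolves the password at runtime through a small `SecretSource` abstraction. The names `SecretSource`, `EnvSecretSource`, `ORDERS_DB_PASSWORD`, the host `db.internal` and the user `orders_app` are all assumptions made for illustration; the environment-variable implementation assumes the deployment platform injects the value from a secrets manager or KMS rather than from a committed file.

```scala
import java.sql.{Connection, DriverManager}
import java.util.Properties

object DbConnection {

  // Vulnerable form (constructed to illustrate the finding): the credential is a
  // string constant compiled into the artifact and visible in source control,
  // so it cannot be audited or rotated without a code change and a new build.
  def connectInsecure(): Connection = {
    val url = "jdbc:postgresql://db.internal:5432/orders"
    DriverManager.getConnection(url, "orders_app", "S3cr3tP@ss") // hard-coded password
  }

  // Abstraction over wherever the secret actually lives (KMS, Vault, platform
  // secret store). Callers never see a constant; they ask for a named secret.
  trait SecretSource {
    def get(name: String): Option[String]
  }

  // Assumed deployment model: the platform injects the secret into the process
  // environment at start-up from a secrets manager, so nothing is committed.
  final class EnvSecretSource extends SecretSource {
    def get(name: String): Option[String] =
      Option(System.getenv(name)).map(_.trim).filter(_.nonEmpty)
  }

  // Hardened form: resolve the password at connect time and fail closed if it
  // is missing, rather than falling back to any default value.
  def connectSecure(secrets: SecretSource): Connection = {
    val url  = "jdbc:postgresql://db.internal:5432/orders"
    val user = "orders_app"
    val password = secrets.get("ORDERS_DB_PASSWORD").getOrElse(
      throw new IllegalStateException(
        "ORDERS_DB_PASSWORD was not provided by the secret source; refusing to start")
    )
    val props = new Properties()
    props.setProperty("user", user)
    props.setProperty("password", password)
    props.setProperty("ssl", "true") // PgJDBC property: protect the credential in transit
    DriverManager.getConnection(url, props)
  }
}
```

Because `connectSecure` reads the secret each time a connection is opened, rotating the password in the KMS and restarting (or re-injecting the environment) takes effect without touching the source, and the KMS access log records which workload fetched the credential and when.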
Remediation
Follow secure coding practices and review the references below for detailed remediation guidance.
References
- OWASP Top 10 2021 - A07: Identification and Authentication Failures.