Use of Hard-coded Password
ID |
scala.password.scala_password_rule_emptydbpassword |
Severity |
high |
Resource |
Password |
Language |
Scala |
Description
The application does not provide authentication when communicating a database server. It is strongly recommended that the database server be configured with authentication and restrict what queries users can execute.
Please see your database server’s documentation on how to configure a password.
Additionally, passwords should not be stored directly in code but loaded from secure locations such as a Key Management System (KMS).
The purpose of using a Key Management System is so access can be audited and keys easily rotated in the event of a breach. By hardcoding passwords, it will be extremely difficult to determine when or if, a key is compromised.
The recommendation on which KMS to use depends on the environment the application is running in:
-
For Google Cloud Platform consider [Cloud Key Management](https://cloud.google.com/kms/docs)
-
For Amazon Web Services consider [AWS Key Management](https://aws.amazon.com/kms/)
-
For on premise or other alternatives to cloud providers, consider [Hashicorp’s Vault](https://www.vaultproject.io/)
-
For other cloud providers, please see their documentation
Rationale
The application does not provide authentication when communicating a database server. It is strongly recommended that the database server be configured with authentication and restrict what queries users can execute.
Please see your database server’s documentation on how to configure a password.
Additionally, passwords should not be stored directly in code but loaded from secure locations such as a Key Management System (KMS).
The purpose of using a Key Management System is so access can be audited and keys easily rotated in the event of a breach. By hardcoding passwords, it will be extremely difficult to determine when or if, a key is compromised.
The recommendation on which KMS to use depends on the environment the application is running in:
-
For Google Cloud Platform consider [Cloud Key Management](https://cloud.google.com/kms/docs)
-
For Amazon Web Services consider [AWS Key Management](https://aws.amazon.com/kms/)
-
For on premise or other alternatives to cloud providers, consider [Hashicorp’s Vault](https://www.vaultproject.io/)
-
For other cloud providers, please see their documentation
Remediation
Follow secure coding practices and review the references below for detailed remediation guidance.
References
-
OWASP Top 10 2021 - A07 : Identification and Authentication Failures.