Hard-coded password in database connection string
Description
A potential hard-coded password was identified in a database connection string. Passwords should not be stored directly in code but loaded from a secure location such as a Key Management System (KMS). Using a KMS means access to the secret can be audited and the secret can be rotated easily in the event of a breach. With a hard-coded password it is extremely difficult to determine when, or whether, the secret has been compromised, and rotating it requires a code change and redeployment.
Examples
Insecure Code

```java
java.sql.DriverManager.getConnection("jdbc:mysql://localhost:3306/mydb", "myuser", "mypassword");
```

Secure Code

```java
java.sql.DriverManager.getConnection("jdbc:mysql://localhost:3306/mydb", "myuser", System.getenv("DB_PASSWORD"));
```

Remediation
Load passwords from a secure location such as a Key Management System (KMS), for example Cloud Key Management, AWS Key Management, or HashiCorp Vault, and have the application fetch the secret at runtime rather than embedding it in the source.
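As an added example (not code from this rule page or from its scanner), the following Python detector applies the rule to constructed Java source lines. It covers the shape shown above (a string-literal password argument to `getConnection`) and also the case where the password is carried inside the JDBC URL's query string; the function name `find_hardcoded_db_passwords` and the sample lines are constructed for illustration.

```python
import re

# Constructed sample Java source (not from any real project) mixing the
# insecure and secure patterns from the rule description.
SAMPLE_JAVA = '''\
String url = "jdbc:mysql://localhost:3306/mydb";
Connection a = DriverManager.getConnection("jdbc:mysql://localhost:3306/mydb", "myuser", "mypassword");
Connection b = DriverManager.getConnection("jdbc:mysql://localhost:3306/mydb", "myuser", System.getenv("DB_PASSWORD"));
Connection c = DriverManager.getConnection("jdbc:postgresql://db:5432/app?user=app&password=s3cret");
Connection d = DriverManager.getConnection(url, props);
'''

# getConnection(url, user, password) where the password argument is a
# string literal rather than an expression such as System.getenv(...).
LITERAL_PASSWORD_ARG = re.compile(
    r'getConnection\(\s*"[^"]*"\s*,\s*"[^"]*"\s*,\s*"[^"]*"\s*\)')

# A password embedded in the JDBC URL string itself (?password=... or &password=...).
PASSWORD_IN_URL = re.compile(r'"jdbc:[^"]*[?&;]password=[^&;"]+', re.IGNORECASE)


def find_hardcoded_db_passwords(source: str) -> list:
    """Return (line_number, finding_kind) pairs for CODE-0714 style findings.

    The matched secret is deliberately not returned, so the scanner's own
    output does not become another place where the password is stored.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if LITERAL_PASSWORD_ARG.search(line):
            findings.append((lineno, "literal-password-argument"))
        elif PASSWORD_IN_URL.search(line):
            findings.append((lineno, "password-in-jdbc-url"))
    return findings


if __name__ == "__main__":
    for lineno, kind in find_hardcoded_db_passwords(SAMPLE_JAVA):
        print(f"line {lineno}: {kind}")
```

Lines that pass the password as an expression (`System.getenv`, a `Properties` object) are not reported, which matches the rule's intent that the secret be resolved at runtime.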
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0714 |
| Category | Secrets |
| Severity | CRITICAL |
| CWE | CWE-259 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | HIGH |
| Exploitability | EASY |
| Tags | password, hardcoded, KMS |
| OWASP | A2:2017-Broken Authentication, A07:2021-Identification and Authentication Failures |