Hard-coded password
Description
A potential hard-coded password was identified in a hard-coded string. Passwords should not be stored directly in code but loaded from secure locations such as a Key Management System (KMS). The purpose of using a Key Management System is so access can be audited and keys easily rotated in the event of a breach. By hardcoding passwords, it will be extremely difficult to determine when or if, a key is compromised.
Examples
Insecure Code
java
new java.security.KeyStore.PasswordProtection("mysecretpassword".toCharArray())Secure Code
java
String password = System.getenv("PASSWORD"); new java.security.KeyStore.PasswordProtection(password.toCharArray())Remediation
Load passwords from a secure location such as a Key Management System (KMS) like Cloud Key Management, AWS Key Management, or Hashicorp's Vault.
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0716 |
| Category | Secrets |
| Severity | CRITICAL |
| CWE | CWE-259 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | HIGH |
| Exploitability | EASY |
| Tags | hard-coded password, key management system |
| OWASP | A2:2017-Broken Authentication, A07:2021-Identification and Authentication Failures |