diff --git a/rules/S6697/secrets/rule.adoc b/rules/S6697/secrets/rule.adoc index 6b5edd8a69..7bf2e98044 100644 --- a/rules/S6697/secrets/rule.adoc +++ b/rules/S6697/secrets/rule.adoc @@ -38,6 +38,8 @@ They can be used to audit malicious use of password-leak-affected accounts. include::../../../shared_content/secrets/fix/vault.adoc[] +include::../../../shared_content/secrets/fix/default.adoc[] + === Code examples ==== Noncompliant code example diff --git a/rules/S6698/secrets/rule.adoc b/rules/S6698/secrets/rule.adoc index 50ad618e96..16f76954b1 100644 --- a/rules/S6698/secrets/rule.adoc +++ b/rules/S6698/secrets/rule.adoc @@ -39,6 +39,8 @@ for this to happen. include::../../../shared_content/secrets/fix/vault.adoc[] +include::../../../shared_content/secrets/fix/default.adoc[] + === Code examples ==== Noncompliant code example @@ -74,4 +76,4 @@ include::../../../shared_content/secrets/resources/standards.adoc[] * PostgreSQL Documentation - https://www.postgresql.org/docs/15/client-authentication.html[Client Authentication] * PostgreSQL Documentation - https://www.postgresql.org/docs/current/runtime-config-logging.html[Error Reporting and Logging] -//=== Benchmarks \ No newline at end of file +//=== Benchmarks diff --git a/rules/S6703/secrets/rule.adoc b/rules/S6703/secrets/rule.adoc index 2c34e32385..71acf120cd 100644 --- a/rules/S6703/secrets/rule.adoc +++ b/rules/S6703/secrets/rule.adoc @@ -33,6 +33,8 @@ include::../../../shared_content/secrets/fix/revoke.adoc[] include::../../../shared_content/secrets/fix/vault.adoc[] +include::../../../shared_content/secrets/fix/default.adoc[] + === Code examples ==== Noncompliant code example @@ -62,4 +64,4 @@ public static string ConnectionString = String.format( include::../../../shared_content/secrets/resources/standards.adoc[] -//=== Benchmarks \ No newline at end of file +//=== Benchmarks 
diff --git a/shared_content/secrets/fix/default.adoc b/shared_content/secrets/fix/default.adoc new file mode 100644 index 0000000000..0f9766aaea --- /dev/null +++ b/shared_content/secrets/fix/default.adoc @@ -0,0 +1,16 @@ +**Never hard-code secrets, not even the default values** + +It is important that you do not hard-code secrets, even default values. + +First, hard-coded default secrets are often short and can be easily compromised +even by attackers who do not have access to the code base. + +Second, hard-coded default secrets can cause problems if they need to be +changed or replaced. + +And most importantly, there is always the possibility to accidentally set +default secrets for production services, which can lead to security +vulnerabilities and make production insecure by default. + +To minimize these risks, it is recommended to apply the above strategies, even +for the default settings.
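Review bot: In the new `default.adoc`, the closing sentence "it is recommended to apply the above strategies" only makes sense when the snippet is included after the other fix sections, which the three rule hunks do (each include follows `fix/vault.adoc`), but the text should not depend on placement; suggest naming what is meant, e.g. "it is recommended to apply the same strategies (revocation, vault storage) to default settings as well." The second argument is also vague as written ("can cause problems if they need to be changed or replaced"); stating the concrete consequence, that rotating a hard-coded default requires a code change and redeployment, would make the point. Finally, "there is always the possibility to accidentally set default secrets for production services" reads awkwardly; "default secrets can accidentally remain in use on production services" says the same more plainly.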