33 lines
1.6 KiB
Plaintext
33 lines
1.6 KiB
Plaintext
A hard-coded secret has been found in your code. You should quickly list where
|
|
this secret is used, revoke it, and then change it in every system that uses
|
|
it.
|
|
|
|
Passwords, secrets, and any type of credentials should only be used to
|
|
authenticate a single entity (a person or a system).
|
|
|
|
If you allow third parties to authenticate as another system or person, they
|
|
can impersonate legitimate identities and undermine trust within the
|
|
organization. +
|
|
It does not matter if the impersonation is malicious: In either case, it is a
|
|
clear breach of trust in the system, as the systems involved falsely assume
|
|
that the authenticated entity is who it claims to be. +
|
|
The consequences can be catastrophic.
|
|
|
|
Keeping credentials in plain text in a code base is tantamount to sharing that
|
|
password with anyone who has access to the source code and runtime servers. +
|
|
Thus, it is a breach of trust, as these individuals have the ability to
|
|
impersonate others.
|
|
|
|
Secret management services are the most efficient tools to store credentials
|
|
and protect the identities associated with them. +
|
|
Cloud providers and on-premise services can be used for this purpose.
|
|
|
|
If storing credentials in a secret data management service is not possible,
|
|
follow these guidelines:
|
|
|
|
* Do not store credentials in a file that an excessive number of people can access.
|
|
** For example, not in code, not in a spreadsheet, not on a sticky note, and not on a shared drive.
|
|
* Use the production operating system to protect password access control.
|
|
** For example, in a file whose permissions are restricted and protected with chmod and chown.
|
|
|