CRITICAL
Rule Definition
The software should not have hard-coded passwords in the application code or files.
Hard-coded passwords typically create a significant security hole that allows an attacker to bypass the authentication that has been configured by the software administrator.
This hole might be difficult for the system administrator to detect. Even if detected, it can be difficult to fix, so the administrator may be forced into disabling the product entirely.
Remediation
Instead of an explicit database password, use OS-integrated system authentication.
Alternatively, store the password in an encrypted configuration file, and implement a mechanism enabling administrators to change the password. Ensure the file permissions are configured to restrict access to administrators only.
Specifics for .Net:
In particular, if the database supports Integrated Windows Authentication, prefer a Windows user over a SQL user.
Configure the connection string with "Trusted_Connection=True;" or "Integrated Security=SSPI;" (or "Integrated Security=true;").
Alternatively, define the application's connection string in the web.config configuration file. Typically, this should be in the connectionString attribute of an <add> element, under the <connectionStrings> element.
Encrypt the configured connection strings using: aspnet_regiis -pe "connectionStrings" -app "/YourApplication"
Specifics for Java:
In particular, if the database supports Integrated Authentication or Kerberos, prefer it over explicit credentials for a SQL user.
If possible, configure the JDBC URL with "integratedSecurity=true;" and "authenticationScheme=JavaKerberos".
Alternatively, define the database password and JDBC connection parameters in an encrypted configuration file, e.g. a .properties file.
Ideally, leverage the Java Application Server infrastructure to protect the database password using a specific container-provided mechanism, e.g. Oracle's Wallet, WebSphere's security.xml with CustomPasswordEncryption, or JBoss' SecureIdentityLoginModule.
Violation Code Sample
.Net sample
using System.Data.SqlClient;

var builder = new SqlConnectionStringBuilder();
builder.Password = "mypass"; // VIOLATION: password literal embedded in the code
Java sample
import java.sql.Connection;
import java.sql.DriverManager;

String urlJdbc = "jdbc:sqlserver://dbServer/appDb";
Connection conn = DriverManager.getConnection(urlJdbc, "sa", "mypass"); // VIOLATION: user and password literals embedded in the code
Fixed Code Sample
.Net remediation sample
using System.Data.SqlClient;

var builder = new SqlConnectionStringBuilder();
// sqlUser & sqlPass read from an encrypted web.config file (see aspnet_regiis above).
builder.UserID = sqlUser;
builder.Password = sqlPass; // FIXED: no credential literal in the code
Java remediation sample
import java.sql.Connection;
import java.sql.DriverManager;

String urlJdbc = "jdbc:sqlserver://dbServer/appDb";
// sqlUser & sqlPass read from an encrypted .properties file.
Connection conn = DriverManager.getConnection(urlJdbc, sqlUser, sqlPass); // FIXED: no credential literal in the code
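As an added example (not part of the CAST rule page or its analyzer), a small Python lint that flags the violation patterns above and passes the remediated forms; it also covers a password embedded in a literal connection string, which the samples above do not show. The sample snippets are constructed from the page's .Net and Java examples.

```python
"""Constructed example: flag hard-coded database credentials in source lines.
Patterns covered: a string literal assigned to a .Password property, a
Password=/Pwd= value inside a literal connection string, and string-literal
user/password arguments passed to DriverManager.getConnection."""
import re

# builder.Password = "mypass";
_LITERAL_PASSWORD_ASSIGN = re.compile(r'\.(?:Password|password)\s*=\s*"[^"]*"')
# "Server=...;Password=mypass;" or "...;pwd=mypass" inside a string literal
_CONNSTRING_PASSWORD = re.compile(
    r'"[^"]*(?:Password|Pwd)\s*=\s*[^;"]+[^"]*"', re.IGNORECASE)
# DriverManager.getConnection(url, "user", "pass") with literal credentials
_JDBC_LITERAL_CREDS = re.compile(
    r'getConnection\s*\([^,()]+,\s*"[^"]*"\s*,\s*"[^"]*"\s*\)')


def find_hardcoded_credentials(source: str):
    """Return (line_number, line) for every line matching a violation pattern."""
    findings = []
    for number, line in enumerate(source.splitlines(), start=1):
        if line.strip().startswith("//"):   # skip pure comment lines
            continue
        if (_LITERAL_PASSWORD_ASSIGN.search(line)
                or _CONNSTRING_PASSWORD.search(line)
                or _JDBC_LITERAL_CREDS.search(line)):
            findings.append((number, line.strip()))
    return findings


# Constructed samples: the page's violation forms plus a literal connection string.
VIOLATION_SAMPLES = '''var builder = new SqlConnectionStringBuilder();
builder.Password = "mypass"; // VIOLATION
String urlJdbc = "jdbc:sqlserver://dbServer/appDb";
conn = DriverManager.getConnection(urlJdbc, "sa", "mypass"); // VIOLATION
var cs = "Server=dbServer;Database=appDb;User Id=sa;Password=mypass;";
'''

# Constructed samples: the page's remediated forms plus integrated authentication.
FIXED_SAMPLES = '''var builder = new SqlConnectionStringBuilder();
//sqlUser & sqlPass read from an encrypted web.config file.
builder.Password = sqlPass; // FIXED
String urlJdbc = "jdbc:sqlserver://dbServer/appDb;integratedSecurity=true;";
conn = DriverManager.getConnection(urlJdbc, sqlUser, sqlPass); // FIXED
var cs = "Server=dbServer;Database=appDb;Integrated Security=SSPI;";
'''

if __name__ == "__main__":
    for number, text in find_hardcoded_credentials(VIOLATION_SAMPLES):
        print(f"line {number}: hard-coded credential: {text}")
```

The lint only looks at string literals, so credentials that reach the code through a variable loaded from an encrypted configuration file are not reported, which matches the FIXED forms.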
Reference
CWE-547: Use of Hard-coded, Security-relevant Constants
https://cwe.mitre.org/data/definitions/547.html
Related Technologies
Technical Criterion
CWE-798 - Use of Hard-coded Credentials
About CAST Appmarq
CAST Appmarq is by far the biggest repository of data about real IT systems. It's built on thousands of analyzed applications, made of 35 different technologies, by over 300 business organizations across major verticals. It provides IT Leaders with factual key analytics to let them know if their applications are on track.