A hard-coded secret has been found in your code. You should quickly list where this secret is used, revoke it, and then change it in every system
that uses it.
Passwords, secrets, and any type of credentials should only be used to authenticate a single entity (a person or a system).
If you allow third parties to authenticate as another system or person, they can impersonate legitimate identities and undermine trust within the
organization.
It does not matter if the impersonation is malicious: In either case, it is a clear breach of trust in the system, as the systems
involved falsely assume that the authenticated entity is who it claims to be.
The consequences can be catastrophic.
Keeping credentials in plain text in a code base is tantamount to sharing that password with anyone who has access to the source code and runtime
servers.
Thus, it is a breach of trust, as these individuals have the ability to impersonate others.
Secret management services are the most efficient tools to store credentials and protect the identities associated with them.
Cloud providers
and on-premise services can be used for this purpose.
If storing credentials in a secret data management service is not possible, follow these guidelines:
- Do not store credentials in a file that an excessive number of people can access.
- For example, not in code, not in a spreadsheet, not on a sticky note, and not on a shared drive.
- Use the production operating system to protect password access control.
- For example, in a file whose permissions are restricted and protected with chmod and chown.
Noncompliant Code Example
import org.h2.security.SHA256;
String inputString = "s3cr37";
byte[] key = inputString.getBytes();
SHA256.getHMAC(key, message); // Noncompliant
Compliant Solution
Using AWS Secrets Manager:
import software.amazon.awssdk.services.secretsmanager.SecretsManagerClient;
import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueRequest;
import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueResponse;
import org.h2.security.SHA256;
public static void doSomething(SecretsManagerClient secretsClient, String secretName) {
GetSecretValueRequest valueRequest = GetSecretValueRequest.builder()
.secretId(secretName)
.build();
GetSecretValueResponse valueResponse = secretsClient.getSecretValue(valueRequest);
String secret = valueResponse.secretString();
byte[] key = secret.getBytes();
SHA256.getHMAC(key, message);
}
Using Azure Key Vault Secret:
import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.security.keyvault.secrets.SecretClient;
import com.azure.security.keyvault.secrets.SecretClientBuilder;
import com.azure.security.keyvault.secrets.models.KeyVaultSecret;
import org.h2.security.SHA256;
public static void doSomething(SecretClient secretClient, String secretName) {
KeyVaultSecret retrievedSecret = secretClient.getSecret(secretName);
String secret = retrievedSecret.getValue();
byte[] key = secret.getBytes();
SHA256.getHMAC(key, message);
}
See