A hard-coded secret has been found in your code. You should quickly list where this secret is used, revoke it, and then change it in every system
that uses it.
Passwords, secrets, and any type of credentials should only be used to authenticate a single entity (a person or a system).
If you allow third parties to authenticate as another system or person, they can impersonate legitimate identities and undermine trust within the
organization.
It does not matter if the impersonation is malicious: In either case, it is a clear breach of trust in the system, as the systems
involved falsely assume that the authenticated entity is who it claims to be.
The consequences can be catastrophic.
Keeping credentials in plain text in a code base is tantamount to sharing that password with anyone who has access to the source code and runtime
servers.
Thus, it is a breach of trust, as these individuals have the ability to impersonate others.
Secret management services are the most efficient tools to store credentials and protect the identities associated with them.
Cloud providers
and on-premise services can be used for this purpose.
If storing credentials in a secret data management service is not possible, follow these guidelines:
- Do not store credentials in a file that an excessive number of people can access.
- For example, not in code, not in a spreadsheet, not on a sticky note, and not on a shared drive.
- Use the production operating system to protect password access control.
- For example, in a file whose permissions are restricted and protected with chmod and chown.
Noncompliant Code Example
use Defuse\Crypto\KeyOrPassword;
function createKey() {
$password = "example";
return KeyOrPassword::createFromPassword($password); // Noncompliant
}
Compliant Solution
Modern web frameworks tend to provide a secure way to pass passwords and secrets to the code. For example, in Symfony you can use vaults to store your secrets. The secret values are referenced in the same way
as environment variables, so you can easily access them through configuration parameters.
use Defuse\Crypto\KeyOrPassword;
class PasswordService
{
private string $password;
public function setPassword(string $password): void
{
$this->password = $password;
}
public function createKey(): KeyOrPassword
{
return KeyOrPassword::createFromPassword($this->password);
}
}
See
