Hard coding sensitive information, such as passwords, server IP addresses, and encryption keys can expose the information to attackers. Anyone who has access to the class files can decompile them and discover the sensitive information. Leaking data protected by International Traffic in Arms Regulations (ITAR) or the Health Insurance Portability and Accountability Act (HIPAA) can also have legal consequences. Consequently, programs must not hard code sensitive information.
...
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
MSC03-J | High | Probable | Medium | P12 | L1 |
Automated Detection
| Tool | Version | Checker | Description | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| CodeSonar | 4.2 | FB.SECURITY.DMI_CONSTANT_DB_PASSWORD FB.SECURITY.DMI_EMPTY_DB_PASSWORD |
| JAVA.HARDCODED.PASSWD | Hardcoded Password (Java) Hardcoded constant database password Empty database password | ||||||
| Coverity | 7.5 | HARDCODED_CREDENTIALS | Implemented | ||||||||
| Fortify | 1.0 | Password_Management | Partially implemented | ||||||||
| Parasoft Jtest |
| CERT.MSC03.HCCS CERT.MSC03.HCCK CERT.MSC03.AHCA | Avoid passing hardcoded usernames/passwords/URLs to database connection methods Avoid using hard-coded cryptographic keys Avoid hard-coding the arguments to certain methods | ||||||||
| PMD | 1.0 | AvoidUsingHardCodedIP | Partially implemented | ||||||||
| PVS-Studio |
| V5331 | |||||||||
| SonarQube |
| S1313 S2068 | Partially implemented |
Related Vulnerabilities
GERONIMO-2925 describes a vulnerability in the WAS CE tool, which is based on Apache Geronimo. It uses the Advanced Encryption Standard (AES) to encrypt passwords but uses a hard-coded key that is identical for all the WAS CE server instances. Consequently, anyone who can download the software is provided with the key to every instance of the tool. This vulnerability was resolved by having each new installation of the tool generate its own unique key and use it from that time on.
...
MSC18-C. Be careful while handling sensitive data, such as passwords, in program code | |
| ISO/IEC TR 24772:2010 | Hard-coded Password [XYP] |
CWE-259, Use of Hard-Coded Password |
...