8

I submitted my application EAR to Veracode Security scanning tool and got this flaw in the below piece of code :

import java.sql.Connection;
import java.sql.DriverManager;

private String url = "jdbc:mysql://localhost:8081/sql";
private String userName = "xyz";
private String password = "abc"; // hard-coded credential: this literal is what the scanner reports
Connection conn = DriverManager.getConnection(url, userName, password); // At this line I am getting this flaw.

Someone please help me on how to resolve CWE-259: Use of Hard-coded Password Flaw.

user1782009
  • Have the password be passed as a command-line parameter; or read from a config file; or hard-code the encrypted password, then decrypt and connect. – recursion.ninja Apr 14 '13 at 18:00
  • @awashburn I can't imagine hard-coding a password, encrypted or not, being a good idea. If someone figures the password out, you need to get a new version of the software to change the password. I'd go with your other option, a well-protected, possibly encrypted, config file. – Joachim Isaksson Apr 14 '13 at 18:17
  • @JoachimIsaksson That's why it was the last option, a quick fix that may trick the auto-validator. It's obviously still not a good idea from a security standpoint. – recursion.ninja Apr 14 '13 at 18:19
  • I have already stored all my passwords for connecting to the database in a properties file and then get those values in my JAVA code. – user1782009 Apr 14 '13 at 18:29

2 Answers

5

The reason you are getting the hard-coded password flaw is that in line three of your snippet you are hard-coding your password in a variable. You are storing sensitive information (username and password) in the source code, which is a flaw because your source can be decompiled.

One way to fix this flaw is to store the credentials in a strongly encrypted file, or apply strong one-way hashes to the credentials and store those hashes in a configuration file.

You can get more information here: http://cwe.mitre.org/data/definitions/259.html

patopop007
  • I have stored my passwords in a properties file and then get that value in my JAVA code. Could you please give me an example of how to apply hashes to the credentials and store those hashes in a configuration file? – user1782009 Apr 14 '13 at 18:22
  • Someone please help me on this by giving some examples to resolve this issue. – user1782009 Apr 22 '13 at 06:04
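A Java sketch of what the first answer recommends (credentials kept in a protected file outside the source tree, with environment variables able to override it so nothing secret is ever a literal in the code), added here as an example that is not part of any post on this page. The path /etc/myapp/db.properties, the db.config system property and the DB_URL/DB_USER/DB_PASSWORD variable names are assumptions.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;

/** Opens a JDBC connection with no credential literal anywhere in the source. */
public final class DbCredentials {
    // The properties file path is itself configurable (-Ddb.config=...); the file
    // lives outside the deployed EAR and is protected by file-system permissions.
    private static final String DEFAULT_CONFIG = "/etc/myapp/db.properties"; // assumed path

    /** Load url/user/password from the file, letting environment variables override it. */
    static Properties load() throws IOException {
        Properties props = new Properties();
        File cfg = new File(System.getProperty("db.config", DEFAULT_CONFIG));
        if (cfg.canRead()) {
            try (InputStream in = new FileInputStream(cfg)) {
                props.load(in);
            }
        }
        // Environment variables (e.g. injected by the container or a secret store) win.
        override(props, "url", "DB_URL");
        override(props, "user", "DB_USER");
        override(props, "password", "DB_PASSWORD");
        for (String key : new String[] {"url", "user", "password"}) {
            String value = props.getProperty(key);
            if (value == null || value.isEmpty()) {
                throw new IllegalStateException("missing database setting: " + key);
            }
        }
        return props;
    }

    private static void override(Properties props, String key, String envName) {
        String value = System.getenv(envName);
        if (value != null && !value.isEmpty()) {
            props.setProperty(key, value);
        }
    }

    /** DriverManager reads the "user" and "password" keys straight from the Properties. */
    static Connection connect() throws IOException, SQLException {
        Properties props = load();
        String url = (String) props.remove("url"); // url is not a driver property
        return DriverManager.getConnection(url, props);
    }
}
```

Because the scanner flags the literal, not the variable name, moving the value to a file or environment variable is what removes the CWE-259 finding; an encrypted copy of the password sitting in the source would still be a secret shipped with the code.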
-6

string Password = new Securestring("123").GetValue();

class Securestring {
    private readonly string _password;

    public Securestring(string value) {
        _password = value;
    }

    public string GetValue() {
        return _password;
    }
}
Dovydas Šopa
mahen