
I have an application that has an image upload feature; the images are stored on a third-party service which is basically an SFTP server. The credentials for accessing this storage were initially hard-coded in the Java service class itself, and to secure it, I am planning to keep the SFTP server credentials in a password vault (CyberArk) and then retrieve the credential programmatically (when the application starts up) using the CyberArk REST API and the certificate auth method. After retrieving the credentials from the vault, I plan to keep the password in memory and use it for subsequent communication with the SFTP server. Is this the correct approach? Or will this still be a security risk?

Note 1: this is a Java Struts2 application, deployed as a WAR on a JBoss server.

Note 2: I read in some places that it's safer to use a char array instead of a string to store a password, but I'm not sure if that is enough.

Roman C
soumitra goswami

1 Answer


If someone has access to perform a memory dump (Java heap dump or OS-level dump) they can get the password. This is true if you store it as a string and if you store it as a character array.

A character array is better because you can clear the data (set the characters in the array to 0 or some other value) when you are done with it to get rid of the sensitive values. However, if you have obtained the password with a REST call there may well be a string with it somewhere already, so this may just provide a false sense of security.

On the other hand, if someone can dump your memory to get the cached password, they can probably obtain the credentials for calling the CyberArk API as well? So you may be better served focusing on locking down the server and keeping the password cached. Your call, really.

ewramner
  • `However, if you have obtained the password with a REST call there may well be a string with it somewhere already` I wasn't aware of this. Can you explain this a bit more? I'm not sure where and how this string will be stored, and how it can be accessed; also, the REST call itself will be using HTTPS. – soumitra goswami Mar 02 '23 at 09:43
  • 1
    The REST call probably returns JSON, which may have an intermediate string representation. Regardless, the Java object that the JSON is translated into most likely has a String field for the password, right? If it does, that String can remain on the heap or in the java string pool (https://www.baeldung.com/java-string-pool) just as a String created by you would do. If the String is already there, converting it to a char array makes no difference. The original is still there and can remain for quite some time. The protocol used for the call makes no difference here. – ewramner Mar 02 '23 at 12:09