Hi, I am using HP Fortify to find all vulnerabilities in my app, and now I am trying to solve one that seems basic, but I am not able to do it.
The problem is about a password in configuration. I have a web application, and inside it, in a properties file, there is something like this:
somePassword=passwordPlainText
I agree this is wrong, so I tried to obfuscate it with several methods using http://www.jasypt.org/encrypting-configuration.html (the OBS, CRYPT and ENC types), but I always get the same warning from Fortify when I scan my code. Am I doing something wrong?
Thanks
You may find the following answer helpful. I'm assuming this might be a database password, but the same concepts apply to accessing other types of accounts.
The basic principle is that you want to avoid an accidental leak of the credentials, so put them in a place outside of the code (where all developers will see them), in a configuration file that is outside of the main code root and is carefully access controlled. Ideally, you can avoid passwords altogether by properly configuring database access according to user permissions.
Note: Fortify finds the password issue by basically grepping for "password" (and some variants). So at other times this is a false positive, if you just have a variable named "password" or a comment that mentions "password" but are not hard-coding a password into the file.
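One way to follow the answer's advice in a Java application, as an added example that is not from the original post or from Fortify or Jasypt: the shipped properties file no longer carries the password at all, and the application instead reads it at startup from a separate secrets file whose location comes from a system property or environment variable. Before reading, it refuses a file that anyone other than its owner can read or write. The property name `app.secrets.file`, the environment variable `APP_SECRETS_FILE`, the key `db.password` and the class name are assumptions chosen for this example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Properties;
import java.util.Set;

/**
 * Loads credentials from a file outside the code tree instead of from a
 * properties file checked into the application. Names below are assumptions
 * made for this example, not a real project's configuration.
 */
public final class ExternalCredentials {
    private static final String SYS_PROP = "app.secrets.file";   // -Dapp.secrets.file=/etc/myapp/secrets.properties
    private static final String ENV_VAR = "APP_SECRETS_FILE";    // or export APP_SECRETS_FILE=/etc/myapp/secrets.properties

    private ExternalCredentials() {}

    /** Resolve the secrets file path; a system property wins over the environment variable. */
    static Path resolveSecretsPath() {
        String p = System.getProperty(SYS_PROP);
        if (p == null || p.isEmpty()) {
            p = System.getenv(ENV_VAR);
        }
        if (p == null || p.isEmpty()) {
            throw new IllegalStateException(
                "No secrets file configured: set -D" + SYS_PROP + " or $" + ENV_VAR);
        }
        return Paths.get(p).toAbsolutePath().normalize();
    }

    /** Refuse a secrets file that group or others can read or write (chmod 600 expected). */
    static void checkPermissions(Path path) throws IOException {
        if (!Files.isRegularFile(path)) {
            throw new IOException("Secrets file is not a regular file: " + path);
        }
        try {
            Set<PosixFilePermission> perms = Files.getPosixFilePermissions(path);
            if (perms.contains(PosixFilePermission.GROUP_READ)
                    || perms.contains(PosixFilePermission.OTHERS_READ)
                    || perms.contains(PosixFilePermission.GROUP_WRITE)
                    || perms.contains(PosixFilePermission.OTHERS_WRITE)) {
                throw new IOException(
                    "Secrets file " + path + " is readable or writable by group/others; restrict it to the owner");
            }
        } catch (UnsupportedOperationException e) {
            // Non-POSIX filesystem (e.g. Windows NTFS): ACLs are not inspected by this example.
        }
    }

    /** Load the secrets file and return the value stored under the given key. */
    static String loadSecret(String key) throws IOException {
        Path path = resolveSecretsPath();
        checkPermissions(path);
        Properties props = new Properties();
        try (InputStream in = Files.newInputStream(path)) {
            props.load(in);
        }
        String value = props.getProperty(key);
        if (value == null || value.isEmpty()) {
            throw new IllegalStateException("Key '" + key + "' not present in " + path);
        }
        return value;
    }

    public static void main(String[] args) throws IOException {
        // Example run: java -Dapp.secrets.file=/etc/myapp/secrets.properties ExternalCredentials
        // The file is assumed to contain a line such as:  db.password=<value>
        String dbPassword = loadSecret("db.password");
        System.out.println("Loaded db.password (" + dbPassword.length() + " characters)");
    }
}
```

With this layout the only string containing "password" in the scanned code is the lookup key `db.password`; if Fortify still reports it, that is the false-positive case the answer describes, since no password value is hard-coded in the source.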