Enabled Default Credentials

Need

Prevent unauthorized access to system resources using default credentials.

Context

  • Usage of Elixir (v1.11+) for building scalable and fault-tolerant applications
  • Usage of PostgreSQL Database for data storage and retrieval

Description

Non-compliant code

# Ecto repo configuration with PostgreSQL's well-known default
# superuser name and password hard-coded into the source tree.
config :my_app, MyApp.Repo,
  database: "my_app_prod",
  username: "postgres",
  password: "postgres",
  hostname: "localhost"

This is the configuration of a PostgreSQL database connection in an Elixir application. The username and password are both set to 'postgres', the commonly used default credentials of a fresh PostgreSQL installation. If an attacker knows or guesses that the application still uses these defaults, they can gain unauthorized access to the database.

Steps

  • Change the default credentials to a unique, strong username and password.
  • Store the new credentials securely. Do not hard-code them into your application. Consider using environment variables or a secure credential storage solution.

Compliant code

# Credentials are read from the environment instead of the source tree.
# Note: in config/config.exs these values are read at compile time; put
# this in config/runtime.exs so they are read when the release boots.
config :my_app, MyApp.Repo,
  database: "my_app_prod",
  username: System.get_env("DB_USERNAME"),
  password: System.get_env("DB_PASSWORD"),
  hostname: "localhost"

In the secure example, the username and password are not hard-coded into the application. Instead, the application retrieves them from environment variables, so the secrets stay out of the repository and can differ per environment. Keep in mind that values read in config/config.exs are fixed at compile time; placing the block in config/runtime.exs makes them be read when the release starts.
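The following config/runtime.exs is an added example, not code from the page above: it reads the credentials at boot with System.fetch_env!/1 so a missing variable fails the start-up instead of silently yielding nil, and it refuses to boot if the supplied values are still the PostgreSQL defaults. The DB_HOSTNAME variable and the default-credential check are assumptions for illustration.

```elixir
# config/runtime.exs -- evaluated when the release boots, so the
# environment of the deployment host is what gets read.
import Config

if config_env() == :prod do
  # fetch_env!/1 raises at start-up when the variable is unset,
  # which is preferable to connecting with username: nil.
  db_user = System.fetch_env!("DB_USERNAME")
  db_pass = System.fetch_env!("DB_PASSWORD")

  # Assumed hardening: reject the well-known PostgreSQL default
  # superuser name and an empty or default password outright.
  default_credentials? =
    db_user == "postgres" or db_pass in ["postgres", ""]

  if default_credentials? do
    raise """
    DB_USERNAME/DB_PASSWORD are set to PostgreSQL default or empty values.
    Provision a dedicated database role with a strong, unique password.
    """
  end

  config :my_app, MyApp.Repo,
    database: "my_app_prod",
    username: db_user,
    password: db_pass,
    # DB_HOSTNAME is an assumed variable; localhost is only a fallback.
    hostname: System.get_env("DB_HOSTNAME", "localhost"),
    pool_size: String.to_integer(System.get_env("POOL_SIZE", "10"))
end
```

Running the release with DB_USERNAME=postgres (or without the variables at all) now aborts at boot with a clear message, which is the behaviour a deployment pipeline can detect.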
