Non-encrypted confidential information - Base 64
Need
To secure sensitive information like service credentials.
Context
- Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
- Usage of Phoenix Framework for web development
- Usage of Ecto for database interactions
Description
Non-compliant code
defmodule MyApp.Config do
  # Service credentials hard-coded in the module, only Base64-encoded (not encrypted)
  @db_username "c2VydmljZV91c2Vy"
  @db_password "c2VydmljZV9wYXNzd29yZA=="

  # Anyone who can read this file can run the same decode and recover both values
  def get_db_credentials do
    username = Base.decode64!(@db_username)
    password = Base.decode64!(@db_password)
    {username, password}
  end
end
This code is vulnerable because it stores service credentials as Base64 encoded strings in the source code. While Base64 encoding might obscure the credentials at first glance, it is a reversible operation that does not provide any real security. Anyone with access to the code can easily decode the credentials.
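Because the encoding is reversible, this anti-pattern is also easy to detect in a code review or pre-commit check. The following Python scanner is an added example, not part of the original page: it looks for Elixir module attributes whose quoted value is valid Base64 that decodes to printable text, using a constructed copy of the non-compliant module as input (the attribute names and the `find_encoded_secrets` helper are assumptions for this example).

```python
import base64
import binascii
import re

# Constructed sample reproducing the anti-pattern above; the values are not real credentials.
SAMPLE_SOURCE = '''
defmodule MyApp.Config do
  @db_username "c2VydmljZV91c2Vy"
  @db_password "c2VydmljZV9wYXNzd29yZA=="
  @app_name "MyApp"
  @timeout 5000
end
'''

# Elixir module attribute assigned a quoted string that looks like Base64 (8+ chars, optional padding).
ATTR_RE = re.compile(r'@(\w+)\s+"([A-Za-z0-9+/]{8,}={0,2})"')


def decode_if_base64(value: str):
    """Return the decoded text if value is valid Base64 yielding printable ASCII, else None."""
    if len(value) % 4 != 0:
        return None
    try:
        raw = base64.b64decode(value, validate=True)
    except (ValueError, binascii.Error):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    if not text or not text.isprintable():
        return None
    return text


def find_encoded_secrets(source: str):
    """Return (attribute_name, decoded_text) for each attribute hiding text behind Base64."""
    findings = []
    for attr, value in ATTR_RE.findall(source):
        decoded = decode_if_base64(value)
        if decoded is not None:
            findings.append((attr, decoded))
    return findings


if __name__ == "__main__":
    for attr, decoded in find_encoded_secrets(SAMPLE_SOURCE):
        print(f"@{attr} decodes to {decoded!r}: move it out of the source")
```

The decoded text is the proof that Base64 gave no protection; in a CI check you would report only the attribute name and location rather than echo the recovered value.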
Steps
- Use environment variables to store service credentials.
- Use a secure and encrypted key vault service to store sensitive data.
- Purge sensitive data from version control history.
Compliant code
defmodule MyApp.Config do
  # Credentials are read from the runtime environment, so nothing sensitive lives in the repository
  def get_db_credentials do
    username = System.get_env("DB_USERNAME")
    password = System.get_env("DB_PASSWORD")
    {username, password}
  end
end
In this secure code example, environment variables are used to store the service credentials. This means that the credentials are no longer stored in the source code and can be managed securely outside the application, for example, through the settings of the hosting environment or using an encrypted key vault service.