Source code without sensitive information
Summary
The source code must not contain sensitive information.
Description
Sensitive data is often included in the source code during early development stages for practicality or due to a lack of early architecture. This data includes credentials, secrets, cryptographic keys, personal identification numbers and other personal information. Following secure programming practices, none of this information should be present in the source code, as a leak could put critical systems in jeopardy.
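As an added illustration that is not part of this requirement page (constructed example, not Fluid Attacks' own tooling), the following Python script applies three heuristics to a constructed source snippet: a string literal assigned to a credential-named variable, a high-entropy literal that looks like a key or token, and a hard-coded IPv4 address. The variable names, regular expressions and the entropy threshold are assumptions; the line that reads the key from the environment is the compliant pattern and is not flagged.

```python
import math
import re
from collections import Counter
from typing import List, Tuple

# Heuristic rules constructed for this example; names and thresholds are assumptions.
CREDENTIAL_ASSIGNMENT = re.compile(
    r"""(?i)(password|passwd|secret|api[_-]?key|token|private[_-]?key)\w*["']?\s*[:=]\s*['"]([^'"]{4,})['"]"""
)
LONG_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/=_\-]{20,})['"]""")
IPV4_LITERAL = re.compile(r"""['"](?:\d{1,3}\.){3}\d{1,3}['"]""")
ENTROPY_THRESHOLD = 4.0  # bits per character; random-looking tokens score above this


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def scan_source(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, reason) for every line that appears to embed a secret.

    Reading a value from the environment or a secret manager is not a finding,
    because no literal value is present in the source.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if CREDENTIAL_ASSIGNMENT.search(line):
            findings.append((lineno, "credential-named variable assigned a string literal"))
        elif any(shannon_entropy(m) > ENTROPY_THRESHOLD for m in LONG_LITERAL.findall(line)):
            findings.append((lineno, "high-entropy string literal (possible key or token)"))
        elif IPV4_LITERAL.search(line):
            findings.append((lineno, "hard-coded IP address"))
    return findings


# Constructed sample source; every value below is made up for this example.
SAMPLE_SOURCE = """\
import os
DB_PASSWORD = "changeme123"
API_KEY = os.environ["API_KEY"]
SESSION_SIGNING_KEY = "xK9f2QpL7mZ3vT8wB4nR6yH1"
ADMIN_HOST = "10.0.0.5"
"""

if __name__ == "__main__":
    for lineno, reason in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {reason}")
```

A check like this belongs in a pre-commit hook or CI step and must also be run over the repository history, since a secret removed from the working tree remains in earlier commits.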
Supported In
This requirement is verified in the following services:

| Plan | Supported |
|---|---|
| Machine | 🟢 |
| Squad | 🟢 |
References
- CWE™-259. Use of hard-coded password
- CWE™-540. Inclusion of sensitive information in source code
- CWE™-615. Inclusion of sensitive information in source code comments
- CWE™-798. Use of hard-coded credentials
- ePrivacy Directive-4_1a. Security of processing
- GDPR-25_1. Data protection by design and by default
- GDPR-R51. Protecting sensitive personal data
- OWASP TOP 10-A2. Cryptographic failures
- Agile Alliance-9. Continuous attention to technical excellence and good design
- NY SHIELD Act-5575_B_2. Personal and private information
- MITRE ATT&CK®-M1013. Application developer guidance
- CMMC-AT_L2-3_2_1. Role-based risk awareness
- ISO/IEC 27002-8_28. Secure coding
- NIST SSDF-PW_1_1. Design software to meet security requirements and mitigate security risks
- NIST SSDF-PW_5_1. Archive and protect each software release
- ISSAF-T_6_10. Web application assessment - Test view source bugs
- ISSAF-U_15. Web application SQL injections – Countermeasures
- OWASP SCP-8. Data protection
- BSAFSS-SI_1-2. Avoid architectural weaknesses of authentication failure
- OWASP SAMM-IR_3. Code review process to discover language-level and application-specific risks
- PCI DSS-6_5_5. Changes to all system components are managed securely
- SIG Lite-SL_89. Is there a formal Software Development Life Cycle (SDLC) process?
- SIG Core-I_2_1. Application security
- OWASP ASVS-2_10_4. Service authentication
- OWASP ASVS-6_4_2. Secret management
- ISO/IEC 27001-8_28. Secure coding
- CASA-2_10_4. Service Authentication
- CASA-6_4_2. Secret Management
Vulnerabilities
- 009. Sensitive information in source code
- 138. Inappropriate coding practices
- 142. Sensitive information in source code - API Key
- 326. Sensitive information in source code - Dependencies
- 359. Sensitive information in source code - Credentials
- 367. Sensitive information in source code - Git history
- 432. Inappropriate coding practices - relative path command
- 439. Sensitive information in source code - IP