The source code must not contain sensitive information.
Sensitive data is often included in the source code during early development stages for practicality or due to a lack of early architecture. This data includes credentials, secrets, cryptographic keys, personal identification numbers and other personal information. Following secure programming practices, none of this information should be present in the source code, as a leak could put critical systems in jeopardy.
CWE-259: Use of Hard-coded Password: The software contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components.
CWE-321: Use of Hard-coded Cryptographic Key: The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.
CWE-522: Insufficiently Protected Credentials: The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
CWE-540: Inclusion of Sensitive Information in Source Code: Source code on a web server or repository often contains sensitive information and should generally not be accessible to users.
CWE-615: Inclusion of Sensitive Information in Source Code Comments: While adding general comments is very useful, some programmers tend to leave important data, such as: filenames related to the web application, old links or links which were not meant to be browsed by users, old code fragments, etc.
CWE-798: Use of Hard-coded Credentials: The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.
Directive 2002 58 EC (amended by E-privacy Directive 2009 136 EC). Art. 4: Security of processing.(1a): The measures referred to in paragraph 1 shall at least protect personal data stored or transmitted against accidental or unlawful destruction, accidental loss or alteration, and unauthorized or unlawful storage, processing, access or disclosure.
GDPR. Art. 25: Data protection by design and by default.(1): The controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures.
GDPR. Recital 51: Protecting sensitive personal data: Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms.
OWASP Top 10 A3:2017-Sensitive Data Exposure: Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.
OWASP-ASVS v4.0.1 Appendix C: Internet of Things Verification Requirements.(C.13): Verify all code including third-party binaries, libraries, frameworks are reviewed for hardcoded credentials (backdoors).
OWASP-ASVS v4.0.1 V2.10 Service Authentication Requirements.(2.10.3): Verify that passwords are stored with sufficient protection to prevent offline recovery attacks, including local system access.
OWASP-ASVS v4.0.1 V2.10 Service Authentication Requirements.(2.10.4): Verify passwords, integrations with databases and third-party systems, seeds and internal secrets, and API keys are managed securely and not included in the source code or stored within source code repositories.
OWASP-ASVS v4.0.1 V6.4 Secret Management.(6.4.1): Verify that a secrets management solution such as a key vault is used to securely create, store, control access to and destroy secrets.
OWASP-ASVS v4.0.1 V6.4 Secret Management.(6.4.2): Verify that key material is not exposed to the application but instead uses an isolated security module like a vault for cryptographic operations.