Encrypt connection strings
Summary
The system should load encrypted database connection strings from a protected configuration file that resides separately from the source code.
Description
Database connection strings are very sensitive information because they contain credentials that often have high privileges over the systems database. Thus, these strings should not be part of the systems source code and should not be stored in plain text. They should be encrypted using a secure cryptographic algorithm and the encryption key should also be protected.
Supported In
This requirement is verified in following services
| Plan | Supported |
|---|---|
| Essential | 🔴 |
| Advanced | 🟢 |
References
- CWE™-259. Use of hard-coded password
- CWE™-311. Missing encryption of sensitive data
- CWE™-798. Use of hard-coded credentials
- OWASP TOP 10-A7. Identification and authentication failures
- OWASP-M TOP 10-M7. Poor code quality
- OWASP-M TOP 10-M9. Reverse engineering
- Agile Alliance-9. Continuous attention to technical excellence and good design
- BIZEC-APP-APP-07. Cross-client database access
- CERT-C-STR30-C. Do not attempt to modify string literals
- CERT-J-IDS01-J. Normalize strings before validating them
- MITRE ATT&CK®-M1013. Application developer guidance
- CMMC-AC_L2-3_1_13. Remote access confidentiality
- ISO/IEC 27002-8_28. Secure coding
- WASSEC-6_2_4_1. Command execution - Format string attack
- ISSAF-H_15_9. Network security - Intrusion detection (rule configuration and management interface)
- OWASP SCP-11. Database security
- OWASP SCP-13. Memory management
- CWE TOP 25-77. Improper neutralization of special elements used in a command (command injection)
- SWIFT CSCF-6_3. Database integrity
- SIG Core-D_6_9_1. Asset and information management
- ISO/IEC 27001-8_28. Secure coding
- SANS 25-16. Improper neutralization of special elements used in a command (command injection)
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.