
Hard coding sensitive information, such as passwords, server IP addresses and encryption keys, exposes that information to attackers. Anyone who can obtain the class files can decompile them and recover the embedded secrets; compiled Java bytecode keeps string constants intact, so no reverse-engineering skill is needed beyond running a decompiler or even a string search. Programs must therefore not hard code sensitive information.

...

This compliant solution retrieves the password from an external file located in a secure directory, that is, one whose contents are readable only by the account under which the program runs. The password is read into a char array rather than a String because a String is immutable and cannot be overwritten, so its contents would remain in memory until garbage collected. Exposure is further limited by clearing the char array immediately after use.

import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStreamReader;

class Password {
  public static void main(String[] args) throws IOException {
    char[] password = new char[100];
    BufferedReader br = new BufferedReader(new InputStreamReader(
        new FileInputStream("credentials.txt")));
    try {
      // Reads the password into the char array; returns the number of characters read
      int n = br.read(password);
      // Decrypt password, perform operations, validate
      for (int i = n - 1; i >= 0; i--) {  // Manually clear out the password immediately after use
        password[i] = 0;
      }
    } finally {
      br.close();
    }
  }
}
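The following is an added example, not code from this CERT page, that fills in two details the compliant solution above leaves implicit: what "a secure directory" means in practice and how to guarantee the wipe on every exit path, including exceptions. It assumes a POSIX file system for the permission check (on other file systems the check is skipped, with a comment saying so), that the credentials file holds the password in plain text so the decryption step is omitted, and the hypothetical names FilePasswordSource, load, authenticate and PasswordConsumer.

```java
import java.io.IOException;
import java.io.Reader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Arrays;
import java.util.Set;

// Hypothetical helper (not part of the CERT page): loads a credential from a
// file and guarantees it is wiped from memory after a single use.
public final class FilePasswordSource {

  private static final int MAX_PASSWORD_CHARS = 256;

  /**
   * Loads a password from a credentials file into a char[] (never a String,
   * which cannot be zeroed). Refuses files that other users can read.
   */
  static char[] load(Path file) throws IOException {
    try {
      // On POSIX file systems, reject credentials readable by group or others.
      Set<PosixFilePermission> perms = Files.getPosixFilePermissions(file);
      if (perms.contains(PosixFilePermission.GROUP_READ)
          || perms.contains(PosixFilePermission.OTHERS_READ)) {
        throw new IOException("credentials file " + file + " is readable by other users");
      }
    } catch (UnsupportedOperationException e) {
      // Non-POSIX file system (e.g. Windows ACLs): permissions must be checked another way.
    }

    char[] buf = new char[MAX_PASSWORD_CHARS];
    int n = 0;
    try (Reader in = Files.newBufferedReader(file, StandardCharsets.UTF_8)) {
      int r;
      // read() may return fewer chars than requested; loop until EOF or the buffer is full.
      while (n < buf.length && (r = in.read(buf, n, buf.length - n)) != -1) {
        n += r;
      }
    } catch (IOException | RuntimeException e) {
      Arrays.fill(buf, '\0');  // do not leave a partial secret behind on failure
      throw e;
    }

    // Drop a trailing newline left by editors, then return a right-sized copy.
    while (n > 0 && (buf[n - 1] == '\n' || buf[n - 1] == '\r')) {
      n--;
    }
    char[] password = Arrays.copyOf(buf, n);
    Arrays.fill(buf, '\0');  // wipe the oversized scratch buffer
    return password;
  }

  /** Uses the password for one operation and wipes it afterwards, even on exception. */
  static boolean authenticate(Path file, PasswordConsumer op) throws IOException {
    char[] password = load(file);
    try {
      return op.accept(password);
    } finally {
      Arrays.fill(password, '\0');  // clear immediately after use
    }
  }

  interface PasswordConsumer {
    boolean accept(char[] password) throws IOException;
  }

  public static void main(String[] args) throws IOException {
    // Falls back to the same file name the compliant solution uses.
    Path file = Paths.get(args.length > 0 ? args[0] : "credentials.txt");
    boolean ok = authenticate(file, pw -> {
      // Hypothetical use: hand the char[] to an API that accepts char[] directly
      // (javax.crypto.spec.PBEKeySpec does) rather than converting it to a String.
      return pw.length > 0;
    });
    System.out.println(ok ? "credential loaded and wiped" : "empty credential");
  }
}
```

Compile with javac and run with the path of a credentials file as the only argument. Whatever consumes the password should accept the char[] directly, as PBEKeySpec does, so that no String copy is ever created; a String built from the array would defeat the wipe.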

...

CERT C Secure Coding Standard

MSC18-C. Be careful while handling sensitive data, such as passwords, in program code

ISO/IEC TR 24772:2010 (http://www.aitcnet.org/isai/)

"Hard-coded Password [XYP]"

MITRE CWE

CWE ID 259, "Use of Hard-coded Password"

CWE ID 798, "Use of Hard-coded Credentials"

...

[Chess 2007]

11.2 Outbound Passwords: Keep Passwords out of Source Code

[Fortify 2008]

"Unsafe Mobile Code: Database Access"

[Gong 2003]

9.4 Private Object State and Object Immutability

...