...

There are a few cases in which you may be forced to encrypt passwords, or even to hold them as cleartext. These cases arise when you are extending code or an application that you cannot change. For example, a password manager may need to supply passwords to other programs as cleartext. Another example is a library that hands you the password as a Java String object, which causes the same vulnerability as in the second noncompliant example. In these cases your best strategy may be to fall back on a slightly weaker method such as encryption, unless you can change the other code.
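The fallback the paragraph describes, as an added example that is not the CERT rule's own code: a password manager that must recover cleartext encrypts with AES-GCM under a key assumed to come from a keystore or HSM, and a String handed over by a hypothetical legacy library is copied to a char[] at once so that at least the copies can be cleared.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
// Added illustration, not CERT's code. The key is assumed to come from a keystore/HSM.
public final class RecoverablePasswordStore {
    private static final int IV_BYTES = 12;   // GCM nonce size
    private static final int TAG_BITS = 128;  // GCM authentication tag size
    // Encrypt a password that must later be fed to another program as cleartext;
    // output layout is iv || ciphertext || tag.
    public static byte[] seal(SecretKey key, char[] password) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        new SecureRandom().nextBytes(iv);     // fresh nonce per encryption, never reused
        ByteBuffer bb = StandardCharsets.UTF_8.encode(CharBuffer.wrap(password));
        byte[] plain = Arrays.copyOf(bb.array(), bb.limit());
        try {
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
            byte[] ct = c.doFinal(plain);
            byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
            System.arraycopy(ct, 0, out, iv.length, ct.length);
            return out;
        } finally {
            Arrays.fill(plain, (byte) 0);     // scrub every cleartext copy we made
            Arrays.fill(bb.array(), (byte) 0);
        }
    }
    // Recover the cleartext; the caller owns the char[] and must clear it after use.
    public static char[] open(SecretKey key, byte[] sealed) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, sealed, 0, IV_BYTES));
        byte[] plain = c.doFinal(sealed, IV_BYTES, sealed.length - IV_BYTES);
        CharBuffer cb = StandardCharsets.UTF_8.decode(ByteBuffer.wrap(plain));
        char[] pw = Arrays.copyOf(cb.array(), cb.limit());
        Arrays.fill(plain, (byte) 0);
        Arrays.fill(cb.array(), '\0');
        return pw;
    }
    // A (hypothetical) library that hands us a String: copy it to char[] right away
    // so our own copies can be cleared; the immutable String itself cannot be.
    public static byte[] sealFromLegacy(SecretKey key, String fromLibrary) throws Exception {
        char[] pw = fromLibrary.toCharArray();
        try { return seal(key, pw); } finally { Arrays.fill(pw, '\0'); }
    }
}
```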

Risk Assessment

Violations of this rule could be detected automatically but may require substantial redevelopment effort if functions must be revised to accept different parameter types. Noncompliance may lead to concurrency violations that put data integrity at risk and may also result in abnormal program termination.

Rule     Severity  Likelihood  Remediation Cost  Priority  Level
CON40-C  medium    unlikely    medium            P4        L3