SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 96

changes.mady.by.user Pranjal Jumde

Saved on

compared with

New Version 97

changes.mady.by.user Fred Long

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

ToolVersionCheckerDescription
Fortify1.0

Password_Management

Password_Management__Hardcoded_Password

Partially Implemented
Coverity1.0FB.DMI_CONSTANT_DB_ PASSWORDPartially Implemented
PMD1.0AvoidUsingHardCodedIPPartially Implemented

Related Vulnerabilities

GERONIMO-2925, GERONIMO-1135 describes a vulnerability in the WAS CE tool, which is based on Apache Geronimo. It uses the Advanced Encryption Standard (AES) to encrypt passwords but uses a hard-coded key that is identical for all the WAS CE server instances. Consequently, anyone who can download the software is provided with the key to every instance of the tool. This vulnerability was resolved by having each new installation of the tool generate its own unique key and use it from that time on.

Related Guidelines

CERT C Secure Coding Standard

MSC18-C. Be careful while handling sensitive data, such as passwords, in program code

ISO/IEC TR 24772:2010

Hard-coded Password [XYP]

MITRE CWE

CWE-259. Use of hard-coded password

 

CWE-798. Use of hard-coded credentials

Android Implementation Details

Hard coded information can be easily obtained on Android by using the apktool to decompile an application or by using dex2jar to convert a dex file to a jar file.

Bibliography

[Chess 2007]

11.2, Outbound Passwords: Keep Passwords out of Source Code

[Fortify 2008]

Unsafe Mobile Code: Database Access

[Gong 2003]

9.4, Private Object State and Object Immutability

...