...
Do not hard code sensitive data in programs.
Hard coding sensitive data is considered very bad programming practice because it forces the development environment itself to be secure. See MSC41-C. Never hard code sensitive information for details.
Disable memory dumps.
Memory dumps are automatically created when your program crashes. They can contain information stored in any part of program memory. Therefore, memory dumps should be disabled before an application is shipped to users. See MEM06-C. Ensure that sensitive data is not written out to disk for details.
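As an added illustration (not code from the CERT page itself), the following C program shows one way to act on both recommendations on a POSIX/Linux system: it disables core dumps with `setrlimit(RLIMIT_CORE, ...)` (and, on Linux, clears the process's dumpable flag with `prctl`), verifies the limit, takes the secret from an environment variable rather than a string literal, and erases the stack copy before returning. The variable name `EXAMPLE_SECRET` is an assumption for the demonstration.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

/* Disable core dumps for this process and any children: set both the soft
 * and hard RLIMIT_CORE to 0 (lowering a limit needs no privilege; raising a
 * hard limit of 0 later does). On Linux, also clear the "dumpable" flag so
 * the process is not core-dumped or attached to by other unprivileged users.
 * Returns 0 on success, -1 on failure. */
int disable_core_dumps(void) {
    struct rlimit rl = { 0, 0 };
    if (setrlimit(RLIMIT_CORE, &rl) != 0) {
        perror("setrlimit(RLIMIT_CORE)");
        return -1;
    }
#ifdef __linux__
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0) {
        perror("prctl(PR_SET_DUMPABLE)");
        return -1;
    }
#endif
    return 0;
}

/* Check that core dumps are really off: soft and hard limits must both be 0. */
int core_dumps_disabled(void) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_CORE, &rl) != 0) return 0;
    return rl.rlim_cur == 0 && rl.rlim_max == 0;
}

/* Erase a sensitive buffer through a volatile pointer so the compiler cannot
 * drop the stores as "dead" (the usual problem with a plain memset). */
void secure_erase(void *buf, size_t len) {
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--) *p++ = 0;
}

int main(void) {
    char secret[64];
    if (disable_core_dumps() != 0) return 1;
    /* Assumed: the secret is supplied at run time, never compiled in. */
    const char *src = getenv("EXAMPLE_SECRET");
    snprintf(secret, sizeof secret, "%s", src ? src : "");
    printf("core dumps disabled: %s, secret length %zu\n",
           core_dumps_disabled() ? "yes" : "no", strlen(secret));
    secure_erase(secret, sizeof secret);   /* clear the stack copy when done */
    return 0;
}
```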
...
Tool | Version | Checker | Description
---|---|---|---
CodeSonar | | HARDCODED.AUTH, HARDCODED.KEY, HARDCODED.SALT, MISC.CRYPTO.NOPAD, MISC.PWD.PLAIN, MISC.PWD.PLAINTRAN | Hardcoded Authentication; Hardcoded Crypto Key; Hardcoded Crypto Salt; Encryption without Padding; Plaintext Storage of Password; Plaintext Transmission of Password
PC-lint Plus | | 586 | Partially supported: reports functions that read passwords from the user or that take a password as an argument instead of prompting the user, as well as insecure password erasure
Polyspace Bug Finder | | Checks for: sensitive data not cleared or released by memory routine; variable in stack is not cleared and contains sensitive data; function is not reentrant or uses a risky encryption algorithm; encryption or decryption key is constant instead of randomized or generated from a weak random number generator; initialization vector is constant instead of randomized | Rec. partially covered.
Related Guidelines
Standard | Guideline
---|---
CERT Oracle Secure Coding Standard for Java | MSC03-J. Never hard code sensitive information
CERT C Secure Coding Standard | MSC41-C. Never hard code sensitive information
MITRE CWE | CWE-259, Use of Hard-coded Password; CWE-261, Weak Cryptography for Passwords; CWE-311, Missing Encryption of Sensitive Data; CWE-319, Cleartext Transmission of Sensitive Information; CWE-321, Use of Hard-coded Cryptographic Key; CWE-326, Inadequate Encryption Strength; CWE-798, Use of Hard-coded Credentials
...