Missing database password detected

Overview

Rule ID: java_lang_empty_database_password
Applicable Languages: Java
Weakness ID: CWE-306

Description

Leaving a database password empty exposes the database to unauthorized access and manipulation. Implementing strong authentication measures is crucial to safeguard database content.

Remediation Guidelines

Do not configure database servers without setting a password, as this leaves the database vulnerable to unauthorized access.
Adopt secure password management practices. Use a Key Management Service (KMS) to handle database passwords securely, ensuring they are not exposed in application code or configuration files.

References

OWASP hardcoded passwords
CWE-306: Missing Authentication for Critical Function
OWASP Top 10: A07:2021 - Identification and Authentication Failures

Configuration

To omit this rule during a scan, and to provide you with continuous 24/7 code-level scanning, you can employ our SAST TOOL

PreviousMissing authentication for database NextMissing HTTP Only Option in Cookie Configuration

Last updated 1 month ago