Usage of hard-coded database password

Overview

  • Rule ID: java_lang_hardcoded_database_password

  • Applicable Languages: Java

  • Weakness ID: CWE-259

Description

Hard-coding database passwords presents a substantial security threat. Including passwords directly in your code increases the risk of unauthorized database access if the codebase is compromised.

Remediation Guidelines

  • Avoid embedding database passwords directly in your code, as this practice is insecure and exposes your database to potential unauthorized access. For example, using code like:

    Connection conn = DriverManager.getConnection(url, "admin", "secret");
    
  • Instead, read sensitive information such as database passwords from environment variables at runtime. This keeps credentials out of the codebase and lets them be managed separately from the source.

  • Consider using a key-management system to store and serve passwords and other sensitive values; it provides stronger controls for managing and accessing credentials than environment variables alone.
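The environment-variable approach from the list above, as an added example that is not part of the original rule page; the class name and the variable names DB_URL, DB_USER and DB_PASSWORD are assumptions:

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;

/** Loads database credentials from the environment instead of the source tree. */
public final class DatabaseCredentials {
    // Variable names are an assumption for this example; choose names that fit your deployment.
    static final String URL_VAR = "DB_URL";
    static final String USER_VAR = "DB_USER";
    static final String PASSWORD_VAR = "DB_PASSWORD";

    private final String url;
    private final String user;
    private final String password;

    private DatabaseCredentials(String url, String user, String password) {
        this.url = url;
        this.user = user;
        this.password = password;
    }

    /** Fails closed: a missing variable is an error, never silently replaced by a default. */
    public static DatabaseCredentials fromEnvironment() {
        return new DatabaseCredentials(require(URL_VAR), require(USER_VAR), require(PASSWORD_VAR));
    }

    private static String require(String name) {
        String value = System.getenv(name);
        if (value == null || value.isBlank()) {
            // Report only the variable name, never its value, so logs stay free of secrets.
            throw new IllegalStateException("Required environment variable " + name + " is not set");
        }
        return value;
    }

    /** Opens the connection; the password never appears as a literal anywhere in the code. */
    public Connection open() throws SQLException {
        Properties props = new Properties();
        props.setProperty("user", user);
        props.setProperty("password", password);
        return DriverManager.getConnection(url, props);
    }

    /** Keeps the secret out of any accidental logging of this object. */
    @Override
    public String toString() {
        return "DatabaseCredentials{url=" + url + ", user=" + user + ", password=<redacted>}";
    }
}
```

Usage: `try (Connection conn = DatabaseCredentials.fromEnvironment().open()) { ... }`, with the three variables set by the runtime environment (container, service manager or CI secret store) rather than committed to the repository.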

Configuration

To omit this rule during a scan, disable it in your scanner configuration.
