R128. Define unique data source

Requirement

All system passwords must be stored in a unique data source.

References

  1. CWE-522: Insufficiently Protected Credentials. The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

  2. OWASP-ASVS v4.0.1 V6.4 Secret Management. (6.4.1) Verify that a secrets management solution such as a key vault is used to securely create, store, control access to and destroy secrets.

  3. OWASP-ASVS v4.0.1 V6.4 Secret Management. (6.4.2) Verify that key material is not exposed to the application but instead uses an isolated security module like a vault for cryptographic operations.

Copyright © 2020 Fluid Attacks, We hack your software. All rights reserved.