Sensitive information in source code - Dependencies
Need
Protection of sensitive information in source code and dependencies
Context
• Requirement of PHP 5.6 or later for running the application
• Usage of PHP for server-side scripting and web development
Description
1. Non-compliant code
```php
<?php
return [
    /*
    |--------------------------------------------------------------------------
    | Private Key
    |...
    */
    // Config key name assumed; the hard-coded key value is elided on the page.
    'private_key' => '<HARD-CODED PRIVATE KEY WAS HERE>',
];
```

In the PHP code above, the private key is stored directly in the application's configuration file. This is a critical security vulnerability: anyone who gains access to the source code also gains the private key. The key is used to sign and verify tokens for authentication, so an attacker who obtains it could forge tokens and gain unauthorized access to the application. This code belongs to a Laravel backend application; Laravel is a popular PHP framework that follows the MVC (Model-View-Controller) pattern. The private key should not be stored in the codebase or in any other easily accessible place. Instead, it should be kept in a secure and protected environment, such as environment variables or a secure key management system. This vulnerability is a classic example of "Sensitive information in source code" and can lead to serious security breaches if not fixed promptly.
2. Steps
• Remove the private key from the source code.
• Store the private key in a secure and protected environment, such as environment variables or a secure key management system.
• Modify the application to retrieve the private key from the secure location instead of the source code.
• Ensure the private key is not logged or output in any error messages or logs.
• Rotate the private key since it has been exposed in the source code.
3. Secure code example
```php
<?php
return [
    /*
    |--------------------------------------------------------------------------
    | Private Key
    |...
    */
    // Config key name assumed; the value is now read from the environment.
    'private_key' => env('PRIVATE_KEY'),
];
```

The private key has been removed from the source code and is now retrieved from an environment variable using Laravel's `env()` helper, which returns the value of the named variable. Set `PRIVATE_KEY` in your `.env` file, which is not committed to the source code repository; this file must be properly secured and access to it restricted:

```env
PRIVATE_KEY=your-private-key-here
```

Call `env()` only inside configuration files and read the value elsewhere through `config()`: once the configuration is cached with `php artisan config:cache`, the `.env` file is no longer loaded and `env()` returns `null` outside the config files.

This change ensures that the private key is stored in a secure and protected environment rather than in the source code. It also ensures that the private key is not logged or output in any error messages or logs. Since the private key was previously exposed in the source code, it must be rotated to a new value; removing it from the current commit does not remove it from the repository history. Set the new value in the `PRIVATE_KEY` environment variable in the `.env` file. Never commit your `.env` file to the source code repository: add it to your `.gitignore` file to prevent it from being committed.
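The following is an added example, not code from the original page or the project it describes. It shows the loading side of the fix: reading the key from the environment, refusing to start when it is missing or malformed, and keeping key material out of exception messages that may reach a log (step 4 above). It assumes the PEM is base64-wrapped into a single-line variable named `PRIVATE_KEY_B64` (a name chosen here, since a multi-line PEM does not fit naturally on one `.env` line) and uses `getenv()` so it runs outside Laravel; inside Laravel the lookup would sit in a config file via `env()` and callers would use `config()`.

```php
<?php
// Added example, not code from the original page: load the private key from
// the environment, fail closed when it is missing or malformed, and keep
// key material out of exception messages that may be logged.
// Assumption: the PEM is base64-wrapped into the single-line variable
// PRIVATE_KEY_B64 (name chosen here) so a multi-line PEM fits in .env.

final class PrivateKeyLoader
{
    /**
     * Returns an OpenSSL private key handle, or throws without echoing the key.
     * Inside Laravel this lookup would live in a config file via env(), and
     * callers would read it through config(); getenv() keeps the demo standalone.
     */
    public static function fromEnv($var = 'PRIVATE_KEY_B64')
    {
        $raw = getenv($var);
        if ($raw === false || $raw === '') {
            throw new RuntimeException("Environment variable {$var} is not set");
        }
        $pem = base64_decode($raw, true);
        if ($pem === false) {
            throw new RuntimeException("{$var} is not valid base64");
        }
        $key = openssl_pkey_get_private($pem);
        if ($key === false) {
            // Deliberately omit $raw and $pem: this message may end up in a log file.
            throw new RuntimeException("{$var} does not contain a usable private key");
        }
        return $key;
    }
}

// Demo with a throwaway RSA key generated here (constructed, not a real credential).
$tmp = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
openssl_pkey_export($tmp, $pem);
putenv('PRIVATE_KEY_B64=' . base64_encode($pem));
$key = PrivateKeyLoader::fromEnv();
echo 'loaded key, bits=' . openssl_pkey_get_details($key)['bits'] . PHP_EOL;

putenv('PRIVATE_KEY_B64');   // unset it: the application must fail closed
try {
    PrivateKeyLoader::fromEnv();
} catch (RuntimeException $e) {
    echo 'refused: ' . $e->getMessage() . PHP_EOL;   // contains no key bytes
}
```

Because the key is validated at load time, a missing or mistyped `.env` entry surfaces as a clear startup error instead of a `null` key that only fails when the first token is signed.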