156 – Source code without sensitive information

Summary

The source code must not contain sensitive information.

Description

Sensitive data is often included in the source code during early development stages for practicality or due to a lack of early architecture. This data includes credentials, secrets, cryptographic keys, personal identification numbers and other personal information. Following secure programming practices, none of this information should be present in the source code, as a leak could put critical systems in jeopardy.

Supported In

Essential: True

Advanced: True

References

• CWE-259. Use of hard-coded password
• CWE-540. Inclusion of sensitive information in source code
• CWE-615. Inclusion of sensitive information in source code comments
• CWE-798. Use of hard-coded credentials
• EPRIVACY-4_1a. Security of processing
• GDPR-25_1. Data protection by design and by default
• GDPR-R51. Protecting sensitive personal data
• OWASP10-A2. Cryptographic failures
• AGILE-9. Continuous attention to technical excellence and good design
• NYSHIELD-5575_B_2. Personal and private information
• MITRE-M1013. Application developer guidance
• CMMC-AT_L2-3_2_1. Role-based risk awareness
• ISO27002-8_28. Secure coding
• NISTSSDF-PW_1_1. Design software to meet security requirements and mitigate security risks
• NISTSSDF-PW_5_1. Archive and protect each software release
• ISSAF-T_6_10. Web application assessment - Test view source bugs
• ISSAF-U_15. Web application SQL injections – Countermeasures
• OWASPSCP-8. Data protection
• BSAFSS-SI_1-2. Avoid architectural weaknesses of authentication failure
• OSAMM-ST. Security Testing
• PCI-6_5_5. Changes to all system components are managed securely
• SIGLITE-SL_89. Is there a formal Software Development Life Cycle (SDLC) process?
• SIG-I_2_1. Application security
• ASVS-2_10_4. Service authentication
• ASVS-6_4_2. Secret management
• ISO27001-8_28. Secure coding
• CASA-2_10_4. Service Authentication
• CASA-6_4_2. Secret Management

Weaknesses

• 138 – Inappropriate coding practices
• 142 – Sensitive information in source code - API Key
• 326 – Sensitive information in source code - Dependencies
• 359 – Sensitive information in source code - Credentials
• 367 – Sensitive information in source code - Git history
• 432 – Inappropriate coding practices - relative path command
• 439 – Sensitive information in source code - IP
• 009 – Sensitive information in source code

Last updated

2024/02/09