Database

Description

The encryption key is stored in the source code in plain text and is not obtained from a secure source that guarantees its confidentiality.

Impact

- Mount an elaborate brute-force attack on the application's encrypted messages.
- Easily expose a company's information, web and API security to sensitive data disclosure.

Recommendation

It is recommended to load encryption keys from:

- A key vault service.
- A properly encrypted configuration file.
- Administrative environment variables.
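The following is an added example, not code from the original entry, that contrasts the weakness described above with the third recommended option: the key is read from an environment variable at runtime instead of living in the source tree. It assumes the variable is named ENCRYPTION_KEY and carries a base64-encoded 32-byte key (both assumptions), and it adds a small repository check that flags assignments of long string literals to identifiers that look like keys, the pattern the Description refers to. The source snippet it scans is constructed for the example.

```python
"""Hardened key loading versus a hardcoded key (added example, not the page's code).

Assumptions: the key arrives base64-encoded in ENCRYPTION_KEY (name is an
assumption) and must be exactly 32 bytes (AES-256). No encryption library is
used; the point is where the key comes from and how a missing or malformed key
is handled.
"""
import base64
import os
import re
from typing import List, Mapping, Optional, Tuple

KEY_ENV_VAR = "ENCRYPTION_KEY"  # assumed variable name
KEY_LENGTH_BYTES = 32           # AES-256 key size

# Weak pattern the Description describes: the key is a literal in the source.
# Anyone with read access to the repository or the deployed file owns the key.
#   AES_KEY = b"0123456789abcdef0123456789abcdef"   # do not do this


class KeyLoadError(RuntimeError):
    """Raised when no usable key is available at runtime."""


def load_encryption_key(env: Optional[Mapping[str, str]] = None) -> bytes:
    """Return the key from the environment, failing closed if it is unusable.

    There is deliberately no built-in fallback key: a missing variable must
    stop the application rather than silently downgrade to a known value.
    """
    env = os.environ if env is None else env
    raw = env.get(KEY_ENV_VAR)
    if not raw:
        raise KeyLoadError(f"{KEY_ENV_VAR} is not set; refusing to use a default key")
    try:
        # validate=True rejects non-alphabet characters instead of ignoring them
        key = base64.b64decode(raw, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise KeyLoadError(f"{KEY_ENV_VAR} is not valid base64") from exc
    if len(key) != KEY_LENGTH_BYTES:
        raise KeyLoadError(
            f"{KEY_ENV_VAR} decodes to {len(key)} bytes, expected {KEY_LENGTH_BYTES}"
        )
    return key


def key_status(env: Mapping[str, str]) -> str:
    """Summarise whether a key can be loaded from the given environment."""
    try:
        load_encryption_key(env)
    except KeyLoadError as exc:
        return f"error: {exc}"
    return "ok"


# Repository check: an identifier that mentions key/secret/password assigned a
# long quoted literal (16+ base64/hex-looking characters) is a likely hardcoded key.
HARDCODED_KEY_RE = re.compile(
    r"""(?ix)
    \b(\w*(?:key|secret|password|passwd)\w*)\s*=\s*   # identifier naming a key
    b?["']([A-Za-z0-9+/=_\-]{16,})["']                # long literal value
    """
)


def find_hardcoded_keys(source: str) -> List[Tuple[int, str]]:
    """Return (line number, identifier) for each suspected hardcoded key."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        match = HARDCODED_KEY_RE.search(line)
        if match:
            findings.append((lineno, match.group(1)))
    return findings


# Constructed sample source for the scanner (not real project code).
SAMPLE_SOURCE = """\
import os
AES_KEY = b"0123456789abcdef0123456789abcdef"   # literal in source: finding
API_SECRET = "c2VjcmV0LXZhbHVlLWhlcmUtMTIzNDU2"  # literal in source: finding
db_key = os.environ["ENCRYPTION_KEY"]            # loaded at runtime: clean
"""


if __name__ == "__main__":
    good_env = {KEY_ENV_VAR: base64.b64encode(os.urandom(KEY_LENGTH_BYTES)).decode()}
    print("good environment:", key_status(good_env))
    print("missing variable:", key_status({}))
    print("wrong length:    ", key_status({KEY_ENV_VAR: base64.b64encode(b"short").decode()}))
    for lineno, name in find_hardcoded_keys(SAMPLE_SOURCE):
        print(f"line {lineno}: suspected hardcoded key in '{name}'")
```

The loader fails closed on a missing, malformed or wrong-length value, which is the property that distinguishes it from a hardcoded fallback; the scanner is a coarse heuristic meant for a pre-commit hook or CI step, and a dedicated secret scanner should be preferred where one is available.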

Threat

An unauthorized user obtains the encryption key directly from the application repository or from an application file.

Expected Remediation Time

⏱️ 45 minutes.