d3fend / d3fend-ontology

This repository holds the necessary content to produce the D3FEND ontology distribution.
https://d3fend.mitre.org
MIT License

Eliminate Credentials In Code #170

Open AashiqRamachandran opened 1 year ago

AashiqRamachandran commented 1 year ago

Eliminate Credentials In Code

Digital Artifacts

Eliminate Credentials In Code Evicts Credential

Definition

Remove any “credentials” or “access keys” from compiled source code.

How it works

Credentials or secrets in compiled code can lead to compromise of target services. Credentials in code must be detected and eliminated promptly. Apart from being eliminated, credentials must also be disabled once they have made their way into git/version control history. Credentials are always to be accessed via a secret manager, and are not to be held in persistent memory in an unencrypted form.

Considerations

While configuring a credential manager, it is important to handle role accesses and credential keys correctly to ensure unauthorized entities are not able to access stored credentials.

Contributed By:

Aashiq Ramachandran, Cyware Labs

MITRE D3FEND Tactic:

Harden
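As an added illustration of the "detect, then also scan version-control history" steps in the issue text above (example code written for this page, not part of the issue or of the D3FEND project): a small Python scanner that flags credential-shaped tokens in source text with two complementary checks, a set of format patterns and a Shannon-entropy test on long quoted literals, and a second entry point that applies the same scan to only the added (`+`) lines of a unified diff such as `git log -p --all` output, so a key that was committed and later deleted is still surfaced for revocation. The only real-world format it relies on is the AWS access key ID shape (`AKIA`/`ASIA` followed by 16 uppercase alphanumerics) and AWS's documented example key pair; the generic assignment pattern, the entropy threshold, the minimum literal length, and both sample inputs are constructed assumptions for this example.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

# Format-based detectors. The AWS access key ID shape is documented by AWS;
# the private-key header is the PEM banner; the assignment pattern is a
# heuristic assumed for this example (identifier containing a credential word,
# then = or :, then a quoted value of 8+ characters).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_secret_assignment": re.compile(
        r"""(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['"](?P<value>[^'"]{8,})['"]"""
    ),
}

# Entropy detector for secrets with no fixed format. Threshold and minimum
# length are assumptions tuned for base64-like material; short or word-like
# values fall below them, which is why the pattern check above is also needed.
ENTROPY_THRESHOLD = 4.0          # bits per character
QUOTED_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/=_\-]{20,})['"]""")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    token: str


def scan_source(text: str) -> list[Finding]:
    """Return one Finding per credential-shaped token, keyed to its 1-based line."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                token = m.group("value") if "value" in m.groupdict() else m.group(0)
                findings.append(Finding(line_no, kind, token))
        for literal in QUOTED_LITERAL.findall(line):
            already = any(f.line_no == line_no and f.token == literal for f in findings)
            if not already and shannon_entropy(literal) >= ENTROPY_THRESHOLD:
                findings.append(Finding(line_no, "high_entropy_literal", literal))
    return findings


def scan_patch(patch_text: str) -> list[Finding]:
    """Scan only the added lines of a unified diff (e.g. `git log -p --all`).

    Removed and context lines are blanked rather than dropped so that
    Finding.line_no still points at the matching line of the patch. A secret
    that was added in one commit and deleted in a later one therefore still
    shows up, which is the case where the key must be revoked, not just removed.
    """
    added = [
        raw[1:] if raw.startswith("+") and not raw.startswith("+++") else ""
        for raw in patch_text.splitlines()
    ]
    return scan_source("\n".join(added))


# Constructed sample inputs. The AWS key pair is the example pair from the AWS
# documentation, not a live credential.
SAMPLE_SOURCE = '''\
import boto3

AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
db_password = "correct-horse-battery"
client = boto3.client("s3", aws_access_key_id=AWS_ACCESS_KEY_ID)
'''

# Constructed, abbreviated history: the newer commit (listed first, as git does)
# replaces the hard-coded key with a secret-store lookup; the older commit is
# where the key entered history and is what a HEAD-only scan would miss.
SAMPLE_PATCH = '''\
commit (newer) remove hard-coded key
--- a/config.py
+++ b/config.py
@@ -1 +1 @@
-api_key = "A1b2C3d4E5f6G7h8I9j0K1l2M3n4"
+api_key = secret_store.get("service/api_key")
commit (older) add client config
--- /dev/null
+++ b/config.py
@@ -0,0 +1 @@
+api_key = "A1b2C3d4E5f6G7h8I9j0K1l2M3n4"
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"working tree line {f.line_no}: {f.kind}")
    for f in scan_patch(SAMPLE_PATCH):
        print(f"history patch line {f.line_no}: {f.kind} (revoke this key)")
```

Note how the two checks cover each other's blind spots: the example access key ID has too little entropy to pass the threshold and is caught only by its format, while the secret access key has no fixed format and is caught only by entropy. In the patch scan the key is reported at the older commit even though the current file no longer contains it, which is exactly the situation the issue text describes where disabling the credential is required in addition to removing it.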

netfl0 commented 8 months ago

@hack-sentinel

Credentials might be in software, need to consider modeling that.