Explanation
This rule detects whether a service call has a username or password parameter defined. These values are stored unencrypted and therefore pose a security risk. Using the username and password fields is only recommended for test purposes. The rule checks service calls of type:
- AQ_RestServiceClient
- AQ_SoapServiceClient
- AQ_MailService
Possible improvements
Use encrypted values in the connection configuration in the application.properties file.
See:
- My Blueriq - Security Encrypting connection passwords
- My Blueriq - Connections Properties
Example
For this Mail service call, the authorization parameters smtp-user and smtp-password have been given example values.
This results in the following security hotspot:
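To make the rule's logic concrete, here is an added example (not Blueriq's own rule implementation) that re-creates the check over a few constructed service-call definitions. The dict-based representation of a service call, the extra credential parameter names beyond smtp-user/smtp-password, and the service type AQ_OtherService are assumptions made for this example.

```python
# Added example: a minimal re-implementation of the hotspot check described above.
# The dict representation of a service call is an assumption for this example.

# Service-call types the rule inspects (from the rule description)
CHECKED_TYPES = {"AQ_RestServiceClient", "AQ_SoapServiceClient", "AQ_MailService"}

# Parameter names treated as plaintext credentials. "smtp-user"/"smtp-password"
# are the Mail service names used on this page; "username"/"password" are the
# generic names the rule description mentions.
CREDENTIAL_NAMES = {"username", "password", "smtp-user", "smtp-password"}


def find_credential_hotspots(service_calls):
    """Return (call name, parameter name) pairs for every credential parameter
    that is defined directly on a checked service call."""
    hotspots = []
    for call in service_calls:
        if call.get("type") not in CHECKED_TYPES:
            continue  # other service types are out of scope for this rule
        for param_name in call.get("parameters", {}):
            if param_name.lower() in CREDENTIAL_NAMES:
                hotspots.append((call["name"], param_name))
    return hotspots


# Constructed sample definitions (not from a real Blueriq project)
SAMPLE_CALLS = [
    {"name": "SendWelcomeMail", "type": "AQ_MailService",
     "parameters": {"smtp-host": "mail.example.test",
                    "smtp-user": "mailer", "smtp-password": "s3cret"}},
    {"name": "CustomerLookup", "type": "AQ_RestServiceClient",
     "parameters": {"url": "https://api.example.test/customers", "username": "svc"}},
    # Credentials removed from the call and kept in application.properties instead
    {"name": "CustomerLookupProd", "type": "AQ_RestServiceClient",
     "parameters": {"url": "https://api.example.test/customers"}},
    # Hypothetical service type that the rule does not inspect
    {"name": "LocalHelper", "type": "AQ_OtherService",
     "parameters": {"username": "admin"}},
]

if __name__ == "__main__":
    for call_name, param in find_credential_hotspots(SAMPLE_CALLS):
        print(f"Security hotspot: {call_name} defines credential parameter '{param}'")
```

Only the first two sample calls are reported; the call that moved its credentials to application.properties and the uninspected service type produce no hotspot.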