Explanation

This rule detects whether a service call or REST service has a URL (or host and port), username or password parameter defined in the model. Having these values defined in the model may result in unexpected behavior, and because these fields are not encrypted they may cause security risks. Using the URL, username and password fields is only recommended for test purposes. The rule checks service calls of the following types:

  • AQ_RestServiceClient
  • AQ_SoapServiceClient
  • AQ_MailService
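The check described above, written out as an added example (this is illustrative code, not the rule's own implementation): it walks a constructed list of service calls, ignores types the rule does not cover, and reports every connection parameter that is defined with a non-empty value in the model. The parameter names, the `ServiceCall` structure and the sample model are assumptions made for this example; real Blueriq model data looks different.

```python
"""Illustrative detection: flag service calls that carry connection details in the model."""
from dataclasses import dataclass, field


# Service-call types the rule inspects (taken from the rule description).
CHECKED_TYPES = {"AQ_RestServiceClient", "AQ_SoapServiceClient", "AQ_MailService"}

# Connection parameters that belong in application.properties rather than in the model.
# These names are an assumption for this example, not the product's actual parameter names.
SENSITIVE_PARAMETERS = {
    "url", "host", "port", "username", "password", "smtp-user", "smtp-password",
}


@dataclass
class ServiceCall:
    """Minimal stand-in for a service call element in a model (assumed shape)."""
    name: str
    call_type: str
    parameters: dict = field(default_factory=dict)


@dataclass
class Hotspot:
    """One finding: a connection parameter that is defined inside the model."""
    service_call: str
    parameter: str
    message: str


def find_hotspots(calls):
    """Return a Hotspot for every sensitive, non-empty parameter on a checked call type."""
    hotspots = []
    for call in calls:
        if call.call_type not in CHECKED_TYPES:
            continue  # the rule only looks at the three listed types
        for param_name, value in call.parameters.items():
            if param_name.lower() not in SENSITIVE_PARAMETERS:
                continue
            if value is None or value == "":
                continue  # an empty field is not a defined value
            hotspots.append(Hotspot(
                service_call=call.name,
                parameter=param_name,
                message=(
                    f"'{param_name}' is defined in the model for service call "
                    f"'{call.name}' ({call.call_type}); move it to application.properties "
                    f"and use an encrypted value."
                ),
            ))
    return hotspots


# Constructed sample model: one mail service with credentials in the model,
# one REST client that only references a named connection, and one unrelated type.
SAMPLE_MODEL = [
    ServiceCall("SendConfirmationMail", "AQ_MailService", {
        "url": "www.example.com",
        "smtp-user": "mailer",
        "smtp-password": "example-password",
    }),
    ServiceCall("CustomerLookup", "AQ_RestServiceClient", {
        "connection": "customer-api",  # credentials resolved from properties, not the model
        "username": "",                # empty field, so not reported
    }),
    ServiceCall("LocalCalculation", "AQ_CustomService", {  # type name is constructed
        "password": "not-checked-by-this-rule",
    }),
]


if __name__ == "__main__":
    for hotspot in find_hotspots(SAMPLE_MODEL):
        print(hotspot.message)
```

Run as a script, the example reports three hotspots, all on `SendConfirmationMail` (its URL and both SMTP credentials); the REST client passes because its credentials come from a named connection and its username field is empty, and the custom service is skipped because its type is not one the rule inspects.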

Possible improvements

Configure the connection in the application.properties file only, using encrypted values for the credentials. This also makes it possible to make the URL dependent on the environment.

See:

  • https://my.blueriq.com/display/DOC/Connections+
  • My Blueriq - Security: Encrypting connection passwords
  • My Blueriq - Connections Properties

Example

For this SOAP or mail service call, the URL is set to "www.example.com" and the authorization parameters smtp-user and smtp-password have example values defined in the model.

[Image: the service call configuration with the URL and credentials defined in the model]

This results in the following security hotspot:

[Image: the resulting security hotspot]