Friday, July 26, 2013

A Note for Code Developers

Today's post is very simple: if you are going to write code, don't embed privileged usernames and passwords in the code. And if you must hard-code a password, for crying out loud, don't store the code with passwords on a public code repository!

https://github.com/search?p=1&q=mysqldump+-p&ref=searchresults&type=Code


Nearly 10,000 examples of code on GitHub with the mysql database password written in cleartext in the code. Many of the code samples show a username of root ... might that also be the root account and password for the system itself?

Sure, many times an application needs to access a database and the end user doesn't need to have an account. But instead of coding the root password into the application, either use a limited account that only has read access, or better yet, handle account management on the server side. If the application runs in the context of a user with appropriate credentials, then there is never a need for the application to login, and thus no need to store usernames and passwords in the source code.

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen

Whois David?

My photo

I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.

Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those that are experts in something else.

When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.

For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.