
Authentication

This page collects security best practices for handling authentication.

1. How to handle passwords securely when connecting to a database?

Instead of hardcoding passwords, read them from environment variables. Let's take an example with Django and Python.

Problem

  • Hardcoded passwords are a significant security risk: anyone who can read the source can read the credential.

  • Flexibility issue: the password cannot be changed or rotated without modifying the code and redeploying it.

  • Version control issue: a hardcoded password committed to the repository is exposed to everyone with access to that repository, including its history.

Non-compliant code:

# settings.py

DATABASES = {
    'postgresql_db': {
        'ENGINE': 'django.db.backends.postgresql',
        'NAME': 'quickdb',
        'USER': 'sonarsource',
        'PASSWORD': '', # Noncompliant
        'HOST': 'localhost',
        'PORT': '5432'
    }
}

Compliant solution:

# settings.py
import os

DATABASES = {
    'postgresql_db': {
        'ENGINE': 'django.db.backends.postgresql',
        'NAME': 'quickdb',
        'USER': 'sonarsource',
        'PASSWORD': os.getenv('DB_PASSWORD'),  # read from the environment; None if DB_PASSWORD is unset
        'HOST': 'localhost',
        'PORT': '5432'
    }
}

Let's take another example, this time a MySQL connection.

Non-compliant code:

from mysql.connector import connection

connection.MySQLConnection(host='localhost', user='sonarsource', password='')  # Noncompliant

Compliant code:

import os

from mysql.connector import connection

# Read the password from the environment rather than the source file;
# os.getenv returns None if DB_PASSWORD is not set.
db_password = os.getenv('DB_PASSWORD')
connection.MySQLConnection(host='localhost', user='sonarsource', password=db_password)
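The rule above can be checked mechanically. The following is an added example, not code from the original page or from any SAST product: a small AST-based scanner that flags password-like dict keys and keyword arguments whose value is a string literal, and accepts values read from the environment. The key names in PASSWORD_KEYS and the sample sources are assumptions made for the demonstration.

```python
# Added example, not code from the original page: a minimal AST-based check in the
# spirit of the SAST rule above. It flags a dict entry or keyword argument whose
# name looks like a password and whose value is a string literal (an empty one
# included), and stays quiet when the value comes from os.getenv / os.environ.
import ast

PASSWORD_KEYS = {"password", "passwd", "pwd"}  # assumed set of password-like names


def _str_literal(node):
    """True when node is a string constant such as '' or 'hunter2'."""
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


def find_hardcoded_passwords(source):
    """Return sorted (line, snippet) pairs for each hardcoded password literal."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Dict):  # e.g. 'PASSWORD': '' in Django DATABASES
            for key, value in zip(node.keys, node.values):
                if _str_literal(key) and key.value.lower() in PASSWORD_KEYS and _str_literal(value):
                    findings.append((value.lineno, f"{key.value!r}: {value.value!r}"))
        elif isinstance(node, ast.Call):  # e.g. password='' in a connection call
            for kw in node.keywords:
                if kw.arg and kw.arg.lower() in PASSWORD_KEYS and _str_literal(kw.value):
                    findings.append((kw.value.lineno, f"{kw.arg}={kw.value.value!r}"))
    return sorted(findings)


# Constructed sample sources mirroring the non-compliant and compliant snippets above.
NONCOMPLIANT = """\
DATABASES = {'db': {'USER': 'app', 'PASSWORD': 'hunter2', 'HOST': 'localhost'}}
connection.MySQLConnection(host='localhost', user='app', password='')
"""
COMPLIANT = """\
import os
DATABASES = {'db': {'USER': 'app', 'PASSWORD': os.getenv('DB_PASSWORD')}}
connection.MySQLConnection(host='localhost', user='app', password=os.environ['DB_PASSWORD'])
"""

if __name__ == "__main__":
    for line, snippet in find_hardcoded_passwords(NONCOMPLIANT):
        print(f"line {line}: hardcoded password {snippet}")  # two findings
    print("compliant findings:", find_hardcoded_passwords(COMPLIANT))  # []
```

The scan is purely syntactic, so a literal hidden behind a variable or string concatenation is not caught; treat it as a cheap first pass, not a replacement for a full SAST tool.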

References

CWE: https://cwe.mitre.org/data/definitions/521

OWASP: https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/