
How process and tooling help prevent hardcoded credentials

And why one hardcoded mistake means trouble for your whole org.

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

For a coder racing against the clock, it’s tempting to embed credentials right inside one’s work. Hardcoded passwords speed up access when development requires entry to another application.

But slow down and hold your hardcoded horses! The workaround speeds testing at the expense of security—as demonstrated by recent reports and advisories from tech vendors.

“If you are hardcoding credentials, and you make the mistake of uploading your project into a public repo, and that public repo now has credentials for a corporate environment, that’s concerning, and that’s one of the risks of hardcoding credentials: It makes it much easier for a bad actor to access your environment,” Ed Lewis, practice director of secure development and cloud transformation at cyberadvisory Optiv, told IT Brew.

Security is hard! In January 2024, TechCrunch reported the leak of a Mercedes-Benz authentication token in a public GitHub repository. SolarWinds, on August 23, addressed a “hardcoded credential vulnerability” in its Web Help Desk software.

A May 2023 study from security-scanning company GitGuardian of 507 IT and security decision-makers in the US and UK found that 47% of respondents identified “hard-coded secrets” as key supply-chain risks.

Though Daniel dos Santos, senior director of security research at Forescout Technologies, said enterprise software has improved, hardcoded credentials still happen, especially with embedded IoT systems that combine hardware and software for a specific function.

“Lots of those embedded devices have even older code bases than the enterprise software,” dos Santos told IT Brew.

A 2022 report from Vedere Labs, the cybersecurity research arm of Forescout Technologies, identified 56 vulnerabilities affecting devices from 10 operational technology (OT) vendors; six of those vulnerabilities involved hardcoded credentials, and three exposed hardcoded cryptographic keys.

“A secret password was an acceptable risk when the only way to access your device was by soldering a header onto a circuit board,” Andrew Cornwall, senior analyst at Forrester, wrote in an email to IT Brew. “With the rise of IoT devices and demand for connectivity, the risk has changed. Devices are accessible over the network, and the network includes bad actors.”

Process and tooling! Optiv’s Lewis said he sees hardcoded credentials in orgs that have immature “DevSecOps,” an application-development method integrating security practices throughout the software-development process. He recommends communication and collaboration between security and development teams, to emphasize that hardcoding is unacceptable.

Static application security testing (SAST) tools scan for hard-coded credentials, according to Cornwall.
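The scanning Cornwall describes works by matching source text against rules that recognize what a credential literal looks like. The following is an added illustration, not code from IT Brew or from any SAST vendor named in the article: a small Python scanner with four rule types (private-key blocks, the fixed shape of AWS access key IDs, quoted values assigned to password-like names, and long high-entropy string literals), run over a constructed sample file. The sample values, the placeholder list, and the entropy threshold are all this example's own choices.

```python
import math
import re
from dataclasses import dataclass

# Rule 1: a quoted value assigned to a credential-like name. Assumed rule set,
# far smaller than what a real SAST tool ships.
ASSIGNMENT_RE = re.compile(
    r"""(?ix)
    (password|passwd|pwd|secret|api[_-]?key|token|access[_-]?key)\w*
    \s*[:=]\s*
    ["']([^"']{4,})["']
    """
)
# Rule 2: AWS access key IDs have a fixed, publicly documented shape.
AWS_KEY_ID_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
# Rule 3: PEM private-key headers are unmistakable.
PEM_RE = re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")
# Rule 4: any long quoted string; reported only if its entropy is token-like.
TOKEN_RE = re.compile(r"""["']([A-Za-z0-9+/=_\-]{20,})["']""")
ENTROPY_THRESHOLD = 4.0  # bits per character; assumed cut-off

# Values that are obviously samples, so a match on them is noise.
PLACEHOLDERS = {"changeme", "password", "example", "xxxx", "<redacted>"}


@dataclass
class Finding:
    line_no: int
    rule: str
    excerpt: str  # masked so the scan report itself does not leak the secret


def shannon_entropy(s: str) -> float:
    """Bits per character; random tokens score high, words and repeats score low."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def mask(value: str) -> str:
    """Keep a short prefix for triage, hide the rest."""
    return value[:4] + "*" * min(len(value) - 4, 12)


def scan(source: str) -> list[Finding]:
    """Return at most one finding per line, most specific rule first."""
    findings = []
    for no, line in enumerate(source.splitlines(), start=1):
        if PEM_RE.search(line):
            findings.append(Finding(no, "private_key_block", "-----BEGIN ... PRIVATE KEY-----"))
            continue
        m = AWS_KEY_ID_RE.search(line)
        if m:
            findings.append(Finding(no, "aws_access_key_id", mask(m.group(0))))
            continue
        m = ASSIGNMENT_RE.search(line)
        if m and m.group(2).lower() not in PLACEHOLDERS:
            findings.append(Finding(no, "credential_assignment", mask(m.group(2))))
            continue
        m = TOKEN_RE.search(line)
        if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
            findings.append(Finding(no, "high_entropy_string", mask(m.group(1))))
    return findings


# Constructed sample source file; the AWS key ID is the example value from AWS docs.
SAMPLE_SOURCE = """\
import os
DB_PASSWORD = "Tr0ub4dor&3"                  # hardcoded literal: should be flagged
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"   # example key ID from AWS docs: flagged by shape
api_token = os.environ["API_TOKEN"]         # read from the environment: not a finding
password = "changeme"                        # obvious placeholder: suppressed
session_key = "q7F2xN9vLpZ3kW8bT4mY6hR1cJ5dG0sA"  # high-entropy literal: flagged
url = "https://example.com/login"            # ordinary string: not a finding
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.rule} ({f.excerpt})")
```

Run on the sample it reports lines 2, 3 and 6 and stays quiet on the environment lookup, the placeholder and the URL. The masking in `Finding.excerpt` matters in practice: a scanner that prints the full secret into CI logs has just moved the leak somewhere else.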

Vendors like HashiCorp, CyberArk, and Azure offer secrets-management services—a centralized repository of credentials that facilitates access to an org’s infrastructure.

For Lewis, defenses include process and tooling.

In addition to education, Lewis said that a secrets manager supplies credentials to an application or script “without the need for the developer or anyone else actually seeing that underlying information.”
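What Lewis describes looks like this on the application side. The snippet below is an added example, not code from IT Brew, Optiv, or any of the secrets-management vendors mentioned: it puts the hardcoded pattern next to a hardened form that resolves the credential at runtime from wherever the secrets manager injected it (an environment variable or a mounted file; the lookup order, the `Secret` wrapper, and the placeholder list are this example's own conventions) and refuses to start on a missing or placeholder value.

```python
import os
from pathlib import Path
from typing import Mapping, Optional

# Values a secrets manager would never hand out; seeing one means the injection
# step did not run and a sample default leaked into configuration.
PLACEHOLDER_VALUES = {"", "changeme", "password", "todo", "replace-me"}


class Secret:
    """Holds a credential so that str(), repr(), f-strings and loggers never print it."""
    __slots__ = ("name", "_value")

    def __init__(self, name: str, value: str):
        self.name = name
        self._value = value

    def reveal(self) -> str:
        # The only way to get the raw value out: an explicit, greppable call.
        return self._value

    def __repr__(self) -> str:
        return f"Secret(name={self.name!r}, value=<redacted>)"

    __str__ = __repr__


def load_secret(name: str, env: Mapping[str, str] = os.environ,
                secrets_dir: Optional[Path] = None) -> Secret:
    """Resolve a secret at runtime from where the secrets manager placed it.

    Assumed deployment convention (not a standard):
      1. environment variable NAME, injected by the secrets manager's agent or CI step;
      2. file <secrets_dir>/NAME, e.g. a volume the secrets manager mounts.
    The source code itself never contains the value.
    """
    value = env.get(name)
    if value is None and secrets_dir is not None:
        path = secrets_dir / name
        if path.is_file():
            value = path.read_text(encoding="utf-8").strip()
    if value is None:
        raise LookupError(f"secret {name!r} was not provided; check secrets-manager injection")
    if value.strip().lower() in PLACEHOLDER_VALUES:
        raise ValueError(f"secret {name!r} holds a placeholder value; refusing to start")
    return Secret(name, value)


# BEFORE (the pattern the article warns about): the credential ships with the code
# and travels into every clone, fork and public push of the repository.
def connect_hardcoded() -> dict:
    return {"user": "app", "password": "Tr0ub4dor&3"}  # constructed sample; do not do this


# AFTER: the credential is resolved from the secrets manager at runtime and is
# carried as a Secret, so a stray log line prints <redacted> instead of the value.
def connect_from_secrets_manager(env: Mapping[str, str] = os.environ,
                                 secrets_dir: Optional[Path] = None) -> dict:
    password = load_secret("DB_PASSWORD", env, secrets_dir)
    return {"user": "app", "password": password}


if __name__ == "__main__":
    cfg = connect_from_secrets_manager({"DB_PASSWORD": "constructed-demo-value"})
    print(cfg)  # the password shows as <redacted>
    print("driver would receive:", cfg["password"].reveal())
```

Two details carry most of the value here. Failing loudly on a missing or placeholder secret turns "the injection step silently did not run" into a deploy-time error instead of a production outage or a fallback to a default password. And the `Secret` wrapper means the only place the raw value appears is an explicit `.reveal()` call, which a SAST rule or code review can look for.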

“Build in that freedom within a framework so that different development teams can use different tools, but they’re still aligning under an overarching framework which has security best practices baked in,” he added.
