Veracode static security scan

Jonson
User
Posts: 8
Joined: 15-May-2007
# Posted on: 07-Mar-2019 12:08:19   

Hi. I am using LLBLGen Pro version 4.2 Final (November 29th, 2016). Our system was recently subject to a static security scan due to a potential pilot for a new customer. They used Veracode scanning software and one of the very high risk issues reported was "Use of Hard-coded Password" (CWE ID 259) in sd.llblgen.pro.dqe.sqlserver.dll (sqlserverspecificcreator.cs 141). Our version of this file is 4.2.15.827.

Any suggestions on how to mitigate (we obviously don't want to stop using LLBLGen)?

Otis
LLBLGen Pro Team
Posts: 39588
Joined: 17-Aug-2003
# Posted on: 07-Mar-2019 13:15:25   

Could you elaborate a bit on what 'use of hard-coded password' means? As there's no hard-coded password in the file. I'm not familiar with the scanner you've used so I don't know the exact context of the issue it found.

Does it refer to the fact it supports connection strings with passwords? If so you can use Windows accounts to connect to SQL Server (you don't need a password specified in the connection string).

Frans Bouma | Lead developer LLBLGen Pro
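The mitigation suggested above (Windows authentication instead of a password in the connection string) is something a reviewer can check for in deployed configuration. The following is an added example, not code from this thread or from the LLBLGen runtime: it parses ADO.NET-style SQL Server connection strings (semicolon-separated, case-insensitive `key=value` pairs, quoted values allowed) and reports whether a password is embedded or integrated security is in use. The sample connection strings are constructed for the example.

```python
"""Audit SQL Server connection strings for embedded credentials.

Added example, not part of the forum thread or the LLBLGen runtime. It
recognises the keyword aliases the SQL Server ADO.NET provider accepts for
passwords, user names and integrated security; the sample strings below are
constructed for illustration.
"""
from typing import Dict, Optional

PASSWORD_KEYS = {"password", "pwd"}
USER_KEYS = {"user id", "uid", "user"}
INTEGRATED_KEYS = {"integrated security", "trusted_connection"}
INTEGRATED_TRUE = {"true", "yes", "sspi"}


def parse_connection_string(cs: str) -> Dict[str, str]:
    """Split 'key=value;key=value' into a dict with lower-cased, trimmed keys.

    Values wrapped in single or double quotes may contain semicolons; the
    quotes are stripped. Empty segments and segments without '=' are skipped.
    """
    result: Dict[str, str] = {}
    i, n = 0, len(cs)
    while i < n:
        # Skip separators left over from the previous segment (e.g. ";;").
        while i < n and cs[i] in "; ":
            i += 1
        if i >= n:
            break
        eq = cs.find("=", i)
        if eq == -1:
            break
        semi = cs.find(";", i)
        if semi != -1 and semi < eq:
            # A bare word without '=' is not a setting; skip it.
            i = semi + 1
            continue
        key = cs[i:eq].strip().lower()
        j = eq + 1
        while j < n and cs[j] == " ":
            j += 1
        if j < n and cs[j] in ("'", '"'):
            # Quoted value: runs to the matching quote, may contain ';'.
            quote = cs[j]
            end = cs.find(quote, j + 1)
            if end == -1:
                end = n
            value = cs[j + 1:end]
            semi = cs.find(";", end)
            i = n if semi == -1 else semi + 1
        else:
            semi = cs.find(";", j)
            if semi == -1:
                semi = n
            value = cs[j:semi].strip()
            i = semi + 1
        if key:
            result[key] = value
    return result


def uses_integrated_security(settings: Dict[str, str]) -> bool:
    """True when any integrated-security alias is set to a truthy value."""
    return any(settings.get(k, "").strip().lower() in INTEGRATED_TRUE
               for k in INTEGRATED_KEYS)


def embedded_password(settings: Dict[str, str]) -> Optional[str]:
    """Return the embedded password, or None when no password is present."""
    for k in PASSWORD_KEYS:
        if settings.get(k, "") != "":
            return settings[k]
    return None


def audit_connection_string(cs: str) -> Dict[str, object]:
    """Classify a connection string: 'ok', 'password_embedded',
    'sql_login_no_password' or 'no_auth'."""
    settings = parse_connection_string(cs)
    pwd = embedded_password(settings)
    integrated = uses_integrated_security(settings)
    if pwd is not None:
        verdict = "password_embedded"
    elif integrated:
        verdict = "ok"
    elif any(k in settings for k in USER_KEYS):
        verdict = "sql_login_no_password"
    else:
        verdict = "no_auth"
    return {"integrated_security": integrated,
            "has_password": pwd is not None,
            "verdict": verdict}


# Constructed sample connection strings (not taken from any real system).
SAMPLES = {
    "embedded": 'Data Source=dbserver01;Initial Catalog=Orders;User ID=app;Password="s3cr;et";',
    "integrated": "Server=dbserver01;Database=Orders;Integrated Security=SSPI;",
    "trusted": "server=dbserver01;database=Orders;Trusted_Connection=yes",
    "mixed": "Server=dbserver01;Integrated Security=true;Pwd=oops",
}

if __name__ == "__main__":
    for name, cs in SAMPLES.items():
        print(f"{name:11s} -> {audit_connection_string(cs)['verdict']}")
```

The quoted-value handling matters in practice: a password containing `;` must be quoted in an ADO.NET connection string, and a naive `split(";")` would miss or mangle it. Running this over every `connectionStrings` entry in a deployment's config files gives a concrete artifact to show an auditor, independent of what a binary scanner flagged in the provider DLL.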
Jonson
User
Posts: 8
Joined: 15-May-2007
# Posted on: 07-Mar-2019 14:04:12   

Well, I am not that familiar with this Veracode application either. This (hopefully) future customer requires that all software they install must be "secure" in the sense of best practices and standards like CWE, SANS and OWASP. The customer uses this Veracode software for this validation.

The description of the issue in the report is as follows:

Use of Hard-coded Password (CWE ID 259)

A method uses a hard-coded password that may compromise system security in a way that cannot be easily remedied. The use of a hard-coded password significantly increases the possibility that the account being protected will be compromised. Moreover, the password cannot be changed without patching the software. If a hard-coded password is compromised in a commercial product, all deployed instances may be vulnerable to attack.

Recommendations: Store passwords out-of-band from the application code. Follow best practices for protecting credentials stored in locations such as configuration or properties files.

It sounds like this Veracode software is just reporting a false positive then?

Otis
LLBLGen Pro Team
Posts: 39588
Joined: 17-Aug-2003
# Posted on: 07-Mar-2019 16:55:36   

Yes, it can only be a false positive, I have no other explanation. The source code of the runtime is available to you if you want to have a look (My account -> Downloads -> Version -> Extras section).

Reading that explanation I'm curious what method they flagged. Even the connection string is used as-is, we don't break it up, so there's not even a notion of a password or user id in the runtime anywhere...

Frans Bouma | Lead developer LLBLGen Pro
Jonson
User
Posts: 8
Joined: 15-May-2007
# Posted on: 08-Mar-2019 09:12:31   

Thanks Otis, I think I have what I need to dispute this report.

Otis
LLBLGen Pro Team
Posts: 39588
Joined: 17-Aug-2003
# Posted on: 08-Mar-2019 09:34:51   

If they have more questions, let me know.

Frans Bouma | Lead developer LLBLGen Pro