LLBLGen Pro Runtime Framework
Veracode static security scan
Jonson (User)
Posted on: 07-Mar-2019 12:08:19
Hi.
I am using LLBLGen Pro version 4.2 Final (November 29th, 2016).
Our system was recently subject to a static security scan due to a potential pilot for a new customer.
They used Veracode scanning software, and one of the very high-risk issues reported was "Use of Hard-coded Password" (CWE ID 259) in sd.llblgen.pro.dqe.sqlserver.dll (sqlserverspecificcreator.cs 141).
Our version of this file is 4.2.15.827.

Any suggestions on how to mitigate this? (We obviously don't want to stop using LLBLGen ;) )

Otis (LLBLGen Pro Team)
Posted on: 07-Mar-2019 13:15:25
Could you elaborate a bit on what 'use of hard-coded password' means? There's no hard-coded password in the file. :) I'm not familiar with the scanner you've used, so I don't know the exact context of the issue it found.

Does it refer to the fact that it supports connection strings with passwords? If so, you can use Windows accounts to connect to SQL Server (no password needs to be specified in the connection string).


Frans Bouma
LLBLGen Pro / ORM Profiler Lead Developer | Blog | Twitter
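Otis's suggestion above, as an added example that is not LLBLGen Pro's or Veracode's code: a small C# audit for an application using the SQL Server DQE. It reads the connection string out-of-band from App.config/Web.config rather than from a literal, flags a string that embeds a SQL login password, and shows the Windows-account (Integrated Security) form that carries no secret at all. The config entry name "Main.ConnectionString" is an assumption.

```csharp
// Added example, not from the LLBLGen Pro runtime. Assumes an App.config / Web.config
// with a <connectionStrings> entry named "Main.ConnectionString" (hypothetical name).
using System;
using System.Configuration;
using System.Data.SqlClient;

static class ConnectionStringAudit
{
    // True when the connection string carries an embedded SQL login password.
    // A string using Integrated Security (the process's Windows account) holds no
    // secret, which removes the CWE-259 class of finding at the configuration level.
    public static bool EmbedsPassword(string connectionString)
    {
        var b = new SqlConnectionStringBuilder(connectionString);
        return !b.IntegratedSecurity && !string.IsNullOrEmpty(b.Password);
    }

    // Rewrites a SQL-login connection string to Windows authentication,
    // dropping User ID and Password entirely.
    public static string ToIntegratedSecurity(string connectionString)
    {
        var b = new SqlConnectionStringBuilder(connectionString);
        b.Remove("User ID");
        b.Remove("Password");
        b.IntegratedSecurity = true;
        return b.ConnectionString;
    }

    static void Main()
    {
        // Read the connection string from configuration, never from a code literal,
        // then hand it to the data access layer (e.g. the Adapter's
        // new DataAccessAdapter(connectionString)) unchanged.
        string fromConfig =
            ConfigurationManager.ConnectionStrings["Main.ConnectionString"].ConnectionString;

        if (EmbedsPassword(fromConfig))
        {
            Console.WriteLine("Connection string embeds a SQL login password; Windows-auth form:");
            Console.WriteLine(ToIntegratedSecurity(fromConfig));
        }
        else
        {
            Console.WriteLine("OK: no embedded password (Windows authentication or no secret).");
        }
    }
}
```

The rewritten string only works once the Windows account the process runs under has been granted a login on the SQL Server instance.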
Jonson (User)
Posted on: 07-Mar-2019 14:04:12
Well, I am not that familiar with this Veracode application either. This (hopefully) future customer requires that all software they install must be "secure" in the sense of best practices and standards like CWE, SANS and OWASP. The customer uses this Veracode software for this validation.

The description of the issue in the report is as follows:
Quote:

Use of Hard-coded Password (CWE ID 259)

A method uses a hard-coded password that may compromise system security in a way that cannot be easily remedied.
The use of a hard-coded password significantly increases the possibility that the account being protected will be
compromised. Moreover, the password cannot be changed without patching the software. If a hard-coded password
is compromised in a commercial product, all deployed instances may be vulnerable to attack.
Recommendations
Store passwords out-of-band from the application code. Follow best practices for protecting credentials stored in locations such as configuration or properties files.


It sounds like this Veracode software is just reporting a false positive then?

Otis (LLBLGen Pro Team)
Posted on: 07-Mar-2019 16:55:36
Yes, it can only be a false positive; I have no other explanation. The source code of the runtime is available to you if you want to have a look :) (My account -> Downloads -> Version -> Extras section).

Reading that explanation, I'm curious what method they flagged :) Even the connection string is used as-is; we don't break it up, so there's not even a notion of a password or user id in the runtime anywhere...
Jonson (User)
Posted on: 08-Mar-2019 09:12:31
Thanks Otis, I think I have what I need to dispute this report ;)

Otis (LLBLGen Pro Team)
Posted on: 08-Mar-2019 09:34:51
:) If they have more questions, let me know :)

Powered by HnD ©2002-2007 Solutions Design
HnD uses LLBLGen Pro

Version: 2.1.12172008 Final.