A developer pushes an application to production. The application receives a webhook over HTTPS without a secret. The web

Post by answerhappygod »

A developer pushes an application to production. The application receives a webhook over HTTPS without a secret. The webhook information contains credentials to a service in cleartext. When the information is received, it is stored in the database with an SHA-256 hash. Credentials to the database are accessed at runtime through the use of a vault service. While troubleshooting, the developer sets the logging to debug to view the message from the webhook. What is the security issue in this scenario?

A. Database credentials should be accessed by using environment variables defined at runtime.
B. During the transport of webhook messages, the credentials could be unencrypted and leaked.
C. During logging, debugging should be disabled for the webhook message.
D. Hashing the credentials in the database is not secure enough; the credentials should be encrypted.