Exam CAS-004 All Questions
Question 251

A company wants to securely manage the APIs that were developed for its in-house applications. Previous penetration tests revealed that developers were embedding unencrypted passwords in the code. Which of the following can the company do to address this finding? (Choose two.)

    Correct Answer: A, C

    To address the finding of unencrypted passwords embedded in the code, the company should implement measures that directly mitigate this risk. First, implementing complex, key-length API key management replaces the hardcoded passwords with long, high-entropy API keys that are generated, distributed and revoked centrally rather than written into the source, so a key is much harder to guess and much easier to withdraw. Second, implementing time-based API key management means keys expire and are rotated on a schedule, so any key that does leak has a limited validity period; it also gives developers a practical reason to fetch keys from a secret store at runtime, because a key pasted into the source stops working at the next rotation. Together, these strategies enhance API security and address the specific issue of embedded unencrypted passwords. A caveat on option E: DAST exercises the running application over the network and never reads source code, so it is not the control that finds secrets embedded in code; that is the job of SAST or a dedicated secret scanner in the CI pipeline.

Discussion
YUYUY (Options: AC)

This one took some thought, but then it became clear. The only problem stated in the question was the plain-text passwords in code. So how do you remove passwords from APIs? API keys to replace the passwords! A and C are the only options that make sense, and they both can be applied at the same time. B. This may help us detect misuse, but why wait for an issue to happen when you can mitigate the risk with API keys? D. This one is just irrelevant. E. This answer would be perfect if it said SAST or IAST instead of DAST. DASTs don't scan source code. F. MFA only secures the computers; the clear-text passwords are within an API, so they are still going across the network.

Amin4799 (Options: EF)

E. Incorporate a DAST (Dynamic Application Security Testing) into the DevSecOps process to identify the exposure of secrets. This will help the company to identify the potential vulnerabilities in the API code and take the necessary measures to address them. F. Enforce MFA (Multi-Factor Authentication) on the developers’ workstations and production systems. This will ensure that the authentication process is more secure and reduce the chances of unencrypted passwords being embedded in the code.

AGUDLP (Options: AE)

The company can address the finding by choosing the following two options: A. Implement complex, key-length API key management. API key management involves generating, distributing, and revoking API keys. By implementing complex, key-length API key management, the company can ensure that only authorized entities have access to the APIs. This can help prevent unauthorized access and reduce the risk of sensitive information, such as passwords, being embedded in the code. E. Incorporate a DAST (Dynamic Application Security Testing) into the DevSecOps process to identify the exposure of secrets. DAST is a testing process that involves inspecting an application in its running state for security vulnerabilities. By incorporating DAST into the DevSecOps process, the company can identify instances where secrets, such as passwords, are being exposed in the code. This can help the company address these issues before the application is deployed.

Anarckii (Options: AC)

After multiple run-throughs of the question, DAST would not be correct because dynamic analysis and testing will not look at the source code for embedded information. So E is out of the question. In consideration, we can look at the Application Programming Interface, though, and implement key management for passwords. This way there is encryption and integrity. B - Session logs wouldn't help the situation. C - Key management is already being worked on, so why not enhance it even more, since it's resolving the current issues identified? D - SOAP is just a joke in this situation. E - Already discussed. F - Another great form of security, but it focuses on the workstation and not the application. If it were directed towards MFA with the application, it would be correct.

Anarckii

Changing to E and F for these reasons: E. Incorporate a DAST into the DevSecOps process to identify the exposure of secrets: Dynamic Application Security Testing (DAST) tools can identify vulnerabilities, including the exposure of secrets, during runtime. They simulate attacks on a running application to discover security issues. In this context, DAST can help identify instances where passwords are exposed. F. Enforce MFA on the developers’ workstations and production systems: Multi-Factor Authentication (MFA) adds an extra layer of security to access control. Enforcing MFA on developer workstations and production systems can help mitigate the risk of unauthorized access, especially if passwords are compromised. While MFA doesn't directly prevent embedding passwords, it enhances overall access security.

YUYUY

I know a ChatGPT response when I see one, lol. I think your first answer was right though: AC.

ThatGuyOverThere (Options: AC)

I'm going with A and C. I don't see how the others are relevant to the question's specifics. DAST doesn't look at source code so you'd need SAST.
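As an added example (not code from the page or from any of the posters): the kind of source-level check that a SAST tool or secret scanner performs, which is what actually catches hardcoded credentials, as YUYUY and ThatGuyOverThere point out above, because a DAST only probes the running application and never reads the source. The patterns, the entropy threshold and the SAMPLE source file are all constructed for this illustration; real scanners carry hundreds of patterns.

```python
"""Added example, not code from the page: a minimal source-level secret scanner.
The patterns, the entropy threshold and SAMPLE are constructed for illustration."""
import math
import re
from typing import List, Tuple

# Credential patterns. Constructed for this example; real scanners carry hundreds.
PATTERNS = {
    # password / pwd / secret assigned a quoted literal of 6+ characters
    "password-assignment": re.compile(
        r"""(?i)(pass(word|wd)?|pwd|secret)\w*\s*[=:]\s*["']([^"']{6,})["']"""),
    # AWS access key ID format: AKIA followed by 16 upper-case alphanumerics
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # Authorization header carrying a literal bearer token of 20+ characters
    "bearer-token": re.compile(
        r"""(?i)authorization["']?\s*[:=]\s*["']?bearer\s+([A-Za-z0-9._-]{20,})"""),
}
# Any quoted literal of 24+ token-like characters is checked for randomness.
QUOTED_TOKEN = re.compile(r"""["']([A-Za-z0-9+/=_-]{24,})["']""")
ENTROPY_THRESHOLD = 4.0   # bits per character; random tokens score well above this


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's character distribution; 0.0 for empty input."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_source(text: str, path: str = "<memory>") -> List[Tuple[str, int, str]]:
    """Return (path, line_number, finding_kind) for each suspected hardcoded secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((path, lineno, kind))
        for match in QUOTED_TOKEN.finditer(line):
            if shannon_entropy(match.group(1)) >= ENTROPY_THRESHOLD:
                findings.append((path, lineno, "high-entropy-string"))
    return findings


def has_hardcoded_secrets(text: str) -> bool:
    """CI gate: fail the build when any finding is present."""
    return bool(scan_source(text))


# Constructed sample source file. Lines 2-5 should be flagged; the environment
# lookup on line 6 and the long but low-entropy string on line 7 should not.
SAMPLE = '''\
import os
DB_PASSWORD = "Sup3rS3cret!2024"
API_KEY = "AKIAIOSFODNN7EXAMPLE"
headers = {"Authorization": "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.abc"}
HMAC_KEY = "qB7x2Lp9Zk4mN1vR8wT3yU6sD0fG5hJ"
token = os.environ["ORDERS_API_KEY"]
BANNER = "welcome_to_the_orders_service_v2"
timeout = 30
'''

if __name__ == "__main__":
    for path, lineno, kind in scan_source(SAMPLE, "app/config.py"):
        print(f"{path}:{lineno}: {kind}")
```

The entropy check is what catches keys whose format is unknown to the pattern list; the threshold is deliberately set so that long identifiers made of ordinary words stay below it. Running this over the repository in CI, as a pre-commit hook or a pipeline stage, is the SAST-side control the DAST option cannot provide.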

Geofab (Options: CE)

For sure E is part of the answer (DAST). I think the next part of the answer is C because it would eliminate the need to hard-code unencrypted passwords in code. Maybe the devs are doing that because they have to in order for the API to work.

hb0011 (Options: AE)

MFA makes no sense here. It does nothing for hardcoded secrets in code.

Trap_D0_r (Options: CE)

Lol, I may not know everything, but I know this question has NOTHING to do with MFA at all. "Developers are doing bad coding, so... make sure they use Authy to log into their laptop??? What???" E. DAST is what they're already doing; that's how they discovered the security issue. Keep doing it to make sure the developers don't do something else stupid. C. There's OBVIOUSLY no key management going on here. The developers are just writing passwords into the source code, which will break the API when the keys change. In order to fix the problem, use a time-based key management strategy (sometimes called SECRET ROTATION if you're using SECRETS MANAGER). This will cause the keys to cycle every X amount of time, which means if the developers keep trying to hard-code passwords, those passwords will require regular updates in the source code, and before long they'll realize it's easier just to source the key directly from the secrets manager than to keep updating their source code. This solution forces the developers to do their job correctly, and is in alignment with industry best practices.
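As an added example (not code from the page or from any poster): one way to implement the complex, time-based API key management described in the answer explanation and in Trap_D0_r's post. It issues 256-bit random keys, stores only their hashes, expires them after a TTL, rotates them with a short grace window, and shows the client reading its key from the environment instead of from source. The ApiKeyStore class, the TTL values and the ORDERS_API_KEY variable name are assumptions for the illustration; a real deployment would back the store with a secrets manager or database.

```python
"""Added example (not code from the page): API keys that are long and random
(option A) and expire on a schedule (option C), with the client reading its key
from the environment instead of source. The in-memory store, the TTL values and
the ORDERS_API_KEY variable name are hypothetical."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Mapping, Optional, Tuple

KEY_BYTES = 32            # 256 bits of entropy per key
KEY_TTL_SECONDS = 3600    # a key is valid for one hour after issue
GRACE_SECONDS = 300       # after rotation the old key works for five more minutes


@dataclass
class KeyRecord:
    key_hash: str      # sha256 of the raw key; the raw key itself is never stored
    owner: str
    issued_at: float
    expires_at: float


class ApiKeyStore:
    """Issue, validate, rotate and revoke time-limited API keys (hypothetical store)."""

    def __init__(self) -> None:
        self._keys: Dict[str, KeyRecord] = {}   # key_id -> record

    @staticmethod
    def _hash(raw_key: str) -> str:
        return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()

    def issue(self, owner: str, now: Optional[float] = None) -> Tuple[str, str]:
        """Return (key_id, raw_key). Show raw_key to the owner once; only its hash is kept."""
        now = time.time() if now is None else now
        key_id = secrets.token_hex(8)
        raw_key = secrets.token_urlsafe(KEY_BYTES)   # 43 URL-safe chars from the CSPRNG
        self._keys[key_id] = KeyRecord(self._hash(raw_key), owner, now, now + KEY_TTL_SECONDS)
        return key_id, raw_key

    def validate(self, key_id: str, raw_key: str, now: Optional[float] = None) -> bool:
        """Reject unknown, expired or mismatched keys; compare hashes in constant time."""
        now = time.time() if now is None else now
        rec = self._keys.get(key_id)
        if rec is None or now >= rec.expires_at:
            return False
        return hmac.compare_digest(rec.key_hash, self._hash(raw_key))

    def rotate(self, key_id: str, now: Optional[float] = None) -> Tuple[str, str]:
        """Issue a replacement and cut the old key's remaining life to a short grace window."""
        now = time.time() if now is None else now
        old = self._keys[key_id]
        old.expires_at = min(old.expires_at, now + GRACE_SECONDS)
        return self.issue(old.owner, now)

    def revoke(self, key_id: str) -> None:
        self._keys.pop(key_id, None)


def client_api_key(env: Mapping[str, str]) -> str:
    """What the calling application does instead of hardcoding: read the key at
    runtime from an environment populated by the secret store or the deployment."""
    key = env.get("ORDERS_API_KEY")   # hypothetical variable name
    if not key:
        raise RuntimeError("ORDERS_API_KEY is not set; fetch it from the secret store")
    return key


if __name__ == "__main__":
    store = ApiKeyStore()
    kid, raw = store.issue("orders-service")
    print("issued", kid, "valid now:", store.validate(kid, raw))
    kid2, raw2 = store.rotate(kid)
    print("rotated to", kid2, "old key still valid in grace window:", store.validate(kid, raw))
```

Hashing the key with plain SHA-256 is adequate here only because the key itself carries 256 bits of entropy; that shortcut is not appropriate for user-chosen passwords, which need a slow password hash. The grace window is what lets the rotation run without an outage: the service accepts both keys briefly while clients pick up the new one from the secret store.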

p1s3c (Options: EF)

Based on the given scenario, the two BEST solutions to address the finding of unencrypted passwords embedded in code are: E. Incorporate a DAST into the DevSecOps process to identify the exposure of secrets: Dynamic Application Security Testing (DAST) can help detect vulnerabilities in an application's API security, including issues with password management. By incorporating DAST into the DevSecOps process, the company can identify the exposure of secrets and other vulnerabilities early in the development cycle. F. Enforce MFA on the developers’ workstations and production systems: Multi-Factor Authentication (MFA) can help prevent unauthorized access to systems and applications. By enforcing MFA on the developers’ workstations and production systems, the company can reduce the risk of attackers gaining access to sensitive information and passwords.

23169fd (Options: AE)

A. Implement complex, key-length API key management: This ensures that API keys are strong and secure, making it harder for attackers to guess or brute-force them. Complex and sufficiently long keys reduce the risk of unauthorized access. E. Incorporate a DAST into the DevSecOps process to identify the exposure of secrets: Dynamic Application Security Testing (DAST) tools can scan running applications to detect vulnerabilities, including the exposure of sensitive information such as unencrypted passwords. Integrating DAST into the DevSecOps pipeline helps in identifying and addressing these security issues early in the development process.

isaphiltrick (Options: CE)

I believe C & E are the best answers for these reasons: C. Implement time-based API key management: Time-based API key management involves issuing API keys that have a limited validity period. This approach reduces the risk associated with compromised or leaked keys because they automatically expire after a certain timeframe. It's a practical approach to mitigating the impact of potential exposure of API keys, including unencrypted passwords embedded in code. E. Incorporate a DAST into the DevSecOps process to identify the exposure of secrets: Dynamic Application Security Testing (DAST) tools are crucial for identifying vulnerabilities in deployed applications and APIs. While they don't directly inspect source code, they perform black-box testing to simulate attacks and identify potential security weaknesses, including exposed secrets like unencrypted passwords in APIs.

isaphiltrick

Here's why I don't think it's A. Implement complex, key-length API key management: While strong and complex API keys are important for security, they do not directly mitigate the risk of embedding unencrypted passwords in code. This answer choice focuses more on the strength and complexity of keys rather than addressing the specific issue of unencrypted passwords.

abrub (Options: CE)

To address the finding of unencrypted passwords embedded in the code for API management, the company can take the following actions: Implement time-based API key management (Option C): Time-based API key management involves regularly rotating or changing the API keys, reducing the impact of compromise if keys are exposed. This is especially important if developers are embedding unencrypted passwords in the code. Incorporate a DAST into the DevSecOps process to identify the exposure of secrets (Option E): Dynamic Application Security Testing (DAST) involves scanning applications during runtime to identify security vulnerabilities, including the exposure of secrets. By incorporating DAST into the DevSecOps process, the company can regularly scan the APIs for security issues, including the presence of unencrypted passwords. Options A, B, D, and F do not directly address the issue of unencrypted passwords in the code.

Cock (Options: BE)

The options that can address the finding of unencrypted passwords in the code are: B. Implement user session logging: This option is useful for tracking the activities of users and developers. It can help identify which users are accessing the API and monitor their session activities. E. Incorporate a DAST into the DevSecOps process to identify the exposure of secrets: This option is useful for identifying potential security vulnerabilities in the API code. By using a dynamic application security testing (DAST) tool, developers can scan the API code to detect any exposed secrets or unencrypted passwords.