AAAI-07

Are there any passwords/passphrases hard-coded into your systems or solutions?

Explanation

This question asks whether your software or systems contain any passwords or passphrases that are written directly (hard-coded) into source code, configuration files, or other system components. Hard-coded credentials are considered a significant security vulnerability for several reasons:

1. They cannot be easily changed without modifying and redeploying code.
2. They are often visible to anyone with access to the source code or configuration files.
3. They may be accidentally exposed in code repositories or backups.
4. They bypass normal credential management and rotation processes.
5. They often represent a privileged access path that circumvents authentication controls.

Security assessors ask this question because hard-coded credentials are a common finding in security audits and represent a high-risk vulnerability. If compromised, these credentials could provide unauthorized access to systems or data. Additionally, regulatory frameworks such as PCI DSS explicitly prohibit hard-coded credentials.

The best way to answer this question is to be honest about your current practices. If you do have hard-coded credentials, acknowledge them and describe your plans to remediate. If you don't have any, explain the controls you have in place to prevent them, such as code reviews, static analysis tools, or policies prohibiting the practice. Describe how credentials are properly managed instead (e.g., through environment variables, secure credential stores, or secret management systems).
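The following Python is an added example, not code from the original page or from ResponseHub. It shows both halves of the explanation above: a minimal heuristic scanner of the kind a pre-commit hook or CI/CD pipeline check might run to flag credential strings in source, and the hardened alternative of resolving a credential at runtime from the environment (as populated by a secrets manager or orchestrator) so that it never appears in the code. The rules, allowlist, file names and sample file contents are all constructed for illustration; a production scanner would use far richer patterns and entropy checks.

```python
import os
import re
from typing import List, Mapping, NamedTuple, Optional


class Finding(NamedTuple):
    """One suspected hard-coded credential."""
    path: str
    line_no: int
    rule: str
    text: str


# Heuristic rules (constructed for this example, not a real tool's rule set).
RULES = {
    # credential-looking name assigned a non-trivial quoted string literal
    "assignment": re.compile(
        r'(?i)(password|passwd|pwd|passphrase|secret|api[_-]?key|token)\w*'
        r'\s*[:=]\s*["\']([^"\']{4,})["\']'
    ),
    # URL-style connection string carrying user:password@host
    "connection_string": re.compile(
        r'(?i)\b[a-z][a-z0-9+.-]*://[^\s:/@]+:[^\s@]+@'
    ),
}

# Literal values that are placeholders rather than secrets: ${VAR}-style
# substitution markers, <angle-bracket> templates, and obvious dummies.
ALLOWLIST = re.compile(r'(?i)^(\$\{?[A-Z_][A-Z0-9_]*\}?|<[^>]+>|changeme|x{3,}|\*+)$')


def scan_text(path: str, text: str) -> List[Finding]:
    """Return one Finding per line that looks like it embeds a credential."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for rule, regex in RULES.items():
            match = regex.search(line)
            if match is None:
                continue
            if rule == "assignment" and ALLOWLIST.match(match.group(2)):
                continue  # placeholder, not a real value
            findings.append(Finding(path, line_no, rule, line.strip()))
            break  # one finding per line is enough to fail the check
    return findings


def load_secret(name: str, env: Optional[Mapping[str, str]] = None) -> str:
    """Hardened pattern: the credential is injected at runtime (here via an
    environment variable populated by a secrets manager or orchestrator) and
    never appears in source. A missing value fails loudly rather than
    silently falling back to a built-in default."""
    source = os.environ if env is None else env
    value = source.get(name, "")
    if not value:
        raise RuntimeError(f"credential {name!r} was not supplied at runtime")
    return value


# Constructed sample inputs: a file that would fail the check, and its fix.
SAMPLE_FILES = {
    "settings_bad.py": (
        'DB_PASSWORD = "hunter2"\n'
        'api_key = "sk_live_placeholder_0123456789"\n'
        'DATABASE_URL = "postgres://app:s3cret@db.internal/app"\n'
    ),
    "settings_good.py": (
        'import os\n'
        'DB_PASSWORD = os.environ["DB_PASSWORD"]\n'
        'api_key = "${API_KEY}"  # substituted by the deployment pipeline\n'
        'DATABASE_URL = "postgres://db.internal/app"  # credential supplied separately\n'
    ),
}


def scan_files(files: Mapping[str, str]) -> List[Finding]:
    """Scan a mapping of path -> contents, as a CI job might over a checkout."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print(f"{finding.path}:{finding.line_no} [{finding.rule}] {finding.text}")
    print("runtime lookup:", load_secret("DEMO_DB_PASSWORD", {"DEMO_DB_PASSWORD": "set-by-vault"}))
```

Run as a script it reports the three offending lines in settings_bad.py and nothing for settings_good.py, which is the shape of check a pipeline gate can fail a build on; the allowlist exists because substitution markers such as ${API_KEY} are exactly how a secrets manager injects values and must not be treated as findings.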

Example Responses

Example Response 1

No, our organization prohibits hard-coding passwords or passphrases into any systems or solutions. We enforce this through multiple controls, including: (1) regular code reviews that specifically check for credential exposure, (2) automated static code analysis tools that scan for potential credential strings in code, (3) a secrets management platform (HashiCorp Vault) that provides secure storage and retrieval of credentials at runtime, and (4) CI/CD pipeline checks that prevent code containing potential credentials from being deployed. All application and system credentials are stored in our secrets management platform and are retrieved at runtime through secure API calls with appropriate authentication.

Example Response 2

No, we do not allow hard-coded passwords in our systems. Instead, we use AWS Secrets Manager to store all credentials securely. Our applications retrieve credentials dynamically at runtime using IAM roles and temporary access tokens. We have implemented a comprehensive secrets management policy that requires all credentials to be stored in the secrets management service, with appropriate access controls and audit logging enabled. We conduct quarterly reviews of our codebase using both manual code reviews and automated scanning tools (Snyk and GitGuardian) to identify any potential credential exposure. Any violation of this policy is treated as a high-priority security incident requiring immediate remediation.

Example Response 3

Yes, our current system does contain some hard-coded credentials in legacy components. These instances have been identified through our security assessment process and are documented in our risk register. Specifically, three internal microservices contain database connection strings with embedded credentials in their configuration files. We recognize this as a security vulnerability and have developed a remediation plan to eliminate these hard-coded credentials by the end of the current quarter. The plan includes implementing a centralized secrets management solution (Azure Key Vault), refactoring the affected components to retrieve credentials at runtime, and implementing additional controls to prevent future instances of hard-coded credentials. In the interim, we have implemented compensating controls, including network segmentation, strict access controls on the configuration files, and enhanced monitoring of the affected systems.

Context

Tab: Product
Category: Authentication, Authorization, and Account Management

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub