Need

Avoid exposure of sensitive data

Context

• Usage of Elixir (1.10 and above) for building scalable and fault-tolerant applications
• Usage of generic packages or server types

Description

Non compliant code

        defmodule MySensitiveInfo do
  @password 'sensitive_password'
  @api_key 'API_KEY'
end
        
        

The source code contains sensitive data, including a password and an API key, hardcoded in the code. This is a bad practice as it exposes sensitive information directly in the source code, making it accessible to anyone who can access this code.

Steps

• Delete all hardcoded sensitive information from the source code.
• Change all affected access credentials where these have been exposed.
• Remove sensitive information from git logs if the code has been previously committed.
• Use environment variables or a secure key vault service to manage sensitive data.

Compliant code

        defmodule MySensitiveInfo do
  @password System.get_env('PASSWORD')
  @api_key System.get_env('API_KEY')
end
        
        

The revised code now retrieves sensitive data from environment variables, which are set outside of the application and not exposed in the source code. This avoids the direct exposure of sensitive information in the source code.

References

• 009. Sensitive information in source code