Non-encrypted confidential information - Base 64 - Elixir

Non-encrypted confidential information - Base 64 - Elixir

Need

To secure sensitive information like service credentials.

Context

  • Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
  • Usage of Phoenix Framework for web development
  • Usage of Ecto for database interactions

Description

Non compliant code

        defmodule MyApp.Config do
  @db_username "c2VydmljZV91c2Vy"
  @db_password "c2VydmljZV9wYXNzd29yZA=="

  def get_db_credentials do
    username = Base.decode64!(@db_username)
    password = Base.decode64!(@db_password)
    {username, password}
  end
end
        
        

This code is vulnerable because it stores service credentials as Base64 encoded strings in the source code. While Base64 encoding might obscure the credentials at first glance, it is a reversible operation that does not provide any real security. Anyone with access to the code can easily decode the credentials.

Steps

  • Use environment variables to store service credentials.
  • Use a secure and encrypted key vault service to store sensitive data.
  • Purge sensitive data from version control history.

Compliant code

        defmodule MyApp.Config do

  def get_db_credentials do
    username = System.get_env("DB_USERNAME")
    password = System.get_env("DB_PASSWORD")
    {username, password}
  end
end
        
        

In this secure code example, environment variables are used to store the service credentials. This means that the credentials are no longer stored in the source code and can be managed securely outside the application, for example, through the settings of the hosting environment or using an encrypted key vault service.

References