Secure Application to Application Password Management

Privileged Password and Privileged Session Management

According to the 2016 Verizon Data Breach Investigations Report, 63% of confirmed data breaches involved weak, default or stolen passwords. Beyond insiders using valid credentials, many of these attacks involve hackers who gain internal access by compromising desktops, establishing a foothold, and then leveraging captured or stolen credentials to move laterally within the corporate perimeter. In response, organizations must continue to make lateral movement harder for these attackers. Best-practice recommendations include implementing multi-factor authentication, complex password policies, unique passwords across systems, and frequent password changes. However, one privilege vulnerability that is challenging to address and often overlooked is hard-coded passwords found within code, scripts and supporting files.

Whether for simplicity, limited security education, or lack of an alternative solution, hard-coded passwords remain prevalent in both legacy and newly minted software in organizations around the globe. Take, for example, a simple connection string call:

MyApp.getConnection(url/database, UserName, Password)

While this code will create the connections the application needs, every developer with access to the code base also has access to the password. Not only does this expose the password to the internal development team; it also creates significant ongoing operational and security challenges:

  • Once the software is deployed in production, the password cannot be changed without patching the software, which can be costly and impact availability.
  • All internal users (employees, contractors, vendors) with access to this information can use it to reach data they are not authorized to see.
  • Any hackers with access, even to compiled binaries, can use various tools to disassemble the code, which will contain the values of the passwords used.
  • Code that contains passwords may become publicly available through libraries, externally accessible URLs, emails, posts, etc.
  • Source code is mobile. Over time it may be copied, moved, and stored in various locations within an organization.
  • Hard-coded passwords require exceptions to best practices such as regularly changing passwords to support security and compliance objectives.
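A defender-side check for the problem described above: a small source scanner, added here as an example and not part of the original data sheet or of PowerBroker Password Safe, that flags connection calls and configuration keys carrying a literal password while ignoring values pulled from the environment or a vault client at runtime. The sample lines, the MyApp call shape and the vault.get_credential name are constructed assumptions.

```python
import re
from typing import List, Tuple

# Connection-style call with a positional password argument, the shape the
# page's MyApp.getConnection(url, user, password) example takes.
CONN_CALL = re.compile(r"\b(?:getConnection|connect)\s*\(([^)]*)\)", re.IGNORECASE)
# A quoted literal assigned to a password-like key in code, YAML or JSON
# (password = "...", passwd: "...", "db_password": "...").
PASSWORD_ASSIGN = re.compile(
    r"\b\w*(?:password|passwd|pwd|secret)['\"]?\s*[:=]\s*(['\"])(.+?)\1",
    re.IGNORECASE,
)
# A whole argument that is nothing but a quoted string.
STRING_LITERAL = re.compile(r"^\s*(['\"])(.*)\1\s*$")


def is_hardcoded_connection(args: str) -> bool:
    """True when the password position (last argument) of a connection call
    is a quoted literal rather than a variable or a runtime lookup."""
    parts = [p.strip() for p in args.split(",")]  # assumes no commas inside the URL
    return len(parts) >= 3 and STRING_LITERAL.match(parts[-1]) is not None


def scan_lines(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, reason) for every line that embeds a credential
    literal. Values obtained at runtime (os.environ[...], a vault client
    call) never match, because they are not quoted literals."""
    findings: List[Tuple[int, str]] = []
    for number, line in enumerate(lines, start=1):
        call = CONN_CALL.search(line)
        if call and is_hardcoded_connection(call.group(1)):
            findings.append((number, "literal password in connection call"))
            continue
        if PASSWORD_ASSIGN.search(line):
            findings.append((number, "literal assigned to password variable"))
    return findings


# Constructed sample lines; only lines 1, 3 and 5 embed a credential.
SAMPLE_SOURCE = [
    'conn = MyApp.getConnection("jdbc:postgresql://db01/app", "svc_app", "Winter2016!")',
    'conn = MyApp.getConnection("jdbc:postgresql://db01/app", "svc_app", os.environ["DB_PASSWORD"])',
    'password = "hunter2"',
    'password = vault.get_credential("db01/svc_app")',  # hypothetical vault client
    '"db_password": "P@ssw0rd"',
    'password_policy = "rotate-every-30-days"',
]

if __name__ == "__main__":
    for number, reason in scan_lines(SAMPLE_SOURCE):
        print(f"line {number}: {reason}: {SAMPLE_SOURCE[number - 1]}")
```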

ELIMINATING HARD-CODED PASSWORDS WITH POWERBROKER

Controlling scripts, files, code, and embedded keys helps close back doors to your critical systems. Getting control can be a challenge, but with PowerBroker Password Safe you can eliminate hard-coded or embedded application credentials, simplify management, and better secure the organization against exploitation of those credentials. PowerBroker Password Safe is a comprehensive solution that includes functionality such as application-to-application password management and session management at no additional charge. PowerBroker Password Safe:

  • Reduces risk by closing unknown or unmanaged back doors to your systems.
  • Allows removal of hard-coded passwords from applications and scripts.
  • Provides an extensible REST interface that supports many languages, including C/C++, Perl, .NET, and Java.
  • Ensures that passwords can be automatically reset upon release.
  • Enforces extensive security controls to lock down access to only authorized apps.

A simple step-by-step guide using Password Safe:

  • Create an Application Security Profile in the central console.
  • Configure the access policy to include factors such as location, certificate, date/time controls, and real-time alerts.
  • Write script/code that replaces hard-coded passwords in applications with a REST API call.
  • Execute the application (credentials are dynamically released through the API).
  • Credentials are released and then optionally cycled after use.
  • Application-to-application usage may be viewed in the centralized audit log through delegated reporting mechanisms.
  • From the central console, credential use may be examined to identify approved/unapproved activity.

Read the complete Data Sheet!
