ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question
During a peer review you notice that a Java properties file committed to the project's source-code repository contains the production database user name and password in clear text. To align with secure configuration management practices for credential handling, which action should the development team take?
Remove the credentials from the repository and load them at runtime from a controlled secrets vault or platform secret store that is integrated with the build and deployment pipeline.
Keep the credentials in the same file but replace them with base64-encoded strings to avoid casual inspection.
Apply a custom reversible obfuscation algorithm to the credentials before compilation so they are unreadable in the source tree.
Move the credentials into code comments and configure the build system to strip comments in release builds.
Hard-coding secrets in source code violates secure configuration management principles because the credentials are exposed to anyone who can access the repository and cannot be rotated without a code change. The recommended practice is to remove secrets from code entirely and store them in a dedicated, access-controlled secrets management mechanism (such as a vault or the platform's built-in secrets store). The application can then load the credentials at runtime through environment variables or secure APIs. Simply encoding, obfuscating, or hiding the secrets in comments does not provide real security; encoding is easily reversible, custom obfuscation is weak and hard to maintain, and comments can be recovered from version history. Therefore, migrating the credentials to a managed secrets store and referencing them securely at runtime is the correct remediation.
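The following Java class is an added illustration of the remediation described above; it is not code from the original page. It keeps only non-secret settings in the committed properties file, refuses to start if a credential key has crept back into that file, and reads the user name and password at runtime from environment variables. The variable names DB_USER and DB_PASSWORD, the sample properties text, and the assumption that the deployment pipeline populates those variables from the secrets vault are all constructed for this example.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.Properties;

/**
 * Added example (not from the original page): database credentials are
 * loaded from the runtime environment instead of a committed properties
 * file, and startup fails fast if a secret is still present in that file.
 */
public final class DbCredentials {

    // Constructed sample of what the committed properties file should contain:
    // connection settings only, no user name and no password.
    static final String COMMITTED_PROPERTIES =
            "db.url=jdbc:postgresql://db.internal:5432/app\n"
          + "db.pool.size=10\n";

    // Constructed sample of the file as found during the peer review.
    // The values are placeholders, not real credentials.
    static final String LEAKED_PROPERTIES =
            COMMITTED_PROPERTIES
          + "db.user=app_user\n"
          + "db.password=PLACEHOLDER_CLEARTEXT_PASSWORD\n";

    // Keys that must never appear in a committed configuration file.
    static final List<String> FORBIDDEN_KEYS = List.of("db.user", "db.password");

    final String url;
    final String user;
    final char[] password;

    private DbCredentials(String url, String user, char[] password) {
        this.url = url;
        this.user = user;
        this.password = password;
    }

    /** Parses the committed properties text and rejects any credential key. */
    static Properties loadNonSecretConfig(String propertiesText) throws IOException {
        Properties props = new Properties();
        props.load(new StringReader(propertiesText));
        for (String key : FORBIDDEN_KEYS) {
            if (props.containsKey(key)) {
                throw new IllegalStateException(
                    "Secret '" + key + "' found in committed configuration; move it to the secret store");
            }
        }
        return props;
    }

    /**
     * Builds credentials from the environment map. The DB_USER and DB_PASSWORD
     * variables are assumed to be injected by the deployment pipeline from the
     * secrets vault; they are never read from the source tree.
     */
    static DbCredentials fromEnvironment(Properties nonSecret, Map<String, String> env) {
        String user = require(env, "DB_USER");
        String password = require(env, "DB_PASSWORD");
        return new DbCredentials(nonSecret.getProperty("db.url"), user, password.toCharArray());
    }

    private static String require(Map<String, String> env, String name) {
        String value = env.get(name);
        if (value == null || value.isBlank()) {
            throw new IllegalStateException("Missing required secret in environment: " + name);
        }
        return value;
    }

    /** Overwrites the password in memory once it is no longer needed. */
    void wipe() {
        Arrays.fill(password, '\0');
    }

    public static void main(String[] args) throws IOException {
        // The leaked file is rejected before any connection attempt.
        try {
            loadNonSecretConfig(LEAKED_PROPERTIES);
        } catch (IllegalStateException e) {
            System.out.println("Rejected committed config: " + e.getMessage());
        }

        // The cleaned file is accepted and the secrets come from the environment.
        Properties config = loadNonSecretConfig(COMMITTED_PROPERTIES);
        DbCredentials creds = fromEnvironment(config, System.getenv());
        System.out.println("Connecting to " + creds.url + " as " + creds.user);
        // ... open the JDBC connection with creds.password here, then:
        creds.wipe();
    }
}
```

Running the class without DB_USER and DB_PASSWORD set ends with the "Missing required secret" error, which is the intended behaviour: a missing secret should stop deployment rather than fall back to a value baked into the repository. Holding the password as a char array and wiping it after use limits how long the secret lingers in memory, and the forbidden-key check gives the review a mechanical guard so the same finding does not recur.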
ISC2 Certified Secure Software Lifecycle Professional (CSSLP)
Secure Software Implementation