
RG-SEC-001 Variables Exposing Password

Description

RG-SEC-001 looks for variable names within workflows that match a regular expression indicating that they hold a password, and checks that each such variable is of the data type “System.SecureString”.

This rule is configurable: the search pattern can be changed to suit other naming conventions.

Password Pattern:

The regular expression pattern used to identify variable names that contain a password.

Default Pattern:
(.*([Pp][Aa][Ss][Ss]).*([Ww][Oo][Rr][Dd]).*)|(.*[Pp][Ww][Dd].*)|(.*[Pp][Aa][Ss][Ss][Pp][Hh][Rr][Aa][Ss][Ee].*)

The pattern matches, case-insensitively, any variable name containing “pass” followed later by “word”, or containing “pwd” or “passphrase”. Because each alternative is wrapped in “.*”, a match anywhere in the name is sufficient.
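The following is an added example, not the rule's own implementation, showing the check the description and the default pattern describe: each variable name is tested against the pattern and flagged when its type is not “System.SecureString”. The variable list and the type-name strings are constructed for the example; the custom pattern at the end illustrates the configurability mentioned above.

```python
import re

# The rule's default pattern, written out in full. The spelled-out
# character classes make it case-insensitive in any regex engine.
DEFAULT_PASSWORD_PATTERN = re.compile(
    r"(.*([Pp][Aa][Ss][Ss]).*([Ww][Oo][Rr][Dd]).*)"
    r"|(.*[Pp][Ww][Dd].*)"
    r"|(.*[Pp][Aa][Ss][Ss][Pp][Hh][Rr][Aa][Ss][Ee].*)"
)

# Type name the rule requires for password-bearing variables.
SECURE_TYPE = "System.SecureString"

# Constructed sample: (variable name, declared type) pairs as a
# workflow might declare them. Not taken from any real workflow.
SAMPLE_VARIABLES = [
    ("strPassword", "System.String"),
    ("SecurePassword", "System.SecureString"),
    ("dbPwd", "System.String"),
    ("passPhrase", "System.String"),
    ("apiSecret", "System.String"),
    ("passengerCount", "System.Int32"),
    ("userName", "System.String"),
]


def looks_like_password(name, pattern=DEFAULT_PASSWORD_PATTERN):
    """True if the variable name matches the password pattern."""
    return pattern.search(name) is not None


def find_exposed_passwords(variables, pattern=DEFAULT_PASSWORD_PATTERN):
    """Return the names of variables that look like passwords but are
    not declared as System.SecureString, in declaration order."""
    return [
        name
        for name, type_name in variables
        if looks_like_password(name, pattern) and type_name != SECURE_TYPE
    ]


# A stricter, user-supplied pattern (hypothetical) that also catches
# names containing "secret", which the default pattern does not.
CUSTOM_PASSWORD_PATTERN = re.compile(r"(?i)secret|pass.*word|pwd|passphrase")


if __name__ == "__main__":
    for name in find_exposed_passwords(SAMPLE_VARIABLES):
        print(f"RG-SEC-001: variable '{name}' may hold a password but is not {SECURE_TYPE}")
    print("with custom pattern:", find_exposed_passwords(SAMPLE_VARIABLES, CUSTOM_PASSWORD_PATTERN))
```

With the default pattern, strPassword, dbPwd and passPhrase are flagged; SecurePassword passes because of its type, passengerCount and userName never match, and apiSecret is missed until the pattern is widened, which is the reason the pattern is configurable.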

Impact

Password exposure: a password held in a plain string variable can be read back in clear text.

Mitigation

Passwords, when held in workflow variables, must be declared with the type “System.SecureString” rather than a plain string type.

Further Reading

  • regex101 - build, test, and debug regex