
RG-SEC-002 Arguments Exposing Password

Description

RG-SEC-002 looks for workflow argument names that match a regular expression indicating they contain a password and checks that they are of the data type “System.SecureString”.

This rule is configurable to cater for different search patterns.


Password Pattern:

The regular expression pattern used to identify argument names that contain passwords.

Default Pattern:
(.*([Pp][aa][Ss][ss]).*([Ww][oo][Pr][dd]).*)|(.*[Pp][ww][Dd].*)|(.*[Pp][aa][Ss][ss][Pp][hh][Rr][aa][Ss][ee].*)

Impact

Password Exposure

Mitigation

Passwords, when held in arguments, must be of the type “System.SecureString”.
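The following script is an added illustration of what RG-SEC-002 checks; it is not the rule's own implementation and does not come from the page's project. It applies the documented default pattern to the argument declarations of a workflow and reports every password-like argument whose type is not SecureString. The XAML fragment is constructed here for the example; the `x:Members` / `x:Property` layout and the `ss:SecureString` type alias are assumptions about how workflow arguments are declared. The pattern is used verbatim, including the `[Pr]` class as printed above (a typo for `[Rr]` is my assumption), and because the `[aa]`, `[ss]` and similar classes only accept lowercase letters, an all-uppercase name such as `in_PASSWORD` is not flagged by the default pattern, which is one reason the rule is configurable.

```python
import re
import xml.etree.ElementTree as ET

# Default pattern exactly as documented for RG-SEC-002 ("[Pr]" kept as printed on the page).
PASSWORD_PATTERN = re.compile(
    r"(.*([Pp][aa][Ss][ss]).*([Ww][oo][Pr][dd]).*)"
    r"|(.*[Pp][ww][Dd].*)"
    r"|(.*[Pp][aa][Ss][ss][Pp][hh][Rr][aa][Ss][ee].*)"
)

XAML_NS = "http://schemas.microsoft.com/winfx/2006/xaml"

# Constructed sample workflow (assumed layout of argument declarations, not a real project file).
SAMPLE_XAML = """<Activity x:Class="Main"
          xmlns="http://schemas.microsoft.com/netfx/2009/xaml/activities"
          xmlns:ss="clr-namespace:System.Security;assembly=mscorlib"
          xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml">
  <x:Members>
    <x:Property Name="in_Username" Type="InArgument(x:String)" />
    <x:Property Name="in_Password" Type="InArgument(x:String)" />
    <x:Property Name="in_SecurePassword" Type="InArgument(ss:SecureString)" />
    <x:Property Name="io_ApiPwd" Type="InOutArgument(x:String)" />
    <x:Property Name="in_Passphrase" Type="InArgument(x:String)" />
    <x:Property Name="in_PASSWORD" Type="InArgument(x:String)" />
  </x:Members>
</Activity>
"""


def workflow_arguments(xaml_text):
    """Return (name, type) pairs for every argument declared under x:Members."""
    root = ET.fromstring(xaml_text)
    members = root.find(f"{{{XAML_NS}}}Members")
    if members is None:
        return []
    return [
        (prop.get("Name", ""), prop.get("Type", ""))
        for prop in members.findall(f"{{{XAML_NS}}}Property")
    ]


def is_password_argument(name, pattern=PASSWORD_PATTERN):
    """True when the argument name matches the (configurable) password pattern."""
    return pattern.search(name) is not None


def is_secure_string(type_decl):
    """True when the declared argument type is System.SecureString (any alias)."""
    return "SecureString" in type_decl


def check_rg_sec_002(xaml_text, pattern=PASSWORD_PATTERN):
    """Return [(name, type)] for password-like arguments not held as SecureString."""
    return [
        (name, type_decl)
        for name, type_decl in workflow_arguments(xaml_text)
        if is_password_argument(name, pattern) and not is_secure_string(type_decl)
    ]


if __name__ == "__main__":
    for name, type_decl in check_rg_sec_002(SAMPLE_XAML):
        print(f"RG-SEC-002: argument '{name}' of type '{type_decl}' should be System.SecureString")
```

Running the script reports `in_Password`, `io_ApiPwd` and `in_Passphrase`; `in_SecurePassword` passes because its type is SecureString, `in_Username` is not password-like, and `in_PASSWORD` is silently missed by the default pattern. To widen coverage, pass a different compiled pattern (for example one built with `re.IGNORECASE`) to `check_rg_sec_002`, which mirrors the rule's configurable search pattern.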

Further Reading

  • regex101 - build, test, and debug regex