Question 279 - 200-901 discussion
A developer pushes an application to production. The application receives a webhook over HTTPS without a secret. The webhook information contains credentials to service in cleartext. When the information is received, it is stored in the database with an SHA-256 hash. Credentials to the database are accessed at runtime through the use of a vault service. While troubleshooting, the developer sets the logging to debug to view the message from the webhook. What is the security issue in this scenario?
Database credentials should be accessed by using environment variables defined at runtime.
During the transport of webhook messages, the credentials could be unencrypted and leaked.
During logging, debugging should be disabled for the webhook message.
Hashing the credentials in the database is not secure enough; the credentials should be encrypted.