2024 CWE Top 25 Most Dangerous Software Weaknesses: Use of Hard-coded Credentials (CWE-798)

2024 CWE Top 25 Most Dangerous Software Weaknesses: Use of Hard-coded Credentials (CWE-798)

The Common Weakness Enumeration (CWE) is an internationally recognised list of software and hardware vulnerabilities curated to guide organisations in mitigating security risks. Among the 2024 CWE Top 25 Most Dangerous Software Weaknesses, the “Use of Hard-coded Credentials” (CWE-798) stands out as a critical issue for software developers and architects. This weakness has severe ramifications for security, business continuity, and brand reputation.

This blog post delves into CWE-798, exploring its technical aspects, real-world implications, mitigation strategies, and the overarching business impact. By the end, you will be equipped with actionable insights to build more secure software systems.

Understanding CWE-798: Use of Hard-coded Credentials

What Are Hard-coded Credentials?

Hard-coded credentials refer to embedding authentication information such as usernames, passwords, API keys, or cryptographic keys directly into the source code. Developers might do this for convenience, testing, or quick deployment. However, these credentials often remain in production, creating vulnerabilities.

Why Is It Dangerous?

1. Predictability: Hard-coded credentials are static, making them predictable for attackers using reverse engineering or code scanning tools.
2. Wide Access: If discovered, these credentials can provide attackers with privileged access to systems, databases, or APIs.
3. Difficult to Update: Updating hard-coded credentials across distributed software or devices is cumbersome and error-prone.

The Prevalence of CWE-798

Statistics and Trends

According to the latest studies:

• Over 40% of data breaches in recent years have been linked to weak or exposed credentials.
• A large proportion of IoT devices rely on factory-set credentials, many of which are hard-coded.
• Hard-coded credentials have featured in several high-profile attacks, underscoring their relevance in the CWE Top 25 list.

Case Studies

1. Mirai Botnet (2016)
   
   The infamous Mirai botnet exploited IoT devices with hard-coded credentials, amassing a network of compromised devices to launch DDoS attacks.
   
2. Code Repository Leaks
   
   Developers inadvertently push code with embedded credentials to public repositories such as GitHub, giving attackers easy access.
   

Real-World Cyber Incidents Involving CWE-798: Use of Hard-coded Credentials

CWE-798, the use of hard-coded credentials, is a vulnerability that has played a significant role in numerous high-profile cyber incidents. Below are examples that highlight the critical impact of this weakness on organisations, software systems, and end-users.

1. Mirai Botnet Attack (2016)

Overview:

The Mirai botnet is one of the most infamous examples of how hard-coded credentials can be exploited. The malware targeted Internet of Things (IoT) devices such as routers, IP cameras, and DVRs.

Exploit:

• Many IoT devices shipped with factory-set, hard-coded credentials (e.g., “admin:admin”).
• The malware scanned the internet for devices still using these default credentials.
• Once compromised, devices were added to the botnet.

Impact:

• The botnet orchestrated massive DDoS attacks, including the one on Dyn DNS, which disrupted major services like Twitter, Netflix, and Reddit.
• The incident highlighted the dangers of hard-coded credentials in IoT devices and prompted changes in device security standards.

2. Uber Data Breach (2016)

Overview:

In 2016, Uber suffered a significant data breach where the personal information of 57 million users and drivers was exposed.

Exploit:

• The attackers accessed Uber’s GitHub repository, which contained hard-coded AWS credentials.
• Using these credentials, they accessed Uber’s AWS S3 storage buckets, stealing sensitive data.

Impact:

• Uber paid a $148 million fine as part of a settlement with US regulators.
• The breach damaged Uber’s reputation and emphasised the need for secure credentials management.

3. Tesla Kubernetes Cluster Breach (2018)

Overview:

Attackers exploited Tesla’s Kubernetes administration console, which was left unsecured and exposed to the internet.

Exploit:

• The console contained hard-coded AWS credentials, allowing attackers to access sensitive data and resources.
• The breach also enabled attackers to use Tesla’s cloud infrastructure for cryptocurrency mining (cryptojacking).

Impact:

• Tesla incurred operational disruptions and costs related to incident response and securing their infrastructure.
• The breach highlighted the risks of embedding credentials in configuration files or exposed systems.

4. SolarWinds Supply Chain Attack (2020)

Overview:

The SolarWinds Orion software supply chain attack impacted thousands of organisations, including US government agencies and Fortune 500 companies.

Exploit:

• Hard-coded credentials in SolarWinds products were identified during the investigation.
• A critical password (“solarwinds123”) was embedded in the code and leaked in a public GitHub repository.

Impact:

• The attack allowed nation-state actors to infiltrate sensitive networks globally.
• The incident underscored the systemic risks posed by hard-coded credentials in widely used software.

5. Fortinet VPN Vulnerability Exploitation (2021)

Overview:

Fortinet, a cybersecurity solutions provider, faced scrutiny after attackers exploited a VPN vulnerability.

Exploit:

• Multiple Fortinet devices were found to use hard-coded credentials for administrative access.
• Attackers leveraged these credentials to gain access to corporate networks.

Impact:

• Sensitive organisational data was exposed in several incidents.
• It prompted Fortinet to issue patches and alerts, urging administrators to update their systems and change default credentials.

6. SonicWall Email Security Appliance Breach (2021)

Overview:

In 2021, SonicWall disclosed that its Email Security Appliance contained hard-coded credentials.

Exploit:

• Attackers could use these credentials to access and compromise the appliance.
• This vulnerability allowed for potential exploitation, including unauthorised access to sensitive email data.

Impact:

• SonicWall had to release urgent patches, and organisations faced significant downtime to secure their systems.
• The incident highlighted the persistence of CWE-798 in enterprise-grade solutions.

7. IoT Camera Vulnerabilities (2022)

Overview:

Security researchers discovered multiple IoT camera brands shipping devices with hard-coded credentials.

Exploit:

• These credentials were often poorly documented or hidden, giving attackers backdoor access.
• Cameras compromised via this method were used in espionage and privacy invasion incidents.

Impact:

• Consumer trust in IoT security plummeted.
• Regulatory bodies began pushing for stricter security standards, including banning hard-coded credentials.

8. Okiru and Satori Botnets

Overview:

Variants of the Mirai botnet, such as Okiru and Satori, continued exploiting hard-coded credentials in IoT devices.

Exploit:

• Devices with default, hard-coded usernames and passwords were scanned and added to botnets.
• These botnets were used in cyberattacks on critical infrastructure and cryptojacking campaigns.

Impact:

• The attacks disrupted essential services and highlighted vulnerabilities in IoT ecosystems.
• Governments and industry leaders were forced to reassess IoT security practices.

Lessons Learned

These incidents underline the devastating consequences of using hard-coded credentials. From supply chain attacks to IoT vulnerabilities, CWE-798 is a recurring theme in cyber breaches. Addressing this issue is not just a technical responsibility but a business imperative, requiring proactive measures from developers, architects, and executives alike.

Real-world Implications

For Software Developers and Architects

• Technical Debt: Hard-coded credentials increase long-term maintenance challenges and technical debt.
• Compliance Risks: Violations of GDPR, CCPA, or other data protection regulations can occur if hard-coded credentials lead to breaches.
• Reputation Damage: Security incidents erode client trust and tarnish an organisation’s reputation.

For Businesses

From a C-Suite perspective:

• Financial Loss: A single breach due to hard-coded credentials can cost millions in damages and fines.
• Operational Disruption: Compromised systems may lead to downtime, affecting service delivery and revenue.
• Investor Confidence: Persistent vulnerabilities reflect poorly on governance and can deter investors.

Identifying Hard-coded Credentials

Static Code Analysis

Tools such as SonarQube, Checkmarx, or Veracode can scan source code repositories for patterns resembling credentials.

Manual Code Review

Although labour-intensive, manual reviews can uncover instances where automated tools might fail, especially in custom logic.

Dynamic Testing

Penetration testing and dynamic application security testing (DAST) can simulate real-world scenarios to identify vulnerabilities.

Mitigation Strategies

Secure Coding Practices

Environment Variables: Store credentials in environment variables instead of embedding them in code. For example:

import os

password = os.getenv(“DB_PASSWORD”)

2. Configuration Files: Use encrypted configuration files with restricted access. Ensure these files are excluded from version control.
   
3. Secrets Management Tools: Leverage tools like HashiCorp Vault, AWS Secrets Manager, or Azure Key Vault to securely store and retrieve credentials.
   

Token-based Authentication

Replace static credentials with token-based systems, such as OAuth, which allow granular and revocable access controls.

Regular Rotation

Establish automated processes to rotate credentials periodically, minimising the impact of any potential exposure.

Educating Developers

Provide ongoing training and workshops to ensure teams are aware of secure coding practices and understand the risks associated with hard-coded credentials.

Architectural Considerations

Shift-Left Security

Incorporate security practices early in the software development lifecycle (SDLC). This approach ensures vulnerabilities like hard-coded credentials are caught during development rather than after deployment.

Zero Trust Architecture

Adopt a zero-trust model where access to resources is dynamically verified based on multiple factors rather than relying solely on static credentials.

Logging and Monitoring

Implement robust logging mechanisms to detect unauthorised access attempts. Use SIEM (Security Information and Event Management) tools to analyse patterns and alert on anomalies.

Business Impact and ROI of Addressing CWE-798

Risk Mitigation

By eliminating hard-coded credentials, businesses can significantly reduce their exposure to cyberattacks, ensuring compliance with regulatory standards and protecting intellectual property.

Cost Efficiency

Investing in secure development practices upfront saves costs associated with breach remediation, legal fees, and brand damage.

Competitive Advantage

Organisations that prioritise security often enjoy higher client trust and loyalty, differentiating themselves in competitive markets.

Practical Tips for Developers and Architects

1. Automate Scanning: Integrate static code analysis tools into CI/CD pipelines to catch hard-coded credentials before deployment.
2. Version Control Hygiene: Add sensitive keywords to .gitignore files and utilise tools like GitHub Advanced Security for secret scanning.
3. Use API Gateways: Protect APIs with gateways that handle authentication, reducing the need for credentials in code.
4. Collaboration: Foster collaboration between security teams and developers to ensure vulnerabilities are addressed effectively.

Table: Tools Comparison

Risk Mitigation Strategies for CWE-798: Use of Hard-coded Credentials

Mitigating the risks associated with CWE-798 requires a multifaceted approach that integrates secure development practices, robust architecture, and vigilant maintenance. Below, we outline key strategies to effectively eliminate the use of hard-coded credentials in software systems.

1. Secure Secrets Management

Secrets management tools provide a centralised and secure way to handle credentials. By leveraging these tools, developers can avoid embedding credentials in the source code.

Recommended Tools:

• HashiCorp Vault: Manages secrets dynamically and ensures access control.
• AWS Secrets Manager: Offers seamless integration for cloud-native applications.
• Azure Key Vault: Ensures secure storage and management of credentials within the Azure ecosystem.

Benefits:

• Dynamic secrets: Credentials can be generated and revoked on demand.
• Access control: Role-based access ensures only authorised entities can retrieve secrets.

2. Use Environment Variables

Storing credentials in environment variables keeps them separate from the source code, reducing the likelihood of accidental exposure.

Implementation Example (Python):

import os

database_password = os.getenv(“DB_PASSWORD”)

Best Practices:

• Use .env files for local development and add them to .gitignore to prevent accidental commits.
• In production, configure environment variables at the system level or through orchestration tools like Docker and Kubernetes.

3. Token-Based Authentication

Replacing static credentials with token-based systems significantly enhances security. Tokens are time-bound and context-specific, minimising the risk of misuse.

Common Implementations:

• OAuth 2.0: A widely adopted framework for delegated access.
• JWT (JSON Web Tokens): Encodes claims and is used for secure communication.

Benefits:

• Revocability: Tokens can be invalidated at any time.
• Granularity: Access can be restricted to specific resources or actions.

4. Credential Rotation

Regularly rotating credentials ensures that even if they are compromised, their validity is limited.

Automation Tools:

• AWS IAM Access Analyzer: Automates key rotation in AWS environments.
• HashiCorp Vault: Dynamically rotates secrets and revokes them as needed.

Recommendations:

• Set policies to rotate keys, passwords, and tokens automatically.
• Monitor usage to detect stale or unused credentials.

5. Static and Dynamic Code Analysis

Automated tools can identify hard-coded credentials in source code and binaries, enabling early detection and resolution.

Recommended Tools:

• SonarQube: Performs static code analysis and identifies vulnerabilities.
• Checkmarx: Offers both static and interactive application security testing (SAST and IAST).
• GitHub Advanced Security: Scans repositories for secrets during commit or push events.

Benefits:

• Continuous monitoring of codebases.
• Integration with CI/CD pipelines ensures vulnerabilities are addressed before deployment.

6. Educating Developers

Developers must be trained to understand the risks of hard-coded credentials and adopt secure coding practices.

Training Topics:

• Risks associated with CWE-798.
• Implementing secure authentication mechanisms.
• Using secrets management tools effectively.

Implementation:

• Conduct regular workshops and webinars.
• Provide access to learning platforms like OWASP and Secure Code Warrior.

7. Shift-Left Security

Incorporate security considerations early in the software development lifecycle (SDLC). This reduces the cost of addressing vulnerabilities and improves overall security posture.

Tactics:

• Embed security tools in IDEs (e.g., JetBrains or Visual Studio Code).
• Include security requirements in user stories and acceptance criteria.

Benefits:

• Early detection and resolution of vulnerabilities.
• Fewer security issues post-deployment.

8. Implement Zero Trust Principles

Adopting a zero trust architecture ensures that every request is verified, irrespective of its origin. This makes it harder for attackers to exploit credentials.

Core Principles:

• Continuous verification of users and devices.
• Least privilege access.
• Multi-factor authentication (MFA) for sensitive operations.

Tools and Frameworks:

• Google’s BeyondCorp for enterprise-grade zero trust implementation.
• Azure Active Directory for seamless integration with zero trust principles.

9. Logging and Monitoring

Implement robust logging and monitoring to detect unauthorised access or misuse of credentials.

Recommended Practices:

• Use SIEM (Security Information and Event Management) tools like Splunk or ELK Stack to aggregate and analyse logs.
• Set up alerts for failed login attempts or suspicious activity.

Benefits:

• Real-time detection of potential breaches.
• Forensic capabilities to investigate incidents.

10. Establish Secure Deployment Pipelines

Secure CI/CD pipelines ensure that credentials are not exposed during the build or deployment process.

Best Practices:

• Use tools like Jenkins, GitLab CI/CD, or Azure DevOps with secret masking features.
• Store build-time secrets in secure vaults accessible only during deployment.

11. Regulatory and Compliance Alignment

Adhering to regulatory standards not only ensures compliance but also mitigates risks associated with hard-coded credentials.

Examples:

• GDPR and CCPA: Require organisations to safeguard personal data, which may be exposed through poor credential management.
• NIST Cybersecurity Framework: Provides guidelines on secure access control and credential handling.

12. Adopt Secure Defaults

Ensure all systems and software components are configured with secure defaults to minimise reliance on credentials.

Examples:

• Disable default accounts and passwords in devices before deployment.
• Implement certificate-based authentication where feasible.

13. Regular Penetration Testing

Penetration testing simulates real-world attacks to identify and resolve vulnerabilities related to CWE-798.

Benefits:

• Uncovers vulnerabilities missed during development.
• Validates the effectiveness of implemented mitigation measures.

Tools:

• Burp Suite for web application penetration testing.
• Metasploit for simulating exploitation scenarios.

Risk Mitigation

Mitigating CWE-798 requires a proactive and systematic approach that combines technology, processes, and awareness. For software developers and architects, adopting these risk mitigation strategies not only protects systems but also aligns with business goals such as regulatory compliance, risk reduction, and operational resilience.

By implementing these practices, organisations can strengthen their security posture, reduce the likelihood of credential-related breaches, and foster trust among stakeholders. Security is not an afterthought—it is a fundamental enabler of sustainable innovation and growth.

Final Thoughts

The “Use of Hard-coded Credentials” (CWE-798) is a persistent vulnerability with far-reaching consequences. For software developers and architects, addressing this weakness is not merely a technical task but a strategic imperative. By adopting secure coding practices, leveraging secrets management tools, and fostering a culture of security, organisations can mitigate risks effectively.

For the C-suite, investing in proactive measures to eliminate CWE-798 aligns with broader goals of risk reduction, regulatory compliance, and value creation. Security is no longer a cost centre but a pivotal enabler of business continuity and growth.

By taking the insights from this article to heart, software professionals can safeguard systems, protect data, and build resilient, future-ready applications.