CompTIA CASP+ Exam: CAS-003 Practice Questions and Answers

Securing Automated Testing and Credentials for Web Applications

Question

A software development team is conducting functional and user acceptance testing of internally developed web applications using a COTS solution.

For automated testing, the solution uses valid user credentials from the enterprise directory to authenticate to each application.

The solution stores the username in plain text and the corresponding password as an encoded string in a script within a file, located on a globally accessible network share.

The account credentials used belong to the development team lead.

To reduce the risks associated with this scenario while minimizing disruption to ongoing testing, which of the following are the BEST actions to take? (Choose two.)

Answers

Explanations


AB.

The scenario described poses several risks, including unauthorized access to the plain text username and the encoded password, as well as the potential for compromise of the development team lead's account. To mitigate these risks while minimizing disruption to ongoing testing, the best actions to take are:

A. Restrict access to the network share by adding a group only for developers to the share's ACL: By restricting access to the network share, only authorized developers will be able to access the file containing the encoded password. This will reduce the risk of unauthorized access and compromise of the password. Adding a group for developers to the share's access control list (ACL) will ensure that only authorized personnel can access the share. This action is relatively easy to implement and does not require significant changes to the current setup.

B. Implement a new COTS solution that does not use hard-coded credentials and integrates with directory services: Implementing a new COTS solution that integrates with directory services will eliminate the need for hard-coded credentials and improve security. This solution will allow the software development team to use their enterprise directory credentials for authentication instead of the hard-coded credentials. This action will require significant changes to the current setup and may cause disruption to ongoing testing. However, it will provide a more secure solution in the long term.

C. Obfuscate the username within the script file with encoding to prevent easy identification of the account used: Obfuscating the username within the script file will make it harder for attackers to identify the account used for authentication. However, this action alone does not provide sufficient security, as the encoded password can still be compromised. Moreover, encoding is reversible and can be easily undone by attackers with sufficient skills. Therefore, this action should be combined with other security measures to provide a more comprehensive solution.

D. Provision a new user account within the enterprise directory and enable its use for authentication to the target applications. Share the username and password with all developers for use in their individual scripts: Provisioning a new user account and sharing the username and password with all developers for use in their individual scripts will increase the risk of compromise of the account and is not recommended. This action violates the principle of least privilege and may lead to unauthorized access to the applications.

E. Redesign the web applications to accept single-use, local account credentials for authentication: Redesigning the web applications to accept single-use, local account credentials for authentication will increase security. However, this action may require significant changes to the application code and may cause disruption to ongoing testing. Therefore, it may not be the best option to minimize disruption while addressing the security risks in the short term.

In conclusion, the best actions to take to reduce the risks associated with the scenario while minimizing disruption to ongoing testing are A and B. By restricting access to the network share and implementing a new COTS solution that integrates with directory services, the software development team can improve security and reduce the risk of unauthorized access and compromise of account credentials.
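As an added example that is not part of the exam material, the following Python audit is the kind of check a defender could run over script files found on a share: it flags credential-looking assignments and shows that a Base64 "encoded" password is recovered with a single library call, which is why encoding (option C) adds no real protection. The sample script content and variable names are constructed for this illustration.

```python
"""Audit test scripts for credentials stored in plain text or reversible encoding."""
import base64
import binascii
import re
from typing import List, Optional

# Constructed sample of a test-runner script like the one in the scenario:
# plain-text username plus a Base64 "encoded" password, sitting on a share.
SAMPLE_SCRIPT = """\
# automated UAT runner (constructed sample)
username = "jdoe.lead"
password_enc = "UGFzc3cwcmQhMjAyNA=="
timeout = 30
"""

# Assignment lines whose variable name hints at a credential.
CRED_RE = re.compile(
    r'^\s*(?P<name>[A-Za-z_]*(?:user|pass|pwd|secret|token)[A-Za-z_]*)'
    r'\s*=\s*["\'](?P<value>[^"\']+)["\']',
    re.IGNORECASE,
)


def decode_if_base64(value: str) -> Optional[str]:
    """Return the decoded text if value is strict Base64 of printable ASCII, else None."""
    try:
        raw = base64.b64decode(value, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError):  # UnicodeDecodeError is a ValueError
        return None
    return text if text and text.isprintable() else None


def audit_script(text: str) -> List[dict]:
    """One finding per credential-looking assignment, with the value as an attacker sees it."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = CRED_RE.match(line)
        if not m:
            continue
        decoded = decode_if_base64(m.group("value"))
        findings.append({
            "line": lineno,
            "name": m.group("name"),
            "kind": "reversible-encoding" if decoded else "plaintext",
            # Encoding is not encryption: the secret is recovered without any key.
            "recovered": decoded if decoded else m.group("value"),
        })
    return findings


if __name__ == "__main__":
    for f in audit_script(SAMPLE_SCRIPT):
        print(f"line {f['line']}: {f['name']} ({f['kind']}) -> {f['recovered']}")
```

Running the audit over the share's script files, and fixing the share ACL (option A) so only the developer group can read them, addresses the immediate exposure; removing the hard-coded credential entirely (option B) removes the finding.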