I have a class in the code that does some sort of encryption, and to do so there is a hardcoded key in the code. After reviewing the code by a security expert, he raised this as an issue, highliting that keys should not be hardcoded in the code. Noting that this code resides on the server, I see no risk in having the secret code. From a security point of view is it really an issue? And if I want to remediate this, what can I do instead of a hardcoded key ? (other than using secret management solution)
Asked
Active
Viewed 12 times
0
-
"From a security point of view is it really an issue?" - this depends on how likely a compromise of the key is (i.e. someone hacking your server, checking in your code with the key somewhere, ...) and how much impact a compromise of the key has. - nothing of this is known. Just because the key is hardcoded in the code on the server neither means that it is safe nor that it is unsafe - but that's all you give as information. – Steffen Ullrich Aug 08 '23 at 15:12