ABSTRACT

Storing sensitive data in a String object makes it impossible to reliably purge the data from memory.

EXPLANATION

Sensitive data such as passwords can be recovered from process memory if it is not cleared after use. Strings are often used to hold such data, but because String objects are immutable there is no API that overwrites a String's contents: the value stays in memory until the garbage collector reclaims the object, and the JVM gives no guarantee as to when that happens (collection is typically triggered by memory pressure, not by the object becoming unreachable). Even when the object is collected, the collector does not zero the freed bytes; they simply remain until the memory is reused. A heap dump, core dump or swap file taken while the value is still resident, for example after an application crash, can therefore reveal the password.

Example 1: The following code converts a password from a character array to a String. JPasswordField.getPassword() deliberately returns a char[] so that the caller can overwrite it once it is no longer needed; copying it into a String creates an immutable duplicate that can never be cleared.


private JPasswordField pf;
...
// getPassword() returns a char[] precisely so that the caller can overwrite it
final char[] password = pf.getPassword();
...
// Immutable copy: nothing can clear it, it stays in the heap until the collector reclaims it
String passwordAsString = new String(password);
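The hardened form of Example 1 keeps the password as a char[] from input to use and overwrites every copy in a finally block. The following class is an added illustration, not code from the original page; it assumes the password is used to derive a PBKDF2 key with the standard javax.crypto API, and it uses constructed sample input (the String literals in main exist only to make the sample self-contained; in a real application the array would come straight from JPasswordField.getPassword() and would never pass through a String).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.spec.InvalidKeySpecException;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PasswordHandling {

    // Vulnerable pattern, as in Example 1: the String copy lives until the
    // collector reclaims it and there is no way to clear it from here.
    static byte[] deriveKeyViaString(char[] password, byte[] salt)
            throws NoSuchAlgorithmException, InvalidKeySpecException {
        String passwordAsString = new String(password);          // uncontrollable copy
        PBEKeySpec spec = new PBEKeySpec(passwordAsString.toCharArray(), salt, 310_000, 256);
        SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        return factory.generateSecret(spec).getEncoded();        // nothing is wiped
    }

    // Hardened pattern: the password never becomes a String, and both the
    // caller's array and PBEKeySpec's internal copy are zeroed when done.
    static byte[] deriveKey(char[] password, byte[] salt)
            throws NoSuchAlgorithmException, InvalidKeySpecException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 310_000, 256); // clones password internally
        try {
            SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return factory.generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();          // zeroes PBEKeySpec's private copy
            Arrays.fill(password, '\0');   // zeroes the array the caller handed us
        }
    }

    // Verifies a login attempt; the attempt is wiped inside deriveKey and the
    // derived keys are compared in constant time.
    static boolean verify(char[] attempt, byte[] salt, byte[] storedKey)
            throws NoSuchAlgorithmException, InvalidKeySpecException {
        byte[] candidate = deriveKey(attempt, salt);
        try {
            return MessageDigest.isEqual(candidate, storedKey);
        } finally {
            Arrays.fill(candidate, (byte) 0);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input. A real deployment uses a random per-user salt
        // and takes the char[] directly from JPasswordField.getPassword().
        byte[] salt = "0123456789abcdef".getBytes(StandardCharsets.US_ASCII);

        char[] enrolled = "correct horse battery staple".toCharArray();
        byte[] storedKey = deriveKey(enrolled, salt);
        System.out.println("enrolled array wiped: " + (enrolled[0] == '\0'));

        char[] attempt = "correct horse battery staple".toCharArray();
        System.out.println("login accepted: " + verify(attempt, salt, storedKey));
        System.out.println("attempt array wiped: " + (attempt[0] == '\0'));

        char[] wrong = "Tr0ub4dor&3".toCharArray();
        System.out.println("wrong password rejected: " + !verify(wrong, salt, storedKey));
    }
}
```

Two caveats apply to the hardened form. First, it shrinks the exposure window rather than closing it: a copying collector may relocate the array and leave a stale copy behind, the JIT may keep the value in registers or on the stack, and Swing itself keeps the field's text in its Document model. Second, any call that turns the char[] into a String or a byte[] (String.valueOf, new String, String.getBytes) silently reintroduces a copy you cannot clear, so the array should be passed only to APIs that accept char[] and offer a clear method, as PBEKeySpec does.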

REFERENCES

[1] Standards Mapping - OWASP Top 10 2010 - (OWASP 2010) A7 Insecure Cryptographic Storage

[2] Standards Mapping - OWASP Top 10 2007 - (OWASP 2007) A8 Insecure Cryptographic Storage

[3] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A8 Insecure Storage

[4] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3230.2 CAT II

[5] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 226

[6] Standards Mapping - FIPS200 - (FISMA) IA

[7] L. Gong, G. Ellison, and M. Dageforde, Inside Java 2 Platform Security: Architecture, API Design, and Implementation, 2nd ed. Addison-Wesley.

[8] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 3.4, Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4

[9] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 3.4, Requirement 6.5.3, Requirement 8.4

[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 3.4, Requirement 6.5.8, Requirement 8.4

[11] M. S. Ware, Writing Secure Java Code: Taxonomy of Heuristics and an Evaluation of Static Analysis Tools.