1

I'm part of a Java Spring Web app which should be very secure. So far, on test environment we're loading database username & password from a property file which lies on classpath. The password is encrypted with a key which we load from local file system.

My job is to find a better way(more secure one) using software tools only. I was thinking about supplying the db username and password on startup of webapp or smth like that(But still does not seem ok because the DB admin should be present on startup). Other than that I'm stuck.

What is the best way to deal with this issue?

braincell
  • 562
  • 1
  • 13
  • 26
  • http://docs.oracle.com/javase/6/docs/api/java/security/KeyStore.html try java's keystore. i've read a couple of times about it and i guess it might be helpful. i never used it though – tagtraeumer Nov 12 '12 at 15:10
  • If you do not want to store it on the same machine, you can always create a remote service from which you can read the credentials. You can access that service using an encrypted channel (say SSL). – ShyJ Nov 12 '12 at 15:19
  • Wouldn't the same consideration apply to the credentials for accessing the service and decrypting its response? – Patricia Shanahan Nov 12 '12 at 15:33
  • 1
    To think about this problem constructively, I think you have to be a lot more explicit about your constraints (e.g. what do you mean by "secure" and "software tools"?). What attacks you need to be safe from, and what tools do you have available? – Dave Syer Nov 12 '12 at 16:09

1 Answers1

0

You need to lock down the database so that only the app can talk to it with minimal creds as possible.

One way is restrict it so that only app servers private IP is only accepted. Make it so the database only listens to private (internal) network connections.

The password is a red herring.

Adam Gent
  • 47,843
  • 23
  • 153
  • 203