Use of empty passwords and use of HTTP #18
Comments
akondasif
changed the title
|
I also found instances where the HTTP protocol is used instead of HTTPS (HTTP with TLS). According to the Common Weakness Enumeration organization this is a security weakness (https://cwe.mitre.org/data/definitions/319.html). I was wondering why HTTP is used? Is it because of lack of tool support? I am trying to find out if developers are forced to adopt bad practices due to lack of tool support when it comes to the HTTPS protocol. Maybe it is due to dependency on a resource that uses HTTP? Any feedback is appreciated. Source: https://github.com/poolski/puppet-beats/blob/master/manifests/repo/yum.pp (Line 11) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Greetings,
I am a security researcher, who is looking for security smells in Puppet scripts. I noticed instances of empty passwords. Empty passwords increase the guessability of passwords. The Common Weakness Organization (CWE) identifies use of empty passwords as a security weakness (https://cwe.mitre.org/data/definitions/258.html).
I suggest that to follow the strong password guidelines, and manage passwords with hiera.
Any feedback is appreciated.
Source: https://github.com/poolski/puppet-beats/blob/master/manifests/outputs/elasticsearch.pp
The text was updated successfully, but these errors were encountered: