How to prevent heap inspection for password in ASP.NET?

Question

1.00/5 (2 votes)

See more:

I have a parameter with name string password
While scan using checkmarx the password keyword is found as heapInspection in
could you please suggest how to fix this

What I have tried:

SecureString password=new SecurePassword();

foreac(char c in ConfigPassword)
{
password.Add(c);
}
password.Dipose();

but the actual password is not getting is i use this?
Could you please sugegst better approach for this issue

Posted 4-Mar-21 22:34pm

Member 15090354

Updated 4-Mar-21 23:51pm

Add a Solution

Comments

Chris Copeland 5-Mar-21 5:02am

May I ask why you think this would be necessary? In theory an ASP.NET server would be running on a non-client machine, probably a server somewhere within the infrastructure of the business. Your application code shouldn't be exposed to users, only to administrators maintaining the software, who would probably have access to the password stored in a configuration file?

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

#realJSOP · Answer 1 · 2021-03-04T23:51:00

Solution 1

If the password is actually encrypted, you can mitigate the reported item by pointing that out.

You can probably skirt that reported issue entirely by calling it something other than "password". We use "TheP" to avoid problems from a similar scanning tool.

Posted 4-Mar-21 23:51pm

#realJSOP

v2