Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Revising 'Insecure Data Storage' Subcategories
See original GitHub issue‘Insecure Data Storage’ category seems to have some redundancy that could be eliminated:
Insecure Data Storage->Credentials Stored Unencrypted->On External Storage
Insecure Data Storage->Credentials Stored Unencrypted->On Internal Storage
Insecure Data Storage->Sensitive Application Data Stored Unencrypted->On External Storage
Insecure Data Storage->Sensitive Application Data Stored Unencrypted->On Internal Storage
‘Credentials Stored Unencrypted’ and ‘Sensitive Application Data Stored Unencrypted’ subcategories having identical variants could be replaced by ‘Secrets Stored Unencrypted’
Insecure Data Storage->Secrets Stored Unencrypted->On External Storage
Insecure Data Storage->Secrets Stored Unencrypted->On Internal Storage
In addition to that let’s look into Insecure Data Storage->Insecure Data Storage->Password (P2) as the classification and purpose of this entry seem to be unclear.
All feedback is welcome
Issue Analytics
- State:
- Created 6 years ago
- Comments:7 (3 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
“Secrets” is a pretty widely-used term in this context (at least in the infrastructure world when referring to things like passwords and various other bits of sensitive information passed to an application at runtime), so I’m personally ok with its usage here.
We distinguish internal(P5)/external(P4) storage based on how sensitive data can be accessed by a 3rd party e.g. a malicious app. Those specific entries do not relate well to web, server side being internal storage. Generally issues that require chaining are seen as best practices or low risk. In cases where we don’t have designated entries, issues are triaged at the ASE’s discretion. We do welcome any ideas for new entries/solutions though. We’ll make sure to discuss those internally. Outdated hashing algorithm or weak salts might be considered valid on a case by case basis, we also give the customers a chance to review best practices issues and consult the risk with the ASE.