Developing Applications and Automating Workflows Using Cisco Platforms (DEVASC) — Question 225
A developer pushes an application to production. The application receives a webhook over HTTPS without a secret. The webhook information contains credentials to a service in cleartext. When the information is received, it is stored in the database with an SHA-256 hash. Credentials to the database are accessed at runtime through the use of a vault service. While troubleshooting, the developer sets the logging to debug to view the message from the webhook. What is the security issue in this scenario?
Answer options
- A. Database credentials should be accessed by using environment variables defined at runtime.
- B. During the transport of webhook messages, the credentials could be unencrypted and leaked.
- C. During logging, debugging should be disabled for the webhook message.
- D. Hashing the credentials in the database is not secure enough; the credentials should be encrypted.
Correct answer: B
Explanation
The security issue arises from the potential exposure of cleartext credentials during the transport of webhook messages, making option B the correct answer. Options A and D, while relevant to best practices, do not directly address the immediate risk of unencrypted data transmission. Option C highlights a concern about logging sensitive information but does not tackle the root issue of credential exposure during transport.