How to address container manager password management findings

Question

My application (or microservice etc.) relies on the container manager to replace passwords when deployed to production but Fortify is flagging this as an issue. How do I address this?

Answer

To show that passwords used by an application are managed securely the following criteria must be met:

• Requirement: The developer will need to provide documentation[1] that attests:
  • The container hosting the application was instantiated using authorized[2] infrastructure configuration files, DevSecOps tool configuration scripts, and/or application run-time configuration scripts to ensure that the container data in question is protected from unauthorized access.
  • Required system security monitoring and system configuration monitoring is being performed to ensure that passwords used by an application running in a container are protected from unauthorized access.
• Requirement: Any sensitive data such as passwords or keys should be encrypted and managed using for example Kubernetes secrets functionality[3] [4]
  • Secrets must not be stored in container environment variables
  • The developer must identify the secrets management technology used

[1] There are no specific presentation or content requirements for the above attestation documentation, aside from addressing the specific technical concerns.

[2] The VA office or organizational entity that provided the authorization must be identified in the attestation.

[3] This particular notional example’s functionality may not be sufficient based on project or ATO needs.

[4] The specific solution used for secrets management must be identified in the attestation or in a readme file.