How to address container manager password management findings

Question

My application (or microservice etc.) relies on the container manager to replace passwords when deployed to production but Fortify/CodeQL/Snyk is flagging this as an issue. How do I address this?

Answer

To show that passwords used by an application are managed securely, the following criteria must be met:

  • Requirement: The developer will need to provide documentation[1] that attests:
    • The container hosting the application was instantiated using authorized[2] infrastructure configuration files, DevSecOps tool configuration scripts, and/or application run-time configuration scripts to ensure that the container data in question is protected from unauthorized access.
    • Required system security monitoring and system configuration monitoring is being performed to ensure that passwords used by an application running in a container are protected from unauthorized access.
  • Requirement: Any sensitive data such as passwords or keys must be encrypted and managed using, for example, Kubernetes Secrets functionality[3][4]
    • Secrets must not be stored in container environment variables
    • The developer must identify the secrets management technology used
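The following manifest is an added example, not part of the original answer, showing the pattern the second requirement describes: a Kubernetes Secret delivered to the container as a read-only mounted file, with the rejected environment-variable form left in as a comment for contrast. The namespace, names (app-db-credentials, billing-api), image and mount path are assumptions; the password value is a placeholder to be injected by the secrets management tool the team has identified, never committed to source control.

```yaml
# Added example (not the original page's code). Names, namespace, image and
# the mount path /run/secrets/db are assumed for illustration.
apiVersion: v1
kind: Secret
metadata:
  name: app-db-credentials
  namespace: billing
type: Opaque
stringData:                          # plaintext at authoring time; stored base64-encoded by the API server
  username: billing_svc
  password: REPLACE_ME_PLACEHOLDER   # placeholder; populated from the identified secrets manager at deploy time
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: billing-api
  namespace: billing
spec:
  replicas: 1
  selector:
    matchLabels:
      app: billing-api
  template:
    metadata:
      labels:
        app: billing-api
    spec:
      containers:
        - name: api
          image: registry.example.internal/billing-api:1.4.2   # assumed image reference
          # Rejected pattern (the one scanners flag): copying the secret into the
          # process environment, where it is visible to any process or log that
          # dumps the environment.
          # env:
          #   - name: DB_PASSWORD
          #     valueFrom:
          #       secretKeyRef:
          #         name: app-db-credentials
          #         key: password
          env:
            - name: DB_CREDENTIALS_DIR    # only the location is exposed, not the secret itself
              value: /run/secrets/db
          volumeMounts:
            - name: db-credentials        # files /run/secrets/db/username and /run/secrets/db/password
              mountPath: /run/secrets/db
              readOnly: true
      volumes:
        - name: db-credentials
          secret:
            secretName: app-db-credentials
            defaultMode: 0400             # owner read-only inside the container
```

The application reads the credentials from the two files under the mount path rather than from its environment; a quick check after rollout is `kubectl -n billing exec deploy/billing-api -- env`, which should list `DB_CREDENTIALS_DIR` but no password value. Two caveats fit footnote [3]: a Kubernetes Secret is base64-encoded, not encrypted, unless encryption at rest is configured on the API server, and RBAC on the `secrets` resource in the namespace should be restricted to the identities that genuinely need it, so the attestation should name the surrounding secrets management solution and not only the Secret object.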

[1] There are no specific presentation or content requirements for the above attestation documentation, aside from addressing the specific technical concerns.

[2] The VA office or organizational entity that provided the authorization must be identified in the attestation.

[3] This particular notional example’s functionality may not be sufficient based on project or ATO needs.

[4] The specific solution used for secrets management must be identified in the attestation or in a readme file.