The application must not contain embedded authentication data.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
high	V-222642	SRG-APP-000516	APSC-DV-003110	SV-222642r961863_rule	2025-02-12	6

Description
Authentication data stored in code could potentially be read and used by anonymous users to gain access to a backend database or application servers. This could lead to compromise of application data.

ℹ️ Check
Review the application documentation and any available source code; this includes configuration files such as global.asa, if present, scripts, HTML files, and any ASCII files. Identify any instances of passwords, certificates, or sensitive data included in code. If credentials were found, check the file permissions and ownership of the offending file. If access to the folder hosting the file is not restricted to the related application process and administrative users, this is a finding. The finding details should note specifically where the offending credentials or data were located and what resources they enabled.

ℹ️ Check

Review the application documentation and any available source code; this includes configuration files such as global.asa, if present, scripts, HTML files, and any ASCII files. Identify any instances of passwords, certificates, or sensitive data included in code. If credentials were found, check the file permissions and ownership of the offending file. If access to the folder hosting the file is not restricted to the related application process and administrative users, this is a finding. The finding details should note specifically where the offending credentials or data were located and what resources they enabled.

✔️ Fix
Remove embedded authentication data stored in code, configuration files, scripts, HTML file, or any ASCII files.