APP134: Database Password Protection in Storage
Does the application protect/encrypt database connection strings (i.e., passwords) in local storage?
Guidance: Database connection strings contain authentication data and, therefore, must be encrypted in storage. Both the encrypted connection strings and the encryption keys must be protected. To prevent connection strings from being decrypted and displayed in the clear, the function that decrypts them should not be a standalone utility. Instead, it should be embedded into or fully integrated within the application.
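One way to check this requirement during a review, as an added example that is not part of the original guidance: a Python scanner that flags configuration lines holding a cleartext database password and masks the secret in its own report. The placeholder conventions it accepts (${VAR}, %VAR%, ENC(...)) and the sample configuration are assumptions constructed for illustration.

```python
import re

# key=value form used by ADO.NET/ODBC strings and JDBC URL parameters
KV = re.compile(r"(?i)\b(?:password|pwd)\s*=\s*([^;&\"'\s]+)")
# URI form: scheme://user:password@host
URI = re.compile(r"(?i)[a-z][a-z0-9+.\-]*://[^\s:/@\"']+:([^\s@/\"']+)@")
# Assumed conventions for values that are not a stored cleartext secret:
# ${VAR} / %VAR% injected at runtime, ENC(...) marking ciphertext.
PLACEHOLDER = re.compile(r"^(?:\$\{[^}]+\}|%\w+%|ENC\(.+\))$")


def find_cleartext_passwords(text):
    """Return (line_no, redacted_line) for each line storing a cleartext password."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        spans = [m.span(1) for rx in (KV, URI) for m in rx.finditer(line)
                 if not PLACEHOLDER.match(m.group(1))]
        if not spans:
            continue
        # Mask right to left so earlier offsets stay valid; the report
        # itself must never show the secret in the clear.
        for start, end in sorted(spans, reverse=True):
            line = line[:start] + "****" + line[end:]
        findings.append((line_no, line.strip()))
    return findings


# Constructed sample configuration (hosts, names and secrets are made up).
SAMPLE = """\
<add name="orders" connectionString="Server=sql01;Database=orders;User Id=app;Password=Winter2024!;" />
DATABASE_URL=postgres://app:S3cretPw@db.example.internal:5432/orders
jdbc.url=jdbc:postgresql://db.example.internal:5432/orders
spring.datasource.password=ENC(q1w2e3r4t5==)
reporting.dsn=Driver={SQL Server};Server=sql02;Uid=rpt;Pwd=${RPT_DB_PASSWORD};
"""

if __name__ == "__main__":
    for line_no, redacted in find_cleartext_passwords(SAMPLE):
        print(f"line {line_no}: cleartext database password -> {redacted}")
```

A clean result only shows that no password sits in the clear in the scanned text; how the ciphertext and its key are protected still has to be reviewed separately.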