Fixing Connection String Exposed in String Analysis

When connection strings appear during string analysis of a .NET thick client, it's often due to
the way the application handles sensitive information, which can leave the connection string
exposed in the compiled binary. Here’s why this happens:

Hardcoded Strings in Code:

If the connection string is hardcoded directly into the application code (e.g., string connString
= "Server=myserver;Database=mydb;User Id=myuser;Password=mypassword";), it will be
embedded in the application binary. During compilation, the .NET runtime doesn't modify or
obfuscate these strings, so they remain intact in the resulting executable file. String analysis
tools or simple reverse engineering can retrieve them.

Lack of Encryption in Configuration Files:

Connection strings are often stored in configuration files, like App.config or appsettings.json. If
these files are not encrypted, any user with access to the machine or file can easily read the
connection strings in plain text.

Recommendations

Environment-Specific Configuration

Move Connection Strings to Config Files: Use environment-specific configuration files (e.g.,
appsettings.json for .NET Core or App.config for older .NET Framework versions) rather than
hardcoding connection strings within the application code. This reduces the risk of accidental
exposure through code.

Encryption of Configuration Files

Encrypt Configuration Sections: Use .NET's built-in tools like ProtectedConfigurationProvider

to encrypt sensitive sections within the configuration file. For example:

aspnet_regiis -pef "connectionStrings" path\to\configFile

This approach works well in scenarios where the application runs on trusted machines with a
known decryption key.

Using Secure Vaults or Secrets Management

Store Secrets in a Secure Vault: Use a secrets management solution like Azure Key Vault,
AWS Secrets Manager, or HashiCorp Vault to manage and retrieve connection strings securely.
The application can retrieve these at runtime without storing them directly.

Configuration of Secure Access: Set up role-based access control (RBAC) or managed

identities to ensure only authorized users or systems can retrieve these secrets.
Application-Level Encryption for In-Memory Strings

Encrypt Sensitive Information in Memory: For further security, implement in-memory

encryption/decryption routines to handle connection strings and other sensitive data within
the application. This minimizes exposure to memory-dumping attacks.

SecureString Class Usage: Where possible, use SecureString in .NET, which provides better
in-memory protection for sensitive strings.