A software development team is conducting functional and user acceptance testing of internally developed web applications using a COTS solution. For automated testing, the solution uses valid user credentials from the enterprise directory to authenticate to each application. The solution stores the username in plain text and the corresponding password as an encoded string in a script within a file, located on a globally accessible network share. The account credentials used belong to the development team lead.

To reduce the risks associated with this scenario while minimizing disruption to ongoing testing, which of the following are the BEST actions to take? (Choose two.)

A. Restrict access to the network share by adding a group only for developers to the share's ACL
B. Implement a new COTS solution that does not use hard-coded credentials and integrates with directory services
C. Obfuscate the username within the script file with encoding to prevent easy identification and the account used
D. Provision a new user account within the enterprise directory and enable its use for authentication to the target applications. Share the username and password with all developers for use in their individual scripts
E. Redesign the web applications to accept single-use, local account credentials for authentication

Final answer:

To minimize risks, the software development team should restrict access to the network share with the ACL, and provision a separate testing account with limited permissions to replace the use of the lead developer's credentials.

Step-by-step explanation:

The scenario you’ve described involves a software development team conducting functional and user acceptance testing for web applications, using a Commercial Off-The-Shelf (COTS) solution with hard-coded credentials. To minimize risk while continuing testing effectively, you should consider two approaches:

1. Restrict access to the network share by modifying the Access Control List (ACL) to include only a specific group of individuals who need access to the test scripts, like developers.
2. Create and provision a dedicated test user account that has the minimum necessary permissions to perform the testing actions. This account should not be a lead developer’s account or have extensive access rights within the enterprise directory.

It is essential to avoid using personal user credentials for automated testing and instead use an account designated for testing purposes. Additionally, since the username is less sensitive than the password, obfuscating the username is not as critical as protecting the password; therefore, encoding the username is not a recommended approach. Integrating testing with directory services might be a long-term solution but would not be considered a minimally disruptive action in the short term. Furthermore, redesigning web applications to accept single-use credentials offers higher security but may also be disruptive and time-consuming. Hence, the best actions are to restrict network share access and provision a new test user account.

Answered by User Hayal (7.5k points)
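As an added illustration (not code from the question or from the answer above), the following script shows the two halves of the risk discussed: an audit helper that flags the pattern of a password stored as an encoded literal in a script, and the hardened pattern of a test script that takes a dedicated test account from its environment (populated by a secret store) and refuses to run with a personal account. The script snippets, the account names, the `UAT_TEST_USER`/`UAT_TEST_PASSWORD` variable names and the `svc-` naming convention are all constructed assumptions for this example.

```python
"""
Added example (not part of the original question or answer): detect
hard-coded credentials in test scripts and show the hardened alternative.
All snippets, account names, variable names and the 'svc-' convention
below are constructed assumptions.
"""
import base64
import re

# Constructed sample of the risky pattern from the scenario: username in
# clear text, password as a base64 literal.  Encoding is reversible, so it
# gives no confidentiality at all.
RISKY_SCRIPT = '''USERNAME = "dev.lead"
PASSWORD_ENC = "UEBzc3cwcmQh"
login(USERNAME, base64.b64decode(PASSWORD_ENC).decode())'''

# Constructed hardened sample: the file itself contains no secret material.
HARDENED_SCRIPT = '''USERNAME, PASSWORD = load_test_credentials(os.environ)
login(USERNAME, PASSWORD)'''

# A quoted literal assigned to a variable whose name suggests a secret.
SECRET_ASSIGN = re.compile(
    r'''(?i)\b((?:password|passwd|pwd|secret|token)\w*)\s*=\s*["']([^"']+)["']''')
# Shape of a base64 string of at least 8 characters (a coarse heuristic).
B64_SHAPE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")

# Constructed naming convention: dedicated test accounts start with 'svc-'.
DEDICATED_PREFIX = "svc-"


def classify_value(value: str) -> str:
    """Say whether a literal is plain text or merely a reversible encoding."""
    if B64_SHAPE.match(value):
        try:
            base64.b64decode(value, validate=True)  # validate only, never print
            return "base64 (reversible encoding, not encryption)"
        except ValueError:
            pass
    return "plain text"


def find_hardcoded_secrets(source: str) -> list[dict]:
    """Return one finding per line that assigns a literal to a secret-like name."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        match = SECRET_ASSIGN.search(line)
        if match:
            findings.append({
                "line": lineno,
                "name": match.group(1),
                "kind": classify_value(match.group(2)),
            })
    return findings


def load_test_credentials(env) -> tuple[str, str]:
    """Take the dedicated test account from the environment (or from the
    secret store that fills it).  A personal account is refused, so a script
    cannot quietly fall back to the team lead's credentials."""
    try:
        user, password = env["UAT_TEST_USER"], env["UAT_TEST_PASSWORD"]
    except KeyError as exc:
        raise RuntimeError(
            f"{exc.args[0]} is not set; inject it from the secret store") from None
    if not user.startswith(DEDICATED_PREFIX):
        raise PermissionError(f"{user!r} is not a dedicated test account")
    return user, password


if __name__ == "__main__":
    for label, script in (("risky", RISKY_SCRIPT), ("hardened", HARDENED_SCRIPT)):
        print(f"{label}: {find_hardcoded_secrets(script) or 'no hard-coded secrets'}")
    fake_env = {"UAT_TEST_USER": "svc-uat-webapps", "UAT_TEST_PASSWORD": "<from store>"}
    print("loaded account:", load_test_credentials(fake_env)[0])
```

Running the audit over a share of test scripts gives the detection side of the answer's first action: the finding names the file line and says whether the value is plain text or only encoded. `load_test_credentials` is the shape of the answer's second action; the share ACL still needs restricting, since the hardened script no longer holds a secret but the account name in it should not be public either.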