Page 10 of
Custom FxCop Rule - Do not store passwords in variables in code
It is not secure to store security credentials such as user IDs or passwords in
code, especially in constants or literals, because their values can be recovered by
inspecting an assembly's intermediate language (IL). There is no definitive way to
know whether security credentials are stored in source code, but we can infer it by
looking at the names of the variables and constants used.
If you create a small VB or C# program with a few local or module-level
variables or literals, build it, then look at the IL, you can plainly see
the names of the variables. The following FxCop rule does just this: FxCop calls
the rule's Check method for each method, and the rule inspects the method's
LocalList of variables. If any of them contain the word 'user' or 'password' in
their name, we infer that they hold sensitive data. This is no guarantee, however,
which is why the rule's certainty level is set lower.
C# code for custom FxCop rule:
using Microsoft.FxCop.Sdk;

// Enforces the rule of not storing database credentials in module
// level or local fields. This rule looks for variables and constants
// that contain the word "user" or "password".
// Because the rule doesn't discern how these fields are used, the
// rule's certainty is set to a lower value.
// BaseMigrationIntrospectionRule is the project's own base class (presumably
// built on FxCop's BaseIntrospectionRule); it is not part of the FxCop SDK.
public class DoNotKeepDBCredentialsInVariables : BaseMigrationIntrospectionRule
{
    public DoNotKeepDBCredentialsInVariables() : base("DoNotKeepDBCredentialsInVariables") { }

    public override ProblemCollection Check(Member member)
    {
        // Check Member Variables (fields, including constants/literals).
        Field field = member as Field;
        if (field != null && ContainsUserOrPasswordInName(field.Name.Name))
        {
            // Found an offending member variable.
            Problems.Add(new Problem(GetResolution(), field));
        }

        // Look at local variables.
        Method method = member as Method;
        if (method == null)
            return Problems;

        // FxCop carries a method's locals as the LocalList value of its first instruction.
        LocalList list = null;
        if (method.Instructions.Length > 0)
            list = method.Instructions[0].Value as LocalList;

        if (list != null)
        {
            for (int i = 0; i < list.Length; i++)
            {
                Local local = list[i];
                if (local != null && ContainsUserOrPasswordInName(local.Name.Name))
                    Problems.Add(new Problem(GetResolution(), local)); // Found an offending local variable.
            }
        }
        return Problems;
    }

    private bool ContainsUserOrPasswordInName(string variableName)
    {
        variableName = variableName.ToUpper();
        return variableName.Contains("USER") || variableName.Contains("PASSWORD");
    }
}
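As an added illustration of the name-based inference the rule relies on (this is not code from the original article or its FxCop rule), the following Python script applies the same 'user'/'password' heuristic to a constructed ildasm-style dump; `SAMPLE_IL`, `scan_il` and `contains_user_or_password` are names chosen here. It also shows why the certainty is set low: `userCount` is flagged alongside `userName` and `DbPassword`.

```python
import re

# Constructed ildasm-style text (not a real assembly dump): one literal field,
# one ordinary field, and a method whose .locals block carries variable names.
# Caveat: ildasm prints local names only when the matching .pdb is available;
# without symbols locals appear as V_0, V_1, ... and name inference is impossible.
SAMPLE_IL = """
.class private auto ansi beforefieldinit Repo extends [mscorlib]System.Object
{
  .field private static literal string DbPassword = "constructed-sample"
  .field private string connectionString
  .method public hidebysig instance void Connect() cil managed
  {
    .maxstack 2
    .locals init ([0] string userName,
                  [1] int32 userCount,
                  [2] class [mscorlib]System.Object retryPolicy)
    ret
  }
}
"""

KEYWORDS = ("USER", "PASSWORD")


def contains_user_or_password(name):
    """Same case-insensitive substring test the FxCop rule uses."""
    upper = name.upper()
    return any(k in upper for k in KEYWORDS)


def scan_il(text):
    """Return (kind, name) pairs for fields and locals whose names look credential-like."""
    findings = []
    for line in text.splitlines():
        s = line.strip()
        if s.startswith(".field"):
            # Drop any "= <initializer>" tail; the field name is the last token left.
            name = s.split("=", 1)[0].split()[-1]
            if contains_user_or_password(name):
                findings.append(("field", name))
    # Each ".locals init ( ... )" block lists "[idx] <type> <name>" entries, comma-separated.
    for block in re.finditer(r"\.locals\s+init\s*\((.*?)\)", text, re.S):
        for entry in block.group(1).split(","):
            name = entry.split()[-1]  # type tokens may contain brackets/dots; name is last
            if contains_user_or_password(name):
                findings.append(("local", name))
    return findings


if __name__ == "__main__":
    for kind, name in scan_il(SAMPLE_IL):
        print(f"{kind}: {name}")
```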
Rule definition in the XML rules file:
<Rule TypeName="DoNotKeepDBCredentialsInVariables" Category="CATEGORY-NOT-GIVEN-ON-PAGE" CheckId="CHECKID-NOT-GIVEN-ON-PAGE">
  <Name>Do not store security credentials in variables</Name>
  <Description>Do not store security credentials in module level or local variables</Description>
  <Resolution>Do not store security credentials in module level or local variables. Variables with the word 'user' or 'password' in their name have been found. It is not secure to store credential information in variables.</Resolution>
  <!-- The page does not give the Category, CheckId or the lowered certainty value;
       the latter belongs in the Certainty attribute of this rule's MessageLevel element. -->
</Rule>