Hardcoded IP addresses in source code disclose network details and make it easier for an attacker to map the application's infrastructure.
For example, directly specifying the SSH server address creates a potential vulnerability:
    import java.io.IOException;
    import java.net.Socket;

    public static final String SSH_SERVER_ADDRESS = "117.107.58.59";

    void connect() throws IOException {
      Socket socket = new Socket(SSH_SERVER_ADDRESS, 22);
      // ....
    }
Once this code becomes public or falls into an attacker's hands, the internal infrastructure is no longer confidential.
This approach also binds the application to one specific environment, which makes it harder to configure and update.
Use external sources for secure storage of confidential parameters. For example, environment variables:
    import java.io.IOException;
    import java.net.Socket;

    public static final String SSH_SERVER_ADDRESS = System.getenv("MYAPP.SSH_SERVER_ADDRESS");

    void connect() throws IOException {
      Socket socket = new Socket(SSH_SERVER_ADDRESS, 22);
      // ....
    }
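A minimal checker in the spirit of this diagnostic, added here as an illustration (it is not PVS-Studio's implementation): it reports routable IPv4 literals found inside string literals and skips loopback and unspecified addresses, the obvious non-findings. The sample source it scans is constructed for the example.

```python
import ipaddress
import re

# A Java/C-style double-quoted string literal (handles escaped quotes).
STRING_LITERAL = re.compile(r'"([^"\\]*(?:\\.[^"\\]*)*)"')
# Four dot-separated groups of 1-3 digits; range checking is left to ipaddress.
IPV4_CANDIDATE = re.compile(r'\b(\d{1,3}(?:\.\d{1,3}){3})\b')


def is_reportable(text):
    """Return the normalised address if text is an IPv4 literal worth
    reporting, else None. Loopback and 0.0.0.0 carry no infrastructure
    information; private ranges ARE reported, since internal addresses
    are exactly what a hardcoded value leaks."""
    try:
        addr = ipaddress.IPv4Address(text)
    except ValueError:
        return None  # e.g. "256.1.1.1": looks like an address but is not one
    if addr.is_loopback or addr.is_unspecified:
        return None
    return str(addr)


def find_hardcoded_ips(source):
    """Scan source text; return [(line_number, address), ...] for each
    reportable IPv4 literal embedded in a string literal. Note that a
    plausible four-part version string inside a string literal would
    also be reported; that is a known limitation of this simple check."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for literal in STRING_LITERAL.finditer(line):
            for cand in IPV4_CANDIDATE.finditer(literal.group(1)):
                addr = is_reportable(cand.group(1))
                if addr is not None:
                    findings.append((lineno, addr))
    return findings


# Constructed sample: the page's address, plus lines that must not be reported.
SAMPLE = '''\
public static final String SSH_SERVER_ADDRESS = "117.107.58.59";
private static final String LOCAL = "127.0.0.1";         // loopback: skipped
private static final String ANY = "0.0.0.0";             // unspecified: skipped
private static final String BAD = "256.1.1.1";           // not an address: skipped
String addr = System.getenv("MYAPP.SSH_SERVER_ADDRESS"); // externalised: nothing to report
'''

if __name__ == "__main__":
    for lineno, addr in find_hardcoded_ips(SAMPLE):
        print(f"line {lineno}: hardcoded IP address {addr}")
```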
This diagnostic is classified as: