This weakness occurs when software initializes variables or data structures using hard-coded values (like strings, file paths, or network addresses) instead of configurable constants or parameters. While simple numbers or true constants are acceptable, embedding non-trivial literals directly in code creates maintenance and security risks.
Hard-coding values like database connection strings, API endpoints, cryptographic salts, or directory paths makes code rigid and difficult to update. When these values need to change (for instance, during deployment to a new environment or in response to a security incident), developers must search through and modify the source code directly, which is error-prone and time-consuming. This practice violates the principle of separating configuration from code.

From a security perspective, this rigidity slows down vulnerability remediation and increases the chance of mistakes. If a hard-coded credential or insecure URL needs to be fixed, the change requires a full code modification and redeployment rather than a simple configuration update, which extends the window of exposure. Furthermore, the scattered, opaque nature of hard-coded values makes security reviews and audits more difficult, potentially allowing vulnerabilities to go unnoticed.
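The contrast described above, as an added example that is not part of the original entry: a class that initializes itself from hard-coded connection, endpoint and path literals, the same service rebuilt to take validated configuration from the environment, and a small review aid that flags the suspect literal assignments. All names, environment variables and literal values are constructed for the example.

```python
import os
import re
from dataclasses import dataclass

# --- Weak form: non-trivial literals baked into the initializer (constructed values) ---
class LegacyService:
    def __init__(self):
        # Rotating the password or moving the host means editing source and redeploying.
        self.db_url = "postgres://app:s3cret@db.internal:5432/prod"
        self.api_endpoint = "https://api.example.invalid/v1"
        self.upload_dir = "/var/app/uploads"
        self.max_retries = 3  # a plain number like this is fine; it is not the weakness

# --- Hardened form: values supplied by the environment, validated, absent from source ---
@dataclass(frozen=True)
class ServiceConfig:
    db_url: str
    api_endpoint: str
    upload_dir: str

REQUIRED = ("APP_DB_URL", "APP_API_ENDPOINT", "APP_UPLOAD_DIR")  # hypothetical variable names

def load_config(env=None) -> ServiceConfig:
    """Build the config from a mapping (defaults to os.environ); fail closed if incomplete."""
    env = os.environ if env is None else env
    missing = [k for k in REQUIRED if not env.get(k)]
    if missing:
        raise RuntimeError("missing required configuration: " + ", ".join(missing))
    if not env["APP_API_ENDPOINT"].startswith("https://"):
        raise ValueError("APP_API_ENDPOINT must be an https URL")
    return ServiceConfig(env["APP_DB_URL"], env["APP_API_ENDPOINT"], env["APP_UPLOAD_DIR"])

# --- Review aid: flag assignments whose string literal looks like a URL, connection
# string or absolute path, i.e. the kind of non-trivial literal this weakness is about ---
SUSPECT = re.compile(r"""^\s*[\w.]+\s*=\s*["']((?:[a-z][a-z0-9+.\-]*://|/)[^"']+)["']""", re.I)

def find_hardcoded_literals(source: str):
    """Return (line number, literal) pairs for lines that initialize a name from a suspect literal."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = SUSPECT.match(line)
        if m:
            hits.append((lineno, m.group(1)))
    return hits

if __name__ == "__main__":
    import inspect
    for lineno, literal in find_hardcoded_literals(inspect.getsource(LegacyService)):
        print(f"line {lineno}: hard-coded literal {literal!r}")
```

The scanner is deliberately narrow (assignment lines only) so it is cheap to run in review; it is a triage aid, not a substitute for reading the initializers.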
Impact: Reduce Maintainability