A development team is implementing secure coding practices. Which of the following represents the MOST serious security flaw that should be addressed immediately?
Insufficient input validation on a user registration form
Lack of proper error handling in a file upload feature
Using HTTP instead of HTTPS for the application's admin portal
Hard-coded credentials in the application source code
The most serious flaw is hard-coded credentials in the application source code, because credentials embedded in source code can be discovered by anyone with repository access, by decompiling the shipped binary, or through a leak of the code. They give an attacker privileged access that is difficult to rotate or revoke, especially when the credentials are distributed with the application. In addition, hard-coded credentials often violate the principle of least privilege and tend to persist unchanged across multiple environments.
Insufficient input validation is a serious issue that can lead to various attacks like SQL injection or XSS, but it typically requires an active exploitation attempt and can be mitigated through proper validation implementation. It's less severe than exposing credentials directly in the code.
**Lack of proper error handling** may leak sensitive information but typically doesn't directly grant access to the attacker. While important to fix, it generally presents less immediate risk than exposed credentials.
Using HTTP instead of HTTPS for an admin portal is a significant issue that could expose credentials during transmission, but it still requires an attacker to intercept the traffic in a man-in-the-middle scenario. Hard-coded credentials are more readily accessible to anyone who can view the source code.
ISC2 CISSP
Software Development Security