# 200-901 — Question 428

**Type:** multiple_choice
**Topics:** topic_1

## Question

A developer pushes an application to production. The application receives a webhook over HTTPS without a secret. The webhook information contains credentials to a service in cleartext. When the information is received, it is stored in the database with an SHA-256 hash. Credentials to the database are accessed at runtime through the use of a vault service. While troubleshooting, the developer sets the logging to debug to view the message from the webhook. What is the security issue in this scenario?

## Correct Answer

_See scenario._

## Explanation

Selected Answer: B
This is tricky. It seems that all aspects of security are valid until debugging happens. When the webhook is sent, even though the creds are in plain text in the data payload, the transmission is encrypted with HTTPS. Then those creds are stored with a secure hash. Then they're accessed with a vault service. The only insecure part is the debugging. When the debugging happens, you can see the user/pass in the debugging logs. Technically, that makes B correct, as the logging is done after the HTTPS is decrypted, but it also makes C correct. However, the question asks what the issue is, not what the solution is. Answer C is a solution, not the issue, so I'm going with B.

**Reference:** examtopics_top_comment

---
Source: https://hiexam.net/q/cisco/200-901/428  