The security issue when use C# in SSIS Script Task

Question

I use C# in SSIS Script Task to read SQL server database and then send out JSON to WEB API via HTTP request. So the C# should open database. I use below connection string in the C#

SqlConnection cn = new SqlConnection("server=xxxx;Initial Catalog=xxxx;User ID=abc;Password=abc");

The username password are hard-coded in C#. And the database username password may be changed by admin when I give the whole SSIS project to him to do go-live. I want to know what is the best practice to save this kind of sensitive information. The requirement is that nobody (except admin) should know the username password in Production.

I know in SSIS, we can use project parameters to save some values. But if I save the password as project parameters, people who can see the SSISDB can see the parameter values. So is it better to ask admin to go into the Script Task to change the username password in the C# code?

Answer 1

My suggestion would be to look at the Package Configurations in SSIS.

SQL Server Integration Services provides package configurations that you can use to update the values of properties at run time.

Also, as explained in the Notes above, depending on your deployment model, you can look at Parameters

Configurations are available for the package deployment model.

Parameters are used in place of configurations for the project deployment model.

This provides flexibility in changing the values at run time.

Answer 2

First you can use Obfuscation to protect your code and sensitive information.

Second, don't ever store your database password / username in the final product !!! You can easily create an API that can access to the database and make API calls from your application without storing the password in the product.

Simple example: https://medium.com/voobans-tech-stories/how-to-quickly-create-a-simple-rest-api-for-sql-server-database-7ddb595f751a