I have an application that has an image upload feature; the images are stored on a third-party service which is basically an SFTP server. The credentials for accessing this storage were initially hard-coded in the Java service class itself, and to secure it, I am planning to keep the SFTP server credentials in a password vault (CyberArk) and then retrieve the credential programmatically (when the application starts up) using the CyberArk REST API and certificate auth method. After retrieving the credentials from the vault, I plan to keep the password in memory and use it for subsequent communication with the SFTP server. Is this the correct approach? Or will this still be a security risk?
Note1: this is a Java Struts2 application and deployed as a war on JBoss server.
Note2: I read in some places that it's safer to use a char array instead of a string to store a password, but I am not sure if that is enough.
If someone has access to perform a memory dump (java heap dump or OS-level dump) they can get the password. This is true if you store it as a string and if you store it as a character array.
A character array is better because you can clear the data (set the characters in the array to 0 or some other value) when you are done with it to get rid of the sensitive values. However, if you have obtained the password with a REST call there may well be a string with it somewhere already, so this may just provide a false sense of security.
On the other hand, if someone can dump your memory to get the cached password, they can probably obtain the credentials for calling the CyberArk API as well. So you may be better served focusing on locking down the server and keeping the password cached. Your call, really.
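To make the char-array point from the answer concrete, here is an added example (written for this page, not code from the question's application or from CyberArk's SDK). It decodes the raw bytes of a vault response into a `char[]`, pulls the password field out without ever creating a `String` for it, wipes every intermediate buffer, and zeroes the password on `close()`. The JSON layout, the field name `Content`, the response body and the `sftpSession.setPassword` call are all assumptions made for the illustration.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

/**
 * Keeps a retrieved password in a char[] and zeroes it on close().
 * Illustrative code written for this answer; it is not CyberArk's SDK and the
 * JSON field handling is a minimal stand-in for whatever your client returns.
 */
public final class SecretHolder implements AutoCloseable {
    private final char[] secret;

    private SecretHolder(char[] secret) {
        this.secret = secret;
    }

    /**
     * Decode a raw UTF-8 response body into chars and pull out one field value,
     * without materialising the body or the password as a String.
     * The byte[] and every intermediate char[] are wiped before returning.
     */
    public static SecretHolder fromJsonBytes(byte[] body, String field) {
        CharBuffer decoded = StandardCharsets.UTF_8.decode(ByteBuffer.wrap(body));
        char[] json = new char[decoded.remaining()];
        decoded.get(json);
        try {
            return new SecretHolder(extractStringField(json, field));
        } finally {
            Arrays.fill(json, '\0');                // the whole body held the password too
            if (decoded.hasArray()) {
                Arrays.fill(decoded.array(), '\0'); // the decoder's backing array
            }
            Arrays.fill(body, (byte) 0);            // the caller's raw bytes
        }
    }

    /**
     * Minimal scan for "field":"value". Assumption: flat JSON with no spaces
     * around the colon; escaped quotes are skipped but not unescaped.
     */
    static char[] extractStringField(char[] json, String field) {
        String marker = "\"" + field + "\":\"";     // the field name itself is not secret
        int start = indexOf(json, marker.toCharArray());
        if (start < 0) throw new IllegalStateException("field not found: " + field);
        start += marker.length();
        int end = start;
        while (end < json.length && json[end] != '"') {
            if (json[end] == '\\') end++;           // step over the escaped character
            end++;
        }
        if (end >= json.length) throw new IllegalStateException("unterminated value");
        return Arrays.copyOfRange(json, start, end);
    }

    private static int indexOf(char[] hay, char[] needle) {
        outer:
        for (int i = 0; i + needle.length <= hay.length; i++) {
            for (int j = 0; j < needle.length; j++) {
                if (hay[i + j] != needle[j]) continue outer;
            }
            return i;
        }
        return -1;
    }

    /** Hand the password to a client that takes bytes; the caller must wipe the result. */
    public byte[] asUtf8Bytes() {
        ByteBuffer buf = StandardCharsets.UTF_8.encode(CharBuffer.wrap(secret));
        byte[] out = new byte[buf.remaining()];
        buf.get(out);
        if (buf.hasArray()) Arrays.fill(buf.array(), (byte) 0);
        return out;
    }

    @Override
    public void close() {
        Arrays.fill(secret, '\0');                  // plaintext no longer lingers until GC
    }

    /** Demonstration with a constructed response body (not a real vault reply). */
    public static void main(String[] args) {
        byte[] body = "{\"UserName\":\"sftp-svc\",\"Content\":\"s3cr3t-pw\"}"
                .getBytes(StandardCharsets.UTF_8);
        try (SecretHolder pw = SecretHolder.fromJsonBytes(body, "Content")) {
            byte[] forClient = pw.asUtf8Bytes();
            try {
                // e.g. sftpSession.setPassword(forClient); hypothetical client call
                System.out.println("password length: " + forClient.length);
            } finally {
                Arrays.fill(forClient, (byte) 0);   // the client's copy is wiped too
            }
        }
        // At this point body, the decoded buffers and pw's char[] are all zeros.
    }
}
```

The caveat in the answer still applies: this only helps if the HTTP client you use to call the vault gives you the response as bytes. If it has already buffered the body as a `String`, or your SFTP library only accepts a `String` password, an immutable copy of the plaintext exists in the heap regardless of what you do here, and the effort is better spent on restricting who can take a heap or process dump of the JBoss host.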