What are Cryptographic Failures
Cryptographic Failures, also known as lack of cryptography, lead to exposure of sensitive data. Notable Weakness Enumerations included are CWE-259: Use of Hard-coded Password, CWE-237: Broken or Risky Crypto Algorithm, and CWE-331: Insufficient Entropy.
First of all, we need to determine what data need protection: for instance, passwords, credit card numbers, health records, personal information, and business secrets. All these data need an extra layer of security.
Here are the most important things to consider:
Do not send data in clear text. Avoid plaintext protocols such as HTTP, SMTP, and FTP; they have to be used with TLS protection. Pay attention to internal traffic between load balancers, web servers, or back-end systems.
Ensure that your applications don’t use any old or weak cryptographic protocols.
Generate strong cryptographic keys and avoid reusing them. Implement proper key management and rotation. Crypto keys shouldn’t be stored in code repositories.
Properly validate the server certificate and the trust chain.
Use passwords only where cryptographic keys cannot be used.
Do not use weak hash functions such as MD5 or SHA1.
How to prevent Cryptographic Failures
This list of recommendations is a minimum requirement.
All data processed, stored, or transmitted by the application have to be classified. Distinguish sensitive data according to privacy laws, regulatory requirements, or business needs.
Minimize sensitive data. Discard unnecessary data or use PCI DSS-compliant tokenization.
Use only up-to-date and strong standard algorithms and protocols.
Encrypt all data in transit by using TLS protocols. Enforce encryption using HTTP Strict Transport Security (HSTS).
Do not cache responses containing sensitive data.
Store passwords using strong, adaptive, salted hashing functions, for instance scrypt, bcrypt, or Argon2.
In cases where Initialization Vectors are used, generate them with a cryptographically secure pseudo-random number generator (CSPRNG).
Always use authenticated encryption instead of just encryption.
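The two recommendations above (CSPRNG-generated IVs and authenticated encryption) are illustrated together in the following added example; it is not code from the original article and it assumes the third-party `cryptography` package is installed. The AES-GCM helpers draw a fresh 96-bit nonce from `secrets` for every message and prepend it to the ciphertext, and decryption returns `None` when the authentication tag does not verify. For contrast, a CBC helper with no MAC shows why the page says "authenticated encryption instead of just encryption": a modified ciphertext decrypts without any error, so the application has no way to notice the corruption.

```python
import secrets

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_BYTES = 12  # 96-bit nonce, the standard size for AES-GCM
BLOCK_BYTES = 16  # AES block size, used by the CBC contrast below


def generate_key() -> bytes:
    """256-bit key from the library's CSPRNG (keys must never live in source code)."""
    return AESGCM.generate_key(bit_length=256)


def aead_encrypt(key: bytes, plaintext: bytes, associated_data: bytes = b"") -> bytes:
    """AES-GCM: confidentiality plus integrity. Output is nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_BYTES)  # CSPRNG; a nonce must never repeat under one key
    ciphertext = AESGCM(key).encrypt(nonce, plaintext, associated_data)
    return nonce + ciphertext


def aead_decrypt(key: bytes, blob: bytes, associated_data: bytes = b""):
    """Return the plaintext, or None if the tag (or associated data) does not verify."""
    nonce, ciphertext = blob[:NONCE_BYTES], blob[NONCE_BYTES:]
    try:
        return AESGCM(key).decrypt(nonce, ciphertext, associated_data)
    except InvalidTag:
        return None


def cbc_encrypt_no_mac(key: bytes, plaintext: bytes) -> bytes:
    """'Just encryption': AES-CBC with a random IV but no authentication."""
    iv = secrets.token_bytes(BLOCK_BYTES)
    padder = padding.PKCS7(128).padder()
    padded = padder.update(plaintext) + padder.finalize()
    encryptor = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    return iv + encryptor.update(padded) + encryptor.finalize()


def cbc_decrypt_no_mac(key: bytes, blob: bytes) -> bytes:
    """Decrypts whatever it is given; it cannot tell modified from genuine ciphertext."""
    iv, ciphertext = blob[:BLOCK_BYTES], blob[BLOCK_BYTES:]
    decryptor = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = decryptor.update(ciphertext) + decryptor.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    return unpadder.update(padded) + unpadder.finalize()


def flip_one_bit(blob: bytes, index: int) -> bytes:
    """Simulate in-transit corruption or tampering of a single bit."""
    buf = bytearray(blob)
    buf[index] ^= 0x01
    return bytes(buf)


if __name__ == "__main__":
    key = generate_key()
    message = b"account=1234;amount=10"  # constructed sample message
    blob = aead_encrypt(key, message, b"v1")
    print("AEAD round trip:", aead_decrypt(key, blob, b"v1"))
    print("AEAD after bit flip:", aead_decrypt(key, flip_one_bit(blob, NONCE_BYTES), b"v1"))
    cbc_blob = cbc_encrypt_no_mac(key, b"A" * 32)
    print("CBC after bit flip in IV:", cbc_decrypt_no_mac(key, flip_one_bit(cbc_blob, 0)))
```

Note the asymmetry: the AEAD decrypt call fails closed on any change to the nonce, ciphertext, tag, or associated data, while the CBC-only decrypt happily returns altered plaintext. In CBC, flipping a bit in the IV flips the same bit in the first plaintext block and nothing else, so the output still unpads cleanly and looks valid.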
Do not use deprecated cryptographic functions and padding schemes, for instance MD5, SHA1, or PKCS#1 v1.5.
For more information visit the OWASP Top 10 website.