OWASP Topic — Cryptographic Failures

  • Writer: Jen C
  • 7 days ago
  • 2 min read

“Shifting up one position to #2, previously known as Sensitive Data Exposure, which is more of a broad symptom rather than a root cause, the focus is on failures related to cryptography (or lack thereof). Which often lead to exposure of sensitive data.”


Cleopatra is making an online purchase of a new sheath dress

When I think of cryptographic failures, my mind immediately pictures Cleopatra on her laptop. Close enough, right? For what it’s worth, cryptology really does originate from ancient Egypt. What is a cryptographic failure in the context of cybersecurity?


There are several possible scenarios that could unfold.

Credit card numbers are ideally encrypted in a database; we should never be able to see them in clear text. A SQL injection flaw could display that information as clear as day. This data is considered at rest. It doesn’t have to be only credit card numbers; it could be passwords or other sensitive information. Either way, not good!


An attacker could hijack this information from a user if the site doesn’t enforce a Transport Layer Security (TLS) certificate (affectionately known as SSL or a digital certificate). This data is considered in transit. These certificates ensure that sensitive information is encrypted by a cryptographic algorithm, rendering it unreadable to anyone intercepting it. These certificates should be enforced, validated, and not reused.

Another scenario involves unsalted hashes and passwords, which is a very detailed topic; you can read more about it here. Encryption and hashing are not the same thing; hashing makes it very difficult to work out what the password actually is. If a database stores passwords as simple unsalted hashes, they can be deciphered and stolen.


How do we prevent a cryptographic failure? We first need to determine the level of protection for data that is at rest and data that is in transit. Resting data = stored data, whereas data en route or in-transit is currently being processed.


Here are some best practices:


1. Encrypt sensitive data that’s at rest AND in transit.

2. Use strong encryption and keep it updated if a flaw is detected.

3. Sensitive data...don’t cache it. Bad bad bad!

4. Salt, pepper, and hash those passwords! Just don’t leave them unsalted.

5. Sensitive data: make sure it is accurately processed, stored, and transmitted. If data is sensitive, discard it. Data that hasn’t been saved can’t be stolen.

   - If there is sensitive data at rest, encrypt it.

   - If there is data in transit, secure it! Enforce authenticated encryption! If it’s being transported, don’t use FTP or SMTP.

   - Disable caching on responses.

   - Classify that sensitive data!!! Follow privacy laws and regulations.

6. Make sure those algorithms are updated!
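The unsalted-hash scenario above and best practice 4 (salt, pepper, and hash) come down to the same thing, shown here in an added Python example that is not from the original post: a plain SHA-256 digest beside a salted, peppered PBKDF2 record with constant-time verification. The pepper value, the stored-record format and the sample password are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed values for the demonstration; a real pepper lives in a secrets
# store or HSM, never beside the password table it protects.
PEPPER = b"site-wide-secret-pepper-kept-out-of-the-db"
ITERATIONS = 600_000  # OWASP's current minimum for PBKDF2-HMAC-SHA256


def unsalted_sha256(password: str) -> str:
    """The weak scheme: a plain hash. Equal passwords give equal digests,
    so one precomputed table cracks every account sharing a password."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Salted, peppered, slow hash. The record is self-describing so the
    iteration count can be raised later without breaking old entries."""
    salt = salt if salt is not None else os.urandom(16)
    # Apply the pepper first via HMAC: a leaked table is useless without it.
    peppered = hmac.new(PEPPER, password.encode(), "sha256").digest()
    dk = hashlib.pbkdf2_hmac("sha256", peppered, salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in
    constant time so timing does not leak how many bytes matched."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    peppered = hmac.new(PEPPER, password.encode(), "sha256").digest()
    dk = hashlib.pbkdf2_hmac("sha256", peppered, bytes.fromhex(salt_hex),
                             int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def linkable(stored_hashes) -> bool:
    """Can someone holding only the table tell that two users share a
    password? True for unsalted hashes, False once each has its own salt."""
    return len(set(stored_hashes)) < len(stored_hashes)


if __name__ == "__main__":
    pw = "cleopatra2021"  # constructed sample password
    weak = [unsalted_sha256(pw), unsalted_sha256(pw)]
    strong = [hash_password(pw), hash_password(pw)]
    print("unsalted linkable:", linkable(weak))    # True
    print("salted linkable:  ", linkable(strong))  # False
    print("login ok:", verify_password(pw, strong[0]))
```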


The list above is not meant to be all-inclusive. I recommend further reading at https://owasp.org/Top10/A02_2021-Cryptographic_Failures/


© 2021 by Jen Cracchiola. Powered by Wix