Applications that process sensitive information are responsible for protecting it. One of the OWASP Top 10 categories (A8 in the 2007 list, A7 in 2010) is entitled “Insecure Cryptographic Storage”; it refers to the failure of an application to protect data in storage (i.e. “at rest”). Later editions of the Top 10 fold the same problem into “Sensitive Data Exposure” and, in 2021, “Cryptographic Failures”. In this article we explore this problem.
Sensitive data that is persisted in files, databases, or more generally in a “data-store” exists independently of the application. The application mediates access by its own users, but it can enforce nothing once the data is read outside the application, whether through a database client, a backup job or a copied disk. Protecting the data at that layer generally falls to system administrators and database administrators for the filesystem and database respectively, and it is accomplished through OS and database account permissions and access rights.
Should an account on the data-store platform be compromised, the last line of defense is encryption. Encrypted data is effectively gibberish without the key, and no-one steals garbage. That holds only if the key is not where the attacker already is: a key kept in the same database, configuration file or backup as the ciphertext gives the defense away, so key storage must be separated from data storage.
The failure to protect sensitive data in storage using a “recommended industry standard” encryption algorithm represents an Insecure Cryptographic Storage vulnerability. Note the term “recommended industry standard”: a home-grown algorithm, or an obsolete algorithm known to be insecure, is also a vulnerability even though the data is nominally encrypted. Lastly, using a standard algorithm at insufficient strength, usually measured in terms of key length, relative to the value of the information being protected is also considered a vulnerability, as is undermining a sound algorithm in the way it is applied, for example by reusing a nonce or initialization vector, or by omitting integrity protection so that stored ciphertext can be altered undetected. Passwords are a special case: the application never needs the original value back, so they should be hashed with a salted, deliberately slow password-hashing function rather than encrypted.
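As an added example (not code from the original article), the following Go program shows the pattern the paragraphs above describe: a sensitive field encrypted at rest with a standard algorithm (AES-256-GCM from the Go standard library), a 256-bit key enforced rather than assumed, a fresh random nonce per value, and the record identifier bound in as associated data so that decryption fails on tampered bytes or on a ciphertext moved between records. The key is generated in memory only to keep the example self-contained; the function names, the customer record IDs and the card-number sample are assumptions for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KeyBytes is the key length this example insists on: 32 bytes, i.e. AES-256.
// A shorter key is rejected rather than silently accepted.
const KeyBytes = 32

// NewDataKey returns a fresh random 256-bit key. In a real deployment the key
// comes from a key-management service or HSM and is never stored next to the
// ciphertext it protects; generating it here keeps the example self-contained.
func NewDataKey() ([]byte, error) {
	key := make([]byte, KeyBytes)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM builds the AEAD, enforcing the key-length policy first.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != KeyBytes {
		return nil, fmt.Errorf("key is %d bytes; this store requires %d (AES-256)", len(key), KeyBytes)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals one sensitive column value for storage and returns
// nonce || ciphertext || tag. A random nonce is drawn per call, so equal
// plaintexts do not produce equal stored values. recordID is bound in as
// associated data: a ciphertext copied from one row to another will not open.
func EncryptField(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends to its first argument, so the result starts with the nonce.
	return aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// DecryptField reverses EncryptField. Any change to the stored bytes, the
// record ID or the key makes the authentication tag fail, returning an error
// instead of garbage plaintext.
func DecryptField(key []byte, recordID string, stored []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(stored) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("stored value is too short to be a valid ciphertext")
	}
	nonce, ct := stored[:aead.NonceSize()], stored[aead.NonceSize():]
	pt, err := aead.Open(nil, nonce, ct, []byte(recordID))
	if err != nil {
		return nil, errors.New("decryption failed: wrong key, wrong record, or tampered data")
	}
	return pt, nil
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample: a card number stored for customer record cust-1001.
	stored, err := EncryptField(key, "cust-1001", []byte("4111111111111111"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored value (%d bytes): %x\n", len(stored), stored)

	pt, err := DecryptField(key, "cust-1001", stored)
	fmt.Printf("same record:   %q err=%v\n", pt, err)

	_, err = DecryptField(key, "cust-1002", stored)
	fmt.Printf("moved record:  err=%v\n", err)

	stored[len(stored)-1] ^= 0x01 // flip one bit of the authentication tag
	_, err = DecryptField(key, "cust-1001", stored)
	fmt.Printf("tampered data: err=%v\n", err)

	_, err = EncryptField([]byte("too-short-key"), "cust-1001", []byte("x"))
	fmt.Printf("weak key:      err=%v\n", err)
}
```

The design choice worth noting is that the strength checks live in the code path rather than in policy documents: a key of the wrong length cannot be used at all, the nonce is never supplied by the caller, and integrity is checked on every read, so the three failure modes the paragraph above lists (weak key, nonce reuse, silent tampering) are each closed off by construction.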
For insight into how to detect Insecure Cryptographic Storage, please see the article entitled “How To Test For Insecure Cryptographic Storage”.
For insight into how to avoid or fix Insecure Cryptographic Storage, please see the article entitled “How To Prevent Insecure Cryptographic Storage”.
About Affinity IT Security
We hope you found this article to be useful. Affinity IT Security is available to help you with your security testing and/or to train your developers and testers. Contact us to learn how to partner with us to protect your enterprise.
Although every effort has been made to provide the most useful and highest quality information, it is unfortunate but inevitable that some errors, omissions, and typographical mistakes will appear in these articles. Consequently, Affinity IT Security will not be responsible for any loss or damages resulting directly or indirectly from any error, misunderstanding, software defect, example, or misuse of any content herein.