Protect system cryptographic keys
Summary
The systems private asymmetric or symmetric keys must be protected and should not be exposed.
Description
The systems cryptographic keys are essential for maintaining the confidentiality and integrity of transactions and communications. Their exposure may cause business information leakages, loss of data integrity and loss of trust due to the inability to differentiate server traffic from malicious traffic. Therefore, these keys must be protected and managed following industry-verified standards.
Supported In
This requirement is verified in following services
| Plan | Supported |
|---|---|
| Essential | 🟢 |
| Advanced | 🟢 |
References
- CWE™-321. Use of hard-coded cryptographic key
- CWE™-322. Key exchange without entity authentication
- CWE™-323. Reusing a nonce, key Pair in encryption
- OWASP TOP 10-A2. Cryptographic failures
- OWASP TOP 10-A3. Injection
- PA-DSS-2_5. Implement key management processes and procedures for cryptographic keys used for encryption of cardholder data
- PA-DSS-2_5_1. Generation of strong cryptographic keys
- PA-DSS-2_5_3. Secure cryptographic key storage
- PA-DSS-2_5_7. Prevention of unauthorized substitution of cryptographic keys
- PA-DSS-5_2_3. Insecure cryptographic storage
- SANS 25-18. Use of hard-coded credentials
- CMMC-SC_L1-3_13_1. Boundary protection
- CMMC-SC_L2-3_13_10. Key management
- HITRUST CSF-09_s. Information exchange policies and procedures
- HITRUST CSF-09_y. On-line transactions
- HITRUST CSF-10_d. Message integrity
- HITRUST CSF-10_g. Key management
- FedRAMP-SC-12_2. Cryptographic key establishment and management - Symmetric keys
- FedRAMP-SC-13. Cryptographic protection
- ISO/IEC 27002-8_24. Use of cryptography
- ISA/IEC 62443-DC-4_3. Use of cryptography
- PTES-7_4_4_1. Post Exploitation - Pillaging (user information on system)
- PTES-7_7. Post Exploitation - Persistence
- OWASP SCP-6. Cryptographic practices
- BSAFSS-EN_2-3. Avoid weak encryption
- BSAFSS-EN_3-2. Software protects and validates encryption keys
- OWASP ASVS-1_6_2. Cryptographic architecture
- OWASP ASVS-2_9_1. Cryptographic verifier
- C2M2-9_5_e. Implement data security for cybersecurity architecture
- PCI DSS-3_6_1. Protect cryptographic keys used to protect stored account data
- PCI DSS-3_7_2. Secure cryptographic key distribution
- PCI DSS-3_7_3. Secure cryptographic key storage
- PCI DSS-3_7_7. Prevention of unauthorized substitution of cryptographic keys
- SIG Lite-SL_34. Are clients provided with the ability to rotate their encryption key on a scheduled basis?
- SIG Core-D_6_11. Asset and information management
- SIG Core-D_6_11_2. Asset and information management
- OWASP ASVS-1_6_4. Cryptographic architecture
- OWASP ASVS-6_4_1. Secret management
- ISO/IEC 27001-8_24. Use of cryptography
- CASA-2_9_1. Cryptographic Verifier
- Resolution SB 2021 2126-Art_26_11_h. Information Security
- Resolution SB 2021 2126-Art_27_8. Security in Electronic Channels
- OWASP MASVS-CRYPTO-2. The app performs key management according to industry best practices
- CWE TOP 25-798. Use of hard-coded credentials
Vulnerabilities
- 009. Sensitive information in source code
- 142. Sensitive information in source code - API Key
- 169. Insecure service configuration - Keys
- 326. Sensitive information in source code - Dependencies
- 359. Sensitive information in source code - Credentials
- 367. Sensitive information in source code - Git history
- 439. Sensitive information in source code - IP
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.