Use digital signatures
Summary
The system must use digital signatures to ensure the authenticity of sensitive information.
Description
A digital signature is a cryptographic mechanism that identifies the sender of a message and guarantees its authenticity and integrity: a verifier holding the sender's public key can confirm that the message was produced by the holder of the matching private key and has not been altered since. It should be used when dealing with very sensitive information or with data and resources that third parties could tamper with or forge.
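As an added illustration (not part of this requirement page or of Fluid Attacks' own code), the following Go program shows the mechanism the description refers to: a sender signs a payload with its Ed25519 private key, and the receiver verifies the signature with the public key, rejecting any message whose payload, signature or signing key differs from the original. It uses only Go's standard library; the `Sign`/`Verify` function names, the `SignedMessage` type and the JSON payload are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// SignedMessage bundles a payload with the signature computed over it.
// (Type name is an assumption for this example.)
type SignedMessage struct {
	Payload   []byte
	Signature []byte
}

// Sign produces an Ed25519 signature over payload using the sender's private key.
func Sign(priv ed25519.PrivateKey, payload []byte) SignedMessage {
	return SignedMessage{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// Verify checks msg.Signature over msg.Payload against the sender's public key.
// It returns an error when the payload or signature was altered, when the
// signature was made with a different key, or when the inputs are malformed.
func Verify(pub ed25519.PublicKey, msg SignedMessage) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("malformed public key")
	}
	if len(msg.Signature) != ed25519.SignatureSize {
		return errors.New("malformed signature")
	}
	if !ed25519.Verify(pub, msg.Payload, msg.Signature) {
		return errors.New("signature verification failed: message is not authentic")
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	// Constructed sample payload: a transfer order that must not be forged or altered.
	msg := Sign(priv, []byte(`{"transfer":100,"to":"acct-42"}`))
	fmt.Println("original message:", Verify(pub, msg))

	// An in-transit modification of the payload invalidates the signature.
	tampered := msg
	tampered.Payload = []byte(`{"transfer":9000,"to":"acct-42"}`)
	fmt.Println("tampered message:", Verify(pub, tampered))
}
```

The receiver must obtain the sender's public key through a trusted channel (a pinned key, a certificate chain or a key server it trusts); otherwise an attacker who substitutes their own key could produce signatures that verify. Verification must also be performed before the payload is acted on, never after.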
Supported In
This requirement is verified in the following services:
| Plan | Supported |
|---|---|
| Essential | 🟢 |
| Advanced | 🟢 |
References
- CAPEC™-21. Exploitation of trusted identifiers
- CAPEC™-22. Exploiting trust in client
- CAPEC™-148. Content spoofing
- CWE™-345. Insufficient verification of data authenticity
- CWE™-347. Improper verification of cryptographic signature
- CWE™-353. Missing support for integrity check
- OWASP TOP 10-A8. Software and data integrity failures
- CERT-J-SER02-J. Sign then seal objects before sending them outside a trust boundary
- MITRE ATT&CK®-M1045. Code signing
- PA-DSS-11_1. Use of strong cryptography and security protocols to safeguard sensitive cardholder data during transmission
- PDPA-9B_48E. Improper use of personal data
- CMMC-SC_L2-3_13_15. Communications authenticity
- HITRUST CSF-05_k. Addressing security in third party agreements
- HITRUST CSF-06_d. Data protection and privacy of covered information
- HITRUST CSF-10_d. Message integrity
- ISA/IEC 62443-DC-4_1. Information confidentiality
- NIST SSDF-PS_1_1. Protect all forms of code from unauthorized access and tampering
- ISSAF-H_14_3. Network security - Intrusion detection (detection engine)
- OWASP SCP-14. General coding practices
- BSAFSS-SM_4-1. Software measures to prevent counterfeiting and tampering
- NIST 800-115-3_6. File integrity checking
- SWIFT CSCF-6_2. Software integrity
- OWASP SAMM-OM. Operational Management
- OWASP ASVS-10_3_1. Application integrity
- OWASP ASVS-10_3_2. Application integrity
- CASA-10_3_2. Application Integrity
- OWASP MASVS-STORAGE-1. The app securely stores sensitive data
- OWASP MASVS-STORAGE-2. The app prevents leakage of sensitive data
Vulnerabilities
- 086. Missing subresource integrity check
- 103. Insufficient data authenticity validation - APK signing
- 327. Insufficient data authenticity validation - Images
- 355. Insufficient data authenticity validation - Checksum verification
- 377. Insufficient data authenticity validation - Device Binding
- 382. Insufficient data authenticity validation - Front bypass
- 389. Insufficient data authenticity validation - JAR signing