Use digital signatures
Summary
The system must use digital signatures to ensure the authenticity of sensitive information.
Description
A digital signature is a cryptographic mechanism that identifies the sender of a message and guarantees its authenticity and integrity: the receiver can confirm who signed the data and that it has not been modified since signing. It should be used when dealing with very sensitive information or with data and resources that could be altered by third parties.
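The following is an added example, not code from the original page; it shows the sign-then-verify flow the description refers to, using Ed25519 from Go's standard library. The envelope type, function names and the sample payload are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// SignedMessage is the envelope sent across the trust boundary: the payload
// plus the sender's signature over it. Field names are assumed for this example.
type SignedMessage struct {
	Payload   []byte `json:"payload"`
	Signature []byte `json:"signature"`
}

// NewKeyPair creates an Ed25519 signing key (kept secret by the sender) and the
// matching verification key (distributed to receivers).
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Sign produces the envelope for payload with the sender's private key.
func Sign(priv ed25519.PrivateKey, payload []byte) SignedMessage {
	return SignedMessage{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// Verify checks the envelope with the sender's public key. It returns an error
// when the payload or the signature was altered in transit, or when the message
// was signed by a different key, so the receiver must not act on it.
func Verify(pub ed25519.PublicKey, msg SignedMessage) error {
	if len(msg.Signature) != ed25519.SignatureSize {
		return errors.New("malformed signature")
	}
	if !ed25519.Verify(pub, msg.Payload, msg.Signature) {
		return errors.New("signature verification failed: message is not authentic")
	}
	return nil
}

// Encode serialises the envelope for transport (json encodes []byte as base64).
func Encode(msg SignedMessage) ([]byte, error) {
	return json.Marshal(msg)
}

// Decode parses an envelope received from the wire.
func Decode(data []byte) (SignedMessage, error) {
	var msg SignedMessage
	err := json.Unmarshal(data, &msg)
	return msg, err
}

func main() {
	pub, priv, err := NewKeyPair()
	if err != nil {
		panic(err)
	}
	// Constructed sample payload.
	wire, _ := Encode(Sign(priv, []byte(`{"op":"transfer","amount":100,"to":42}`)))

	received, _ := Decode(wire)
	fmt.Println("genuine message:", Verify(pub, received))

	// A third party changes the amount but cannot produce a valid signature.
	received.Payload = []byte(`{"op":"transfer","amount":900,"to":42}`)
	fmt.Println("tampered message:", Verify(pub, received))
}
```

The receiver only needs the public key, which can be published; the sender never shares the private key. Signing the exact bytes that are transmitted (and verifying them before parsing) avoids mismatches between what was signed and what is processed.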
Supported In
This requirement is verified in the following services
| Plan | Supported |
|---|---|
| Machine | 🟢 |
| Squad | 🟢 |
References
- CAPEC™-21. Exploitation of trusted identifiers
- CAPEC™-22. Exploiting trust in client
- CAPEC™-148. Content spoofing
- CWE™-345. Insufficient verification of data authenticity
- CWE™-347. Improper verification of cryptographic signature
- CWE™-353. Missing support for integrity check
- OWASP TOP 10-A8. Software and data integrity failures
- CERT-J-SER02-J. Sign then seal objects before sending them outside a trust boundary
- MITRE ATT&CK®-M1045. Code signing
- PA-DSS-11_1. Use of strong cryptography and security protocols to safeguard sensitive cardholder data during transmission
- PDPA-9B_48E. Improper use of personal data
- CMMC-SC_L2-3_13_15. Communications authenticity
- HITRUST CSF-05_k. Addressing security in third party agreements
- HITRUST CSF-06_d. Data protection and privacy of covered information
- HITRUST CSF-10_d. Message integrity
- ISA/IEC 62443-DC-4_1. Information confidentiality
- NIST SSDF-PS_1_1. Protect all forms of code from unauthorized access and tampering
- ISSAF-H_14_3. Network security - Intrusion detection (detection engine)
- OWASP SCP-14. General coding practices
- BSAFSS-SM_4-1. Software measures to prevent counterfeiting and tampering
- OWASP MASVS-V8_10. Resilience requirements - Device binding
- NIST 800-115-3_6. File integrity checking
- SWIFT CSCF-6_2. Software integrity
- OWASP SAMM-OE_3. Mandate communication of security information and validate artifacts
- OWASP ASVS-10_3_1. Application integrity
- OWASP ASVS-10_3_2. Application integrity
- CASA-10_3_2. Application Integrity
Vulnerabilities
- 086. Missing subresource integrity check
- 103. Insufficient data authenticity validation - APK signing
- 327. Insufficient data authenticity validation - Images
- 355. Insufficient data authenticity validation - Checksum verification
- 377. Insufficient data authenticity validation - Device Binding
- 382. Insufficient data authenticity validation - Front bypass
- 389. Insufficient data authenticity validation - JAR signing