Use digital signatures
Summary
The system must use digital signatures to ensure the authenticity of sensitive information.
Description
A digital signature is a cryptographic mechanism that helps identify the sender of a message, and guarantee its authenticity and integrity. It should be used when dealing with very sensitive information or with data and resources that are susceptible to being affected by third parties.
Supported In
This requirement is verified in following services:
Plan | Supported |
---|---|
Machine | 🟢 |
Squad | 🟢 |
One-Shot | 🟢 |
References
- CAPEC™-21. Exploitation of trusted identifiers
- CAPEC™-22. Exploiting trust in client
- CAPEC™-148. Content spoofing
- CWE-326. Inadequate encryption strength
- CWE-345. Insufficient verification of data authenticity
- CWE-347. Improper verification of cryptographic signature
- CWE-494. Download of code without integrity check
- ISO/IEC 27001-14_1_3. Protecting application services transactions
- OWASP TOP 10-A8. Software and data integrity failures
- CERT-J-SER02-J. Sign then seal objects before sending them outside a trust boundary
- MITRE ATT&CK®-M1045. Code signing
- PA-DSS-11_1. Use of strong cryptography and security protocols to safeguard sensitive cardholder data during transmission
- PDPA-9B_48E. Improper use of personal data
- CMMC-SC_L2-3_13_15. Communications authenticity
- HITRUST CSF-05_k. Addressing security in third party agreements
- HITRUST CSF-06_d. Data protection and privacy of covered information
- HITRUST CSF-10_d. Message integrity
- ISA/IEC 62443-DC-4_1. Information confidentiality
- NIST SSDF-PS_1_1. Protect all forms of code from unauthorized access and tampering
- ISSAF-H_14_3. Network security - Intrusion detection (detection engine)
- OWASP SCP-14. General coding practices
- BSAFSS-SM_4-1. Software measures to prevent counterfeiting and tampering
- OWASP MASVS-V8_10. Resilience requirements - Device binding
- NIST 800-115-3_6. File integrity checking
- SWIFT CSCF-6_2. Software integrity
- OWASP SAMM-OE_3. Mandate communication of security information and validate artifacts
- OWASP ASVS-10_3_1. Application integrity
- OWASP ASVS-10_3_2. Application integrity
Vulnerabilities
- 086. Missing subresource integrity check
- 103. Insufficient data authenticity validation - APK signing
- 327. Insufficient data authenticity validation - Images
- 355. Insufficient data authenticity validation - Checksum verification
- 377. Insufficient data authenticity validation - Device Binding
- 382. Insufficient data authenticity validation - Front bypass
- 389. Insufficient data authenticity validation - JAR signing