2021 OWASP Top Ten: Cryptographic Failures

F5 DevCentral

24 Jan 202209:16

Summary

TLDRIn this video, John Wagner discusses the 2021 OWASP Top 10 security risk: cryptographic failures, which has risen to number two on the list. He emphasizes the importance of protecting sensitive data, like passwords and credit card information, particularly in compliance with regulations such as GDPR and PCI DSS. Wagner highlights common pitfalls, including the use of outdated cryptographic algorithms, automatic decryption, and improper key management. He advises on best practices, such as encrypting all sensitive data at rest and using trusted libraries for cryptography. Overall, the video serves as a crucial reminder of the significance of robust cryptographic measures.

Takeaways

🔐 Cryptographic failures are ranked as the second highest security risk in the 2021 OWASP Top 10, previously categorized under sensitive data exposure.
🔍 Understanding the protection needs of data is crucial, whether it's data in transit or at rest, particularly for sensitive information like passwords and credit card numbers.
🚫 Avoid using old or weak cryptographic algorithms and ensure that all data transfers are secured using HTTPS instead of HTTP.
🔑 Proper key management is essential; ensure that server certificates and trust chains are validated to prevent unauthorized access.
📚 Do not create your own cryptographic solutions; instead, utilize trusted libraries such as Google Tink or Libsodium to enhance security.
💻 Automatic decryption of sensitive data can lead to vulnerabilities; ensure that data remains encrypted during retrieval to protect against SQL injection attacks.
🔒 Enforcing HTTPS across all application pages is vital to prevent attackers from intercepting data transmitted in plaintext.
⬇️ Downgrade attacks can exploit weak cryptographic protocols; use strong cipher suites to prevent attackers from forcing a downgrade.
📉 Classifying and identifying sensitive data can help determine the level of protection required and guide security measures effectively.
🗑️ Minimize the retention of sensitive data; securely discard unnecessary information to reduce the risk of theft and exposure.

Q & A

What is the focus of the OWASP Top 10 security risk related to cryptographic failures?
-The focus is on failures related to cryptography, which can lead to the exposure of sensitive data, rather than just the broader symptom of sensitive data exposure.
How have cryptographic failures been classified in the 2021 OWASP Top 10?
-Cryptographic failures have been classified as the second most significant security risk, emphasizing the need for robust cryptographic practices.
What types of sensitive data should be protected according to the video?
-Sensitive data includes passwords, credit card numbers, health information, and personal data, especially if they fall under regulations like GDPR or PCI DSS.
What are some indicators of potential cryptographic failures in an application?
-Indicators include the use of outdated or weak cryptographic algorithms, missing encryption for HTTP headers, and improper key management.
Why is it important to avoid writing custom cryptographic code?
-Custom cryptographic code can introduce vulnerabilities; instead, it's recommended to use trusted libraries like Google Tink or Libsodium.
What scenario illustrates a cryptographic failure involving SQL injection?
-If an application automatically decrypts sensitive data when querying a database, an attacker could exploit this to access decrypted data, such as credit card numbers.
What are the risks associated with not enforcing HTTPS?
-Not enforcing HTTPS can expose data in plain text, making it susceptible to interception by attackers who can sniff the traffic.
What are downgrade attacks, and why are they a concern?
-Downgrade attacks occur when an attacker forces a connection to switch from strong encryption to weaker protocols, allowing them to exploit vulnerabilities in the weaker encryption.
What best practices should organizations follow to mitigate cryptographic failures?
-Organizations should classify sensitive data, avoid unnecessary data retention, encrypt data at rest, use strong cryptographic algorithms, and maintain proper key management.
What is the overall takeaway regarding cryptographic failures from the OWASP Top 10 discussion?
-The key takeaway is that cryptographic failures are a significant security risk that can be mitigated through best practices in data protection and strong cryptographic measures.