145 – Protect system cryptographic keys

Summary

The systems private asymmetric or symmetric keys must be protected and should not be exposed.

Description

The systems cryptographic keys are essential for maintaining the confidentiality and integrity of transactions and communications. Their exposure may cause business information leakages, loss of data integrity and loss of trust due to the inability to differentiate server traffic from malicious traffic. Therefore, these keys must be protected and managed following industry-verified standards.

Supported In

Essential: True

Advanced: True

References

• CWE-321. Use of hard-coded cryptographic key
• CWE-322. Key exchange without entity authentication
• CWE-323. Reusing a nonce, key Pair in encryption
• OWASP10-A2. Cryptographic failures
• OWASP10-A3. Injection
• PADSS-2_5. Implement key management processes and procedures for cryptographic keys used for encryption of cardholder data
• PADSS-2_5_1. Generation of strong cryptographic keys
• PADSS-2_5_3. Secure cryptographic key storage
• PADSS-2_5_7. Prevention of unauthorized substitution of cryptographic keys
• PADSS-5_2_3. Insecure cryptographic storage
• SANS25-18. Use of hard-coded credentials
• CMMC-SC_L1-3_13_1. Boundary protection
• CMMC-SC_L2-3_13_10. Key management
• HITRUST-09_s. Information exchange policies and procedures
• HITRUST-09_y. On-line transactions
• HITRUST-10_d. Message integrity
• HITRUST-10_g. Key management
• FEDRAMP-SC-12_2. Cryptographic key establishment and management - Symmetric keys
• FEDRAMP-SC-13. Cryptographic protection
• ISO27002-8_24. Use of cryptography
• IEC62443-DC-4_3. Use of cryptography
• PTES-7_4_4_1. Post Exploitation - Pillaging (user information on system)
• PTES-7_7. Post Exploitation - Persistence
• OWASPSCP-6. Cryptographic practices
• BSAFSS-EN_2-3. Avoid weak encryption
• BSAFSS-EN_3-2. Software protects and validates encryption keys
• ASVS-1_6_2. Cryptographic architecture
• ASVS-2_9_1. Cryptographic verifier
• C2M2-9_5_e. Implement data security for cybersecurity architecture
• PCI-3_6_1. Protect cryptographic keys used to protect stored account data
• PCI-3_7_2. Secure cryptographic key distribution
• PCI-3_7_3. Secure cryptographic key storage
• PCI-3_7_7. Prevention of unauthorized substitution of cryptographic keys
• SIGLITE-SL_34. Are clients provided with the ability to rotate their encryption key on a scheduled basis?
• SIG-D_6_11. Asset and information management
• SIG-D_6_11_2. Asset and information management
• ASVS-1_6_4. Cryptographic architecture
• ASVS-6_4_1. Secret management
• ISO27001-8_24. Use of cryptography
• CASA-2_9_1. Cryptographic Verifier
• RESOLSB-Art_26_11_h. Information Security
• RESOLSB-Art_27_8. Security in Electronic Channels
• OWASPMASVS-CRYPTO-2. The app performs key management according to industry best practices
• CWE25-798. Use of hard-coded credentials

Weaknesses

• 142 – Sensitive information in source code - API Key
• 169 – Insecure service configuration - Keys
• 326 – Sensitive information in source code - Dependencies
• 359 – Sensitive information in source code - Credentials
• 367 – Sensitive information in source code - Git history
• 439 – Sensitive information in source code - IP
• 009 – Sensitive information in source code

Last updated

2024/02/05