Use pre-existent mechanisms
Summary
The system's cryptographic functions must be implemented with pre-existing, up-to-date cryptographic mechanisms.
Description
The system's cryptographic functions are essential for maintaining the confidentiality and integrity of transactions and communications. Therefore, these functions must be based on pre-existing, tested, approved and secure mechanisms (vetted cryptographic libraries or modules, with current algorithms and modes) rather than on custom or outdated implementations.
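As an added example that is not part of the Fluid Attacks page, the Go program below puts the two choices side by side: a homegrown repeating-key XOR "cipher" (the anti-pattern) and AES-256-GCM from Go's standard library (a pre-existing, vetted mechanism). The message, key and associated data are constructed sample values; the function names are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// --- Homegrown mechanism (what the requirement forbids) ---

// xorCipher is a repeating-key XOR. It is symmetric, so the same call
// encrypts and decrypts. It provides no integrity protection, and a
// known plaintext of key length reveals the whole key.
func xorCipher(key, data []byte) []byte {
	out := make([]byte, len(data))
	for i := range data {
		out[i] = data[i] ^ key[i%len(key)]
	}
	return out
}

// recoverXORKey demonstrates the weakness: XOR of a known plaintext
// prefix with the matching ciphertext prefix yields the key.
func recoverXORKey(knownPlain, cipherText []byte, keyLen int) []byte {
	return xorCipher(knownPlain[:keyLen], cipherText[:keyLen])
}

// --- Vetted mechanism: AES-GCM from the Go standard library ---

// newAEAD builds an AES-GCM AEAD; aes.NewCipher rejects any key that is
// not 16, 24 or 32 bytes, so a weak or malformed key cannot slip through.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM returns nonce || ciphertext || tag. A fresh random nonce is
// drawn from crypto/rand for every message (nonce reuse breaks GCM).
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM verifies the authentication tag (over ciphertext and aad)
// before returning any plaintext; any modification yields an error.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, aad)
}

func main() {
	key := make([]byte, 32) // 256-bit key; in production load it from a KMS/HSM
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	msg := []byte("transfer 100.00 to account 42") // constructed sample message
	aad := []byte("txn/v1")                        // constructed associated data

	sealed, err := sealGCM(key, msg, aad)
	if err != nil {
		panic(err)
	}
	sealed[len(sealed)-1] ^= 0x01 // flip one bit of the tag
	_, err = openGCM(key, sealed, aad)
	fmt.Println("tampered AES-GCM message rejected:", err != nil)
}
```

Note that the XOR variant "works" in the sense that it round-trips, which is exactly why such code survives review; the difference only shows under attack (key recovery from one known plaintext, silent bit-flipping), whereas the standard-library AEAD refuses bad key sizes and rejects any modified ciphertext or associated data.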
References
- CAPEC-20. Encryption brute forcing
- CIS-3_6. Encrypt data on end-user devices
- CIS-16_11. Leverage vetted modules or services for application security components
- CWE-326. Inadequate encryption strength
- CWE-327. Use of a broken or risky cryptographic algorithm
- HIPAA-164_312_a_2_iv. Encryption and decryption (addressable)
- NIST80053-IA-7. Cryptographic module authentication
- OWASP10-A4. Insecure design
- NYDFS-500_15. Encryption of nonpublic information
- CMMC-AC_L1-3_1_2. Transaction & function control
- CMMC-AC_L2-3_1_13. Remote access confidentiality
- CMMC-SC_L1-3_13_1. Boundary protection
- CMMC-SC_L2-3_13_8. Data in transit
- CMMC-SC_L2-3_13_15. Communications authenticity
- HITRUST-06_f. Regulation of cryptographic controls
- HITRUST-09_m. Network controls
- HITRUST-09_s. Information exchange policies and procedures
- HITRUST-09_y. On-line transactions
- HITRUST-10_d. Message integrity
- HITRUST-10_f. Policy on the use of cryptographic controls
- FEDRAMP-CM-3_6. Baseline configuration - Cryptography management
- FEDRAMP-SC-8_1. Cryptographic or alternate physical protection
- IEC62443-SI-3_1. Communication integrity
- OSSTMM3-10_7_2. Telecommunications security (controls verification) - Confidentiality
- OSSTMM3-11_7_2. Data networks security (controls verification) - Confidentiality
- NISTSSDF-PS_1_1. Protect all forms of code from unauthorized access and tampering
- PTES-4_5_3. Threat capability analysis - Communication mechanisms
- MVSP-2_8. Application design controls - Encryption
- BSAFSS-EN_2-5. Avoid weak encryption
- NIST800171-1_13. Employ cryptographic mechanisms to protect the confidentiality of remote access sessions
- ASVS-1_9_1. Communications architecture
- ASVS-6_2_2. Algorithms
- ASVS-8_3_7. Sensitive private data
- C2M2-9_5_d. Implement data security for cybersecurity architecture
- PCI-9_4_3. Media is secured and tracked when transported
- ASVS-2_8_3. One time verifier
- CASA-1_9_1. Communications Architecture
- CASA-6_2_2. Algorithms
- FISMA-IA-7. Cryptographic module authentication
Supported In
This requirement is verified in the following services
Essential Plan
Advanced Plan