178 – Use digital signatures

Summary

The system must use digital signatures to ensure the authenticity of sensitive information.

Description

A digital signature is a cryptographic mechanism that helps identify the sender of a message, and guarantee its authenticity and integrity. It should be used when dealing with very sensitive information or with data and resources that are susceptible to being affected by third parties.

Supported In

Essential: True

Advanced: True

References

• CAPEC-21. Exploitation of trusted identifiers
• CAPEC-22. Exploiting trust in client
• CAPEC-148. Content spoofing
• CWE-345. Insufficient verification of data authenticity
• CWE-347. Improper verification of cryptographic signature
• CWE-353. Missing support for integrity check
• OWASP10-A8. Software and data integrity failures
• CERTJ-SER02-J. Sign then seal objects before sending them outside a trust boundary
• MITRE-M1045. Code signing
• PADSS-11_1. Use of strong cryptography and security protocols to safeguard sensitive cardholder data during transmission
• PDPA-9B_48E. Improper use of personal data
• CMMC-SC_L2-3_13_15. Communications authenticity
• HITRUST-05_k. Addressing security in third party agreements
• HITRUST-06_d. Data protection and privacy of covered information
• HITRUST-10_d. Message integrity
• IEC62443-DC-4_1. Information confidentiality
• NISTSSDF-PS_1_1. Protect all forms of code from unauthorized access and tampering
• ISSAF-H_14_3. Network security - Intrusion detection (detection engine)
• OWASPSCP-14. General coding practices
• BSAFSS-SM_4-1. Software measures to prevent counterfeiting and tampering
• NIST800115-3_6. File integrity checking
• SWIFTCSC-6_2. Software integrity
• OSAMM-OM. Operational Management
• ASVS-10_3_1. Application integrity
• ASVS-10_3_2. Application integrity
• CASA-10_3_2. Application Integrity
• OWASPMASVS-STORAGE-1. The app securely stores sensitive data
• OWASPMASVS-STORAGE-2. The app prevents leakage of sensitive data

Weaknesses

• 103 – Insufficient data authenticity validation - APK signing
• 327 – Insufficient data authenticity validation - Images
• 355 – Insufficient data authenticity validation - Checksum verification
• 377 – Insufficient data authenticity validation - Device Binding
• 382 – Insufficient data authenticity validation - Front bypass
• 389 – Insufficient data authenticity validation - JAR signing
• 086 – Missing subresource integrity check

Last updated

2024/02/09