Use digital signatures
Summary
The system must use digital signatures to ensure the authenticity of sensitive information.
Description
A digital signature is a cryptographic mechanism that identifies the sender of a message and guarantees its authenticity and integrity: the receiver can verify that the data came from the holder of the signing key and was not modified in transit. It should be used when dealing with very sensitive information or with data and resources that are susceptible to being tampered with by third parties.
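The sign-then-verify flow described above, as an added example that is not part of the original requirement page or of Fluid Attacks' own code. It uses Go's standard-library Ed25519 implementation; the function names (Sign, Verify, AcceptIfAuthentic) and the sample transfer payload are constructed for illustration. The receiver hands the payload to business logic only after verification succeeds, and both a tampered payload and a signature made with another key are rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// SignedMessage carries a payload together with its detached Ed25519 signature.
type SignedMessage struct {
	Payload   []byte
	Signature []byte
}

// GenerateKeyPair creates a fresh Ed25519 key pair for the sender.
// The private key stays with the sender; only the public key is distributed.
func GenerateKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Sign signs payload with the sender's private key and returns the bundle
// that crosses the trust boundary.
func Sign(priv ed25519.PrivateKey, payload []byte) SignedMessage {
	return SignedMessage{
		Payload:   append([]byte(nil), payload...), // copy so later edits do not alias the caller's slice
		Signature: ed25519.Sign(priv, payload),
	}
}

// Verify checks m.Signature over m.Payload under the sender's public key.
// It returns an error instead of a bare bool so a caller cannot fall through
// on failure (the pattern behind CWE-347, improper signature verification).
func Verify(pub ed25519.PublicKey, m SignedMessage) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("malformed public key")
	}
	if len(m.Signature) != ed25519.SignatureSize {
		return errors.New("malformed signature")
	}
	if !ed25519.Verify(pub, m.Payload, m.Signature) {
		return errors.New("signature does not match payload")
	}
	return nil
}

// AcceptIfAuthentic models the receiver: the payload reaches business logic
// only after Verify succeeds.
func AcceptIfAuthentic(pub ed25519.PublicKey, m SignedMessage) (string, error) {
	if err := Verify(pub, m); err != nil {
		return "", err
	}
	return string(m.Payload), nil
}

func main() {
	pub, priv, err := GenerateKeyPair()
	if err != nil {
		panic(err)
	}

	// Constructed sample payload: an instruction the receiver must be able to trust.
	msg := Sign(priv, []byte(`{"transfer":100,"to":"acct-42"}`))
	fmt.Println("signature:", hex.EncodeToString(msg.Signature))

	if text, err := AcceptIfAuthentic(pub, msg); err == nil {
		fmt.Println("accepted:", text)
	}

	// A third party alters the amount in transit: verification must fail.
	tampered := msg
	tampered.Payload = []byte(`{"transfer":900,"to":"acct-42"}`)
	if _, err := AcceptIfAuthentic(pub, tampered); err != nil {
		fmt.Println("rejected tampered payload:", err)
	}

	// A message signed with a different key (impersonation) must also fail.
	_, otherPriv, _ := GenerateKeyPair()
	forged := Sign(otherPriv, msg.Payload)
	if _, err := AcceptIfAuthentic(pub, forged); err != nil {
		fmt.Println("rejected forged signature:", err)
	}
}
```

The public key must be obtained through a trusted channel (pinned in configuration or certified by a trusted authority); verifying against a key that arrives alongside the message proves nothing about the sender.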
References
- CAPEC-21. Exploitation of trusted identifiers
- CAPEC-22. Exploiting trust in client
- CAPEC-148. Content spoofing
- CWE-345. Insufficient verification of data authenticity
- CWE-347. Improper verification of cryptographic signature
- CWE-353. Missing support for integrity check
- OWASP10-A8. Software and data integrity failures
- CERTJ-SER02-J. Sign then seal objects before sending them outside a trust boundary
- MITRE-M1045. Code signing
- PADSS-11_1. Use of strong cryptography and security protocols to safeguard sensitive cardholder data during transmission
- PDPA-9B_48E. Improper use of personal data
- CMMC-SC_L2-3_13_15. Communications authenticity
- HITRUST-05_k. Addressing security in third party agreements
- HITRUST-06_d. Data protection and privacy of covered information
- HITRUST-10_d. Message integrity
- IEC62443-DC-4_1. Information confidentiality
- NISTSSDF-PS_1_1. Protect all forms of code from unauthorized access and tampering
- ISSAF-H_14_3. Network security - Intrusion detection (detection engine)
- OWASPSCP-14. General coding practices
- BSAFSS-SM_4-1. Software measures to prevent counterfeiting and tampering
- NIST800115-3_6. File integrity checking
- SWIFTCSC-6_2. Software integrity
- OSAMM-OM. Operational Management
- ASVS-10_3_1. Application integrity
- ASVS-10_3_2. Application integrity
- CASA-10_3_2. Application Integrity
- OWASPMASVS-STORAGE-1. The app securely stores sensitive data
- OWASPMASVS-STORAGE-2. The app prevents leakage of sensitive data
Weaknesses
- 086. Missing subresource integrity check
- 103. Insufficient data authenticity validation - APK signing
- 327. Insufficient data authenticity validation - Images
- 355. Insufficient data authenticity validation - Checksum verification
- 377. Insufficient data authenticity validation - Device Binding
- 382. Insufficient data authenticity validation - Front bypass
- 389. Insufficient data authenticity validation - JAR signing
Supported In
This requirement is verified in the following services
Essential Plan
Advanced Plan