Insecure Cryptographic Storage Explained

Thursday, July 12, 2012

Fergal Glynn


Article by Ian Broderick

We recently interviewed Veracode Security Researcher Chris Lytle, who discussed Insecure Cryptographic Storage.

Insecure Cryptographic Storage is a common vulnerability class that occurs when sensitive data at rest is not protected by properly applied cryptography: it is stored in the clear, encrypted with a weak algorithm, or encrypted with keys that are themselves poorly protected.

Protecting sensitive data with properly applied cryptography should be a standard step in a Secure Software Development Lifecycle. In this video Chris describes what Insecure Cryptographic Storage is and explains the impact of these flaws.


Insecure Cryptographic Storage isn't a single vulnerability but a collection of vulnerabilities, all of which concern whether your most important data is actually protected by cryptography when it needs to be.

This includes, but isn't limited to, encrypting the right data in the first place, storing and managing keys properly, avoiding algorithms with known weaknesses, and not implementing your own cryptography, which has not had the scrutiny a standard, vetted implementation has received.

What is the Impact of Insecure Cryptographic Storage Flaws?

The impact of these flaws, when exploited, is usually high because the data being protected is an organization's most sensitive: personally identifiable information, trade secrets, healthcare records and credit card numbers.

How is Insecure Cryptographic Storage Attacked?

Modern, well-vetted cryptographic algorithms are extremely resilient, and brute-forcing them directly is not practical. The problem is rarely the algorithm itself but how it is implemented and deployed to keep your data safe: what data it covers, how the keys are stored and managed, and how the primitive is used in practice.

Most attackers therefore go after how you are using the cryptography, not the cryptography itself.
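A concrete case of attacking the usage rather than the algorithm is password storage. The following example is added for this article and is not code from the interview or from Veracode: the user table and the attacker's wordlist are constructed for illustration. It shows an unsalted, fast digest (MD5) falling to a trivial offline dictionary attack, beside a hardened form that uses a per-user random salt and a deliberately slow, memory-hard key derivation function (scrypt) with constant-time verification.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Constructed sample user table (assumption: toy data for this example only).
USERS = {"alice": "Summer2012", "bob": "correct horse battery staple"}

# Constructed attacker wordlist (assumption: a short list stands in for the
# multi-gigabyte lists used in real offline cracking).
WORDLIST = ["password", "123456", "Summer2012", "letmein", "qwerty"]


# --- Insecure storage: unsalted, fast digest -------------------------------
def store_md5(password: str) -> str:
    """The flaw is not that MD5 is 'broken' for this use; it is that a fast,
    unsalted digest lets an attacker test guesses offline at full speed and
    spot users who share a password, since equal inputs give equal digests."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_md5(digest: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: hash each guess and compare to the leak."""
    for guess in wordlist:
        if hashlib.md5(guess.encode()).hexdigest() == digest:
            return guess
    return None


# --- Hardened storage: salted, memory-hard KDF -----------------------------
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1  # 16 MiB per guess at these settings


def store_scrypt(password: str, salt: Optional[bytes] = None) -> str:
    """Per-user random salt plus a slow KDF. The record carries the salt and
    the cost parameters so verification can recompute the same derived key
    and the parameters can be raised later without breaking old records."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${dk.hex()}"


def verify_scrypt(password: str, record: str) -> bool:
    """Recompute the derived key from the stored salt/parameters and compare
    in constant time so the comparison does not leak how many bytes matched."""
    algo, n, r, p, salt_hex, dk_hex = record.split("$")
    if algo != "scrypt":
        return False
    dk = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                        n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    for user, pw in USERS.items():
        leaked = store_md5(pw)
        print(f"{user}: md5 record cracked -> {crack_md5(leaked, WORDLIST)!r}")
        record = store_scrypt(pw)
        print(f"{user}: scrypt record {record[:40]}... verifies={verify_scrypt(pw, record)}")
```

Note that the hardened form still does nothing for the first flaw on the list above, encrypting the right data in the first place: if the application also logs the plaintext password or stores it in a second table, the KDF protects nothing.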

How to Detect and Fix Insecure Cryptographic Storage Issues

The ways to detect and fix cryptographic storage issues fall into two camps. On one side are design flaws such as improper key management or failing to encrypt the right data.

These are fixed by stepping back to look at the scope of your application and your internal business processes, and reviewing whether your handling of sensitive data and keys follows best practice; they are design questions that an automated tool cannot answer for you.

On the other side, issues such as implementing your own cryptography or using known insecure algorithms are visible in the code itself, can be found with a variety of security scanning tools, and are fixed by switching to a vetted algorithm from a standard library.
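As an added illustration of the kind of check such tools automate (example code written for this article, not Veracode's scanner or any product's rule set), here is a small pattern-based scanner run over a constructed source snippet. The rules, the sample source and the reasons reported are all assumptions made for the example; a real static analyser works on a parsed representation of the code rather than regular expressions, but the categories it flags are the same.

```python
import re
from typing import List, Tuple

# Illustrative rule set (assumption): each entry is a pattern and the reason
# a finding is raised. Real tools have far larger, language-aware rule sets.
RULES = [
    (re.compile(r"\bhashlib\.(md5|sha1)\s*\("),
     "weak digest (MD5/SHA-1) in code handling passwords or integrity"),
    (re.compile(r"\b(DES|TripleDES|ARC4|RC4|Blowfish)\b"),
     "deprecated or broken cipher"),
    (re.compile(r"\bMODE_ECB\b|\bmodes\.ECB\b"),
     "ECB mode leaks plaintext structure"),
    (re.compile(r"\b(key|secret|password)\s*=\s*(b?['\"])[^'\"]{8,}\2", re.I),
     "hard-coded key or secret literal"),
    (re.compile(r"\brandom\.(random|randint|choice)\s*\("),
     "non-cryptographic RNG used for key/IV/salt material"),
]


def scan(source: str) -> List[Tuple[int, str, str]]:
    """Return (line number, reason, stripped line) for every rule hit.
    Comment-only lines are skipped so that mentioning an algorithm in a
    comment does not produce a finding."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("#"):
            continue
        for pattern, reason in RULES:
            if pattern.search(line):
                findings.append((lineno, reason, stripped))
    return findings


# Constructed sample of the kind of code a scanner would flag (assumption:
# written for this example; the Crypto.Cipher import is illustrative only
# and is never executed here, the text is only scanned).
SAMPLE_SOURCE = '''\
import hashlib, random
from Crypto.Cipher import AES, DES
key = "hardcodedsecret123"
def hash_pw(pw):
    return hashlib.md5(pw.encode()).hexdigest()
iv = bytes(random.randint(0, 255) for _ in range(16))
cipher = AES.new(key.encode()[:16], AES.MODE_ECB)
legacy = DES.new(key.encode()[:8], DES.MODE_CBC, iv)
# hashlib.sha1 is mentioned only in this comment, so it is not reported
safe = hashlib.sha256(b"data").hexdigest()
'''

if __name__ == "__main__":
    for lineno, reason, text in scan(SAMPLE_SOURCE):
        print(f"line {lineno}: {reason}\n    {text}")
```

Pattern matching of this kind finds the "known bad algorithm" and "hard-coded key" camp of flaws; it cannot tell you that a column holding card numbers was never encrypted at all, which is why the design review in the first camp is still required.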

Cross-posted from Veracode
