We recently recorded CA Veracode Security Researcher Chris Lytle discussing Insecure Cryptographic Storage. Insecure Cryptographic Storage is a common vulnerability that occurs when sensitive data is not stored securely. Protecting sensitive data by encrypting it should be a key step in a Secure Software Development Lifecycle. In this video Chris describes what Insecure Cryptography is and explains the impact of Insecure Cryptographic Storage Flaws. We hope you enjoy the video, and for your convenience we've transcribed the video below.
What is Insecure Cryptographic Storage?
Insecure Cryptographic Storage isn't a single vulnerability, but a collection of vulnerabilities that all have to do with making sure that your most important data is encrypted when it needs to be. This includes, but isn't limited to, making sure you are encrypting the correct data, making sure you have proper key storage and management, making sure that you are not using known bad algorithms and making sure you are not implementing your own cryptography, which may or may not be secure.
What is the Impact of Insecure Cryptographic Storage Flaws?
The impact of these flaws when exploited is usually quite high due to the fact that the information that is usually encrypted are important things like personally identifiable information, trade secrets, healthcare records, personal information and credit card numbers.
How is Insecure Cryptography Storage Attacked?
Modern cryptographic algorithms are extremely resilient and can take a lot of time to crack. The issue is not with the algorithms being used, the issue is with the way they are being implemented to keep your data safe. Most attackers will go after how you are using the cryptography, not the actual cryptography itself.
How to Detect and Secure Insecure Cryptography Storage Issues
The ways to detect and fix cryptographic storage issues fall into two camps. On one side you have flaws such as improper key management or not encrypting the correct data. The way to fix these is to sit down and look at what the scope of your application is, look at internal business processes and review ways to make sure that you are following best practice. On the other hand, issues like implementing your own insecure cryptography or using known insecure algorithms can be fixed by using a whole variety of security scanning tools.