The danger of Insecure Cryptographic Storage.
Insecure Cryptographic Storage is a common collection of vulnerabilities related to storing sensitive data without the appropriate cryptographic protection.
Ideally, in a secure software development lifecycle, all sensitive data should be encrypted at rest (and passwords hashed with a slow, salted hash rather than encrypted). This would include making sure the right data is encrypted, that keys are properly stored and managed, that algorithms known to be bad are not used as part of the process, and that developers are not implementing their own cryptographically insecure technology.
When these guidelines are not followed and Insecure Cryptographic Storage flaws exist, an attacker who gains unauthorized access to the stored data (for example through malicious software or a compromised database) can read it directly: trade secrets, credit card numbers and other personally identifiable information (PII) are exposed.
To address Insecure Cryptographic Storage issues, developers should:
- Identify all sensitive information and encrypt it wherever it is stored, including on a hard drive, not only while it is in transit.
- Overwrite sensitive memory locations (plaintext, keys, passwords) with zeros or random data as soon as the data is no longer needed in memory, rather than leaving it resident until garbage collection or process exit.
- Make sure that stored sensitive data cannot be overwritten or tampered with by unauthorized parties; authenticated encryption makes such modification detectable.
- Identify which users and components should and should not have access to sensitive data, and to the keys that protect it.
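The guidelines above in code: an added example, not code from the page or from Veracode, using only the Python standard library. The first half shows what the flaw looks like (unsalted MD5 for passwords, a key committed to source, a home-grown XOR "cipher"); the second half shows the hardened equivalents: salted, iterated PBKDF2-HMAC-SHA256 with constant-time verification, a key injected at runtime, and in-place wiping of a secret once it is no longer needed. The environment variable name APP_DATA_KEY and the sample password are constructed for the demo.

```python
"""Insecure vs. hardened handling of stored credentials and keys.

Added example, not code from the page or from Veracode. Standard library
only; APP_DATA_KEY and the sample values are constructed for the demo.
"""
import hashlib
import hmac
import os
import secrets

# ---- Insecure: what the flaw looks like in code ---------------------------

HARDCODED_KEY = b"s3cr3t"  # key committed to source control: anyone with the repo has it


def store_password_insecure(password: str) -> str:
    # Unsalted MD5: equal passwords give equal hashes, and MD5 is fast enough
    # that GPU brute force or precomputed tables recover most real passwords.
    return hashlib.md5(password.encode()).hexdigest()


def encrypt_insecure(plaintext: bytes) -> bytes:
    # Home-grown "encryption": repeating-key XOR. One known plaintext block
    # reveals the whole key, and nothing detects tampering.
    return bytes(b ^ HARDCODED_KEY[i % len(HARDCODED_KEY)]
                 for i, b in enumerate(plaintext))


def recover_xor_key(known_plaintext: bytes, ciphertext: bytes) -> bytes:
    # Why encrypt_insecure fails: XOR of a known plaintext with its ciphertext
    # is the key.
    return bytes(p ^ c for p, c in zip(known_plaintext, ciphertext))


# ---- Hardened -------------------------------------------------------------

PBKDF2_ITERATIONS = 600_000  # deliberately slow; the OWASP cheat-sheet figure for PBKDF2-HMAC-SHA256


def store_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256, stored together with its parameters."""
    salt = secrets.token_bytes(16)  # unique per password, so equal passwords differ at rest
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed or legacy record: never accept it silently
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison: a plain == stops at the first differing byte.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def load_data_key(env_var: str = "APP_DATA_KEY", environ=None) -> bytearray:
    """Fetch a 256-bit key injected at runtime (from a secrets manager or KMS),
    never from source. Returned as a bytearray so that it can be wiped."""
    environ = os.environ if environ is None else environ
    raw = environ.get(env_var)
    if raw is None:
        raise RuntimeError(f"{env_var} not set; refusing to run with a default key")
    key = bytearray(bytes.fromhex(raw))
    if len(key) != 32:
        raise ValueError("expected a 32-byte (256-bit) hex-encoded key")
    return key


def wipe(buf: bytearray) -> None:
    """Overwrite a secret in place once it is no longer needed. Python's
    immutable bytes and str cannot be wiped, so keep secrets in bytearray."""
    for i in range(len(buf)):
        buf[i] = 0


if __name__ == "__main__":
    print("insecure:", store_password_insecure("hunter2"))
    record = store_password("hunter2")
    print("hardened:", record, verify_password("hunter2", record))
    print("XOR key recovered:", recover_xor_key(b"attack", encrypt_insecure(b"attack at dawn")))
```

The standard library has no authenticated cipher, so the block covers hashing, key handling and wiping; for encrypting data at rest, use an AEAD such as AES-GCM from a vetted library with a per-record random nonce, and keep the key out of the code base as `load_data_key` does.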
Preventing Insecure Cryptographic Storage with Veracode.
There are essentially two classes of Insecure Cryptographic Storage issue, and they call for different remedies. When the wrong data is being encrypted or keys are being improperly managed, IT teams must reevaluate the scope of their applications, assess internal business processes and find ways to ensure that best practices are being followed.
When Insecure Cryptographic Storage issues arise from using insecure algorithms or deploying an organization's own insecure cryptography, application security testing technology can find, and help remediate, a wide range of issues. That's where Veracode can help.
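What a testing tool looks for in the second class of issue, as an added example (not Veracode's engine, whose rules are far broader than this): a minimal pattern scanner that flags weak hashes, weak ciphers, ECB mode, keys hardcoded in source and home-grown XOR over constructed sample source lines. The sample source, rule names and regexes are all assumptions made for the demo.

```python
"""Minimal scanner for insecure-cryptographic-storage patterns in source.

Added example, not Veracode's analyzer. Rules and the sample source are
constructed for the demo; a real static analyzer works on parsed code or
binaries rather than regexes over lines.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Finding:
    line: int   # 1-based line number in the scanned source
    rule: str   # which rule fired
    text: str   # the offending line, stripped


# (rule name, pattern, why it matters)
RULES = [
    ("weak-hash", re.compile(r"\b(md5|sha1)\b", re.I),
     "MD5/SHA-1 are fast and broken; use PBKDF2/bcrypt/scrypt/Argon2 for passwords"),
    ("weak-cipher", re.compile(r"\b(DES|RC2|RC4|Blowfish)\b"),
     "legacy cipher; use AES-GCM or ChaCha20-Poly1305"),
    ("ecb-mode", re.compile(r"MODE_ECB|/ECB/"),
     "ECB leaks plaintext structure; use an authenticated mode"),
    ("hardcoded-key", re.compile(r"""(key|secret|passw(or)?d)\s*=\s*["'][^"']+["']""", re.I),
     "key or password literal in source; load it from a secrets manager"),
    ("homegrown-xor", re.compile(r"\^\s*key\["),
     "XOR with a key is not encryption; use a vetted library"),
]


def scan(source: str) -> list[Finding]:
    """Return one Finding per (line, rule) hit, ignoring comments."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        code = line.split("#", 1)[0]  # do not flag mentions inside comments
        for rule, pattern, _why in RULES:
            if pattern.search(code):
                findings.append(Finding(lineno, rule, line.strip()))
    return findings


def explain(rule: str) -> str:
    return next(why for name, _p, why in RULES if name == rule)


# Constructed sample source: lines 3-8 each carry one flaw, 1, 2 and 9 are clean.
SAMPLE = """\
# legacy md5 path; see ticket for replacement
import hashlib
from Crypto.Cipher import AES, DES
SECRET_KEY = "hunter2"
def hash_pw(p): return hashlib.md5(p).hexdigest()
cipher = AES.new(SECRET_KEY, AES.MODE_ECB)
legacy = DES.new(SECRET_KEY, DES.MODE_CBC, iv)
out = bytes(c ^ key[i % len(key)] for i, c in enumerate(data))
good = hashlib.pbkdf2_hmac("sha256", p, salt, 600000)
"""


if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.line}: [{f.rule}] {f.text}\n    {explain(f.rule)}")
```

The comment on line 1 of the sample is deliberately not reported, and the PBKDF2 call on line 9 passes, which is the distinction a tool has to make to stay useful: it must flag the weak primitive, not the word.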
Veracode is a leading provider of cloud-based application security testing services that enable organizations to protect their most important software. Built on a unified cloud platform, our suite of testing technologies can be used throughout the SDLC, from inception through production, to quickly, easily and cost-efficiently find and fix flaws like SQL injection, broken authentication and session management, cross-site scripting and more. Our testing services take security beyond software firewalls, adding powerful application-layer security to network security tools.
Software testing services for Insecure Cryptographic Storage.
Veracode application security testing services for remediating Insecure Cryptographic Storage include:
- Veracode Static Analysis IDE Scan, a service that runs in a developer’s IDE to provide immediate feedback on potential flaws as code is being built.
- Veracode Static Analysis, a service that scans binaries to identify weaknesses and vulnerabilities in code that is built, bought and assembled.
- Veracode Software Composition Analysis, for inventorying and managing vulnerabilities in open source and commercial code.
- Veracode Web Application Scanning, a service that discovers, scans and monitors websites and applications.
- Veracode Vendor Application Security Testing, a service that can find flaws like Insecure Cryptographic Storage in third-party software without requiring access to source code.
Learn more about Insecure Cryptographic Storage and Veracode, or visit our AppSec knowledgebase to get answers to questions like “What is spoofing?”