The challenge of cryptographically insecure storage.
When storage is cryptographically insecure, sensitive data like personal information, credit card numbers, healthcare records and trade secrets may be exposed to malicious individuals and exploited through malware software.
Insecure Cryptographic Storage is a set of vulnerabilities that are common to the software development lifecycle. Making data cryptographically secure involves several steps:
- Ensuring that the correct data and sensitive information is encrypted.
- Ensuring that proper key storage and key management protocols are followed.
- Avoiding algorithms that are known to be cryptographically insecure.
- Making sure that developers are not implementing their own cryptography, which may or may not be secure.
Developers tend to think that data storage will not be accessed or reviewed by arbitrary users, but many people accessing applications may also have access to databases, temporary files in the registry. When storage is cryptographically insecure, these users may be able to access sensitive data using temporary, hidden and registry files. And attackers may gain access using other vulnerabilities like Direct Object Access.
Remediating cryptographically insecure storage with Veracode.
There are two strategies for improving data security by addressing cryptographically insecure storage.
When storage is cryptographically insecure because of improper key management or because the right data is not encrypted, IT teams must review the scope of applications as well as internal business processes and ensure that best practices are being implemented.
When storage is cryptographically insecure because developers are using insecure algorithms or their own insecure cryptography, application security testing solutions can help to uncover and remediate vulnerabilities. That’s where Veracode can help.
Veracode provides SaaS-based services that enable organizations to improve application security throughout the software development lifecycle. With a collection of on-demand application testing services available through a single cloud platform, we help developers and IT teams to significantly improve application security while reducing costs, minimizing complexity and avoiding unacceptable delays in software development timelines.
Veracode’s technology for cryptographically insecure storage.
Our application security testing solutions help to identify cryptographicallyinsecure storage in desktop, web and mobile applications, as well as microservices and containerization development. Our services include:
- Veracode Greenlight, a service that provides immediate feedback on potential flaws as developers write code.
- Veracode Static Analysis, a white box testing service that scans compiled binaries.
- Veracode Software Composition Analysis, a service that identifies vulnerabilities in open source and commercial code.
- Veracode Web Application Scanning, a service for remediating flaws in web applications and websites already in production.
- Veracode Vendor Application Security Testing, a service that can identify cryptographically insecure storage in third-party software without needing access to source code.