[ISM] Security verification:

The OWASP Application Security Verification Standard is used in the development of web applications.

[OWASP] Secure cryptographic data storage (SSS-02-11-06)

Securely store sensitive data using modern cryptographic techniques to prevent unauthorized access. For example, apply strong encryption algorithms to data at rest, implement secure key management practices, and enforce cryptographic key rotation. Prevent the use of deprecated or insecure cryptographic functions such as MD5 and SHA-1. Continuously audit cryptographic implementations to identify vulnerabilities and ensure compliance with security standards.

[OWASP] Secure data handling and encryption (SSS-02-11-06-01)

V6.1 Data Classification

Classify data based on its sensitivity and business value to determine the appropriate security controls. Define categories such as public, internal, confidential, and highly sensitive data to apply appropriate encryption, access control, and storage policies. Implement data classification labels to ensure proper handling of different data types across the organization. Ensure that sensitive data is subject to higher levels of protection, including encryption and restricted access.

V6.2 Algorithms

Use strong, industry-standard cryptographic algorithms (e.g., AES-256, RSA-2048, SHA-256) for encrypting and hashing sensitive data. Avoid deprecated or weak cryptographic algorithms (e.g., MD5, SHA-1, DES) that are vulnerable to modern attack methods. Regularly review and update cryptographic algorithms and protocols to comply with evolving security standards and best practices.

V6.3 Random Values

Ensure cryptographically secure random number generation (e.g., a CSPRNG, Cryptographically Secure Pseudo-Random Number Generator) for generating keys, IVs, and other sensitive values. Ensure that random values such as session IDs, nonces, and salts are generated using secure sources to prevent predictability or attacks. Avoid using predictable sources, such as timestamps or user data, for generating random values to mitigate risks of attacks (e.g., brute-force or guessing).

V6.4 Secret Management

Implement secure storage and management of secrets (e.g., passwords, API keys, private keys) using key management systems (KMS), hardware security modules (HSMs), or vaults. Encrypt secrets at rest and ensure they are accessed only by authorized applications and users. Use access control mechanisms and audit logs to track and restrict access to sensitive secrets, ensuring they are not exposed. Rotate and revoke secrets regularly, and implement secure key life cycle management to ensure secrets remain protected.
By classifying data, using strong cryptographic algorithms, and employing secure secret management practices, organizations can protect sensitive data and ensure the integrity and confidentiality of critical information.
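The following is an added example, not part of the standard or of any OWASP code, showing how V6.2 and V6.3 combine in one place where applications most often get them wrong: password storage. It derives a salted PBKDF2-HMAC-SHA256 hash with a salt from the operating system CSPRNG, stores the work factor alongside the hash so it can be raised later, and refuses to verify records in any other format (such as legacy unsalted MD5 or SHA-1 digests) instead of silently accepting them. The iteration count and sizes are assumed values chosen for this example; the record format is likewise an assumption of the example, not a format the standard prescribes.

```python
import hashlib
import hmac
import secrets
from typing import Tuple

# Work factor and sizes are assumed values for this example; tune the
# iteration count so one verification costs a few hundred milliseconds
# on the hardware that will run it.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
DERIVED_KEY_BYTES = 32
ACCEPTED_ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Hash a password for storage.

    Returns a self-describing record "pbkdf2_sha256$<iterations>$<salt>$<hash>"
    so the verifier can detect an outdated work factor later. The salt comes
    from the CSPRNG (V6.3), never from timestamps or user data.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=DERIVED_KEY_BYTES
    )
    return f"{ACCEPTED_ALGORITHM}${iterations}${salt.hex()}${derived.hex()}"


def verify_password(password: str, stored: str) -> Tuple[bool, bool]:
    """Check a password against a stored record.

    Returns (is_valid, needs_rehash). Records in any other format, including
    legacy md5/sha1 digests, are rejected as invalid rather than verified
    (V6.2); the application should force a reset for such accounts.
    needs_rehash is True when the record's work factor is below the current
    policy, so the application can re-hash on a successful login.
    """
    try:
        algorithm, iterations_text, salt_hex, stored_hex = stored.split("$")
        iterations = int(iterations_text)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(stored_hex)
    except ValueError:
        return False, False
    if algorithm != ACCEPTED_ALGORITHM or iterations <= 0:
        return False, False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=DERIVED_KEY_BYTES
    )
    # Constant-time comparison: the result must not depend on where the digests differ.
    if not hmac.compare_digest(candidate, expected):
        return False, False
    return True, iterations < PBKDF2_ITERATIONS


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # (True, False)
    print(verify_password("wrong password", record))                # (False, False)
    # A legacy MD5 record (constructed sample) is rejected, not verified.
    print(verify_password("x", "md5$1$00$9dd4e461268c8034f5c8564e155c67a6"))  # (False, False)
```

Because every record carries its own work factor, raising PBKDF2_ITERATIONS does not invalidate existing accounts: old records still verify, and the needs_rehash flag tells the login path to replace them with a stronger record while the plaintext password is available.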

Operations

ID: SSS-02-11-06-01-01
Operation: Use strong encryption for sensitive data at rest
Description: Ensure that sensitive data is encrypted using strong encryption algorithms (e.g., AES-256) when stored at rest, protecting it from unauthorized access in case of data breaches.
Phase: Development
Agent: Security Teams, IT Operations

ID: SSS-02-11-06-01-02
Operation: Implement secure key management
Description: Use a Hardware Security Module (HSM) or secure key vaults to manage encryption keys securely. Ensure that keys are never hardcoded in the application or stored in insecure locations.
Phase: Development
Agent: Security Engineers, DevOps Teams

ID: SSS-02-11-06-01-03
Operation: Ensure secure hashing for password storage
Description: Use secure, modern hashing algorithms (e.g., bcrypt, PBKDF2, Argon2) to store passwords securely, with salting techniques to further protect against dictionary and rainbow table attacks.
Phase: Development
Agent: Security Teams, DevOps Teams

ID: SSS-02-11-06-01-04
Operation: Avoid insecure cryptographic algorithms
Description: Prevent the use of outdated and insecure cryptographic algorithms such as MD5 and SHA-1. Enforce the use of strong and approved algorithms for hashing and encryption.
Phase: Development
Agent: Security Engineers, Compliance Officers

ID: SSS-02-11-06-01-05
Operation: Rotate encryption keys periodically
Description: Implement policies for the periodic rotation of encryption keys and ensure that key management follows best practices. Ensure keys are never hardcoded in the source code and are updated securely.
Phase: Post-deployment
Agent: Security Teams, Compliance Officers
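The following is an added example, not part of the standard, illustrating the key life cycle behind SSS-02-11-06-01-02 and SSS-02-11-06-01-05: versioned keys generated from the CSPRNG, rotation that keeps a short grace window so existing records can be migrated, re-protection of records under the new key, and revocation that takes effect immediately. It uses HMAC-SHA256 integrity protection of records so that it runs with the Python standard library alone; the same key-id, grace-window and revocation logic applies unchanged to AES-256 encryption keys. Holding key material in process memory is an assumption of the example; the standard expects an HSM or key vault, and a key ring in production would load keys from one of those rather than generate them itself. Key ids, sizes and the token format are likewise assumptions of the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Set


class KeyRing:
    """Versioned HMAC-SHA256 keys with rotation, a grace window and revocation.

    Assumed design for this example: key material is generated from the CSPRNG
    and held in memory. A production key ring would fetch keys from a KMS, HSM
    or vault (SSS-02-11-06-01-02) and would never embed them in source code.
    """

    def __init__(self, grace_versions: int = 1) -> None:
        self._keys: Dict[str, bytes] = {}   # key id -> 256-bit key material
        self._history: List[str] = []       # key ids in rotation order, oldest first
        self._revoked: Set[str] = set()
        self._grace_versions = grace_versions
        self.rotate()

    @property
    def current_kid(self) -> str:
        return self._history[-1]

    def rotate(self) -> str:
        """Generate a fresh key and make it the one used for new records."""
        kid = secrets.token_hex(4)
        self._keys[kid] = secrets.token_bytes(32)
        self._history.append(kid)
        return kid

    def revoke(self, kid: str) -> None:
        """Immediately stop accepting records protected with this key."""
        self._revoked.add(kid)

    def _accepts(self, kid: str) -> bool:
        # Verification accepts the current key plus `grace_versions` older keys,
        # so records can be migrated after a rotation; revoked keys never pass.
        if kid in self._revoked or kid not in self._keys:
            return False
        return kid in self._history[-(self._grace_versions + 1):]

    def _tag(self, kid: str, data: bytes) -> str:
        # The key id is bound into the MAC so a tag cannot be replayed under another key.
        return hmac.new(self._keys[kid], kid.encode() + b"." + data, hashlib.sha256).hexdigest()

    def protect(self, data: bytes) -> str:
        """Return "kid.data_hex.tag" for the record under the current key."""
        kid = self.current_kid
        return f"{kid}.{data.hex()}.{self._tag(kid, data)}"

    def verify(self, token: str) -> Optional[bytes]:
        """Return the record bytes if the token is intact and its key is still accepted."""
        try:
            kid, data_hex, tag = token.split(".")
            data = bytes.fromhex(data_hex)
        except ValueError:
            return None
        if not self._accepts(kid):
            return None
        if not hmac.compare_digest(self._tag(kid, data).encode(), tag.encode("utf-8")):
            return None
        return data

    def reprotect(self, token: str) -> Optional[str]:
        """Migrate a record from an older accepted key to the current key."""
        data = self.verify(token)
        return None if data is None else self.protect(data)


if __name__ == "__main__":
    ring = KeyRing(grace_versions=1)
    old_kid = ring.current_kid
    token = ring.protect(b"account-record")   # constructed sample record
    ring.rotate()                              # old key enters the grace window
    migrated = ring.reprotect(token)           # now under the current key
    ring.rotate()                              # old key falls out of the window
    print(ring.verify(token))                  # None: two rotations back
    print(ring.verify(migrated))               # b'account-record'
```

The grace window is what makes periodic rotation operationally safe: a rotation never breaks records that have not yet been migrated, while the window bounds how long an old key stays usable. Revocation bypasses the window entirely, which is the path to take when a key is suspected of exposure rather than merely due for replacement.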

References

Industry framework:
Information Security Manual (ISM-0971)
OWASP Application Security Verification Standard

Academic work: none listed

Real-world case: none listed