[ISM] Proactive Controls (OWASP Top 10):

The OWASP Top 10 Proactive Controls are a list of security techniques that should be applied during the development of web applications.

[OWASP] Protect sensitive data with encryption (SSS-02-12-02)

Protect sensitive data such as passwords, financial records, personal information, and business secrets with strong, standard cryptography rather than ad hoc schemes. In practice this means:

- Encrypt data both at rest and in transit with industry-standard algorithms, so that a copied database, backup, or captured network stream does not expose the data.
- Enforce TLS on all communications to prevent eavesdropping and tampering, including on public networks.
- Store passwords only as salted hashes produced by a dedicated, deliberately slow password-hashing function (bcrypt, Argon2, or PBKDF2), so that a leaked hash cannot be cheaply reversed to the credential.
- Meet applicable regulations such as GDPR and PCI DSS, which impose legal obligations for data protection.
- Continuously monitor encryption implementations, audit cryptographic policies, and replace outdated algorithms and protocols as they become obsolete, to maintain data confidentiality.

[OWASP] Protect data at rest and in transit (SSS-02-12-02-01)

1. Protect Data at Rest

1.1 Store Passwords Safely
Hash passwords with a dedicated password-hashing algorithm such as bcrypt, Argon2, or PBKDF2, using a unique random salt per password and a work factor tuned to current hardware. Never store passwords in plaintext, and do not substitute a fast general-purpose hash for a password-hashing function.

1.2 Special Case: Application Secrets Management
Keep application secrets (API keys, database credentials, signing keys) in a dedicated secrets store such as Vault or AWS KMS rather than in source code or configuration files. Ensure secrets are encrypted at rest and that only authorized services can read them.

1.3 Key Life Cycle
Manage keys through their whole life cycle: secure generation, storage, rotation, and destruction. Follow established guidance such as the NIST key management recommendations. Record which key protected each piece of encrypted data so that rotation does not leave older data unreadable.

2. Protect Data in Transit

2.1 Use Current Cryptographic Protocols
Require TLS 1.2 or later for all communications. Disable deprecated protocols: SSL and TLS 1.0/1.1.

2.2 Instruct Clients to Enforce Transport Level Encryption
Require clients to connect over Transport Layer Security (TLS) and make it the default. Send HTTP Strict Transport Security (HSTS) so that supporting browsers refuse plaintext connections to the site. Note that HSTS takes effect only after the browser has seen the header on a successful HTTPS response, so it does not protect a user's very first visit unless the domain is preloaded.

2.3 Support Cryptographic Agility
Design so that algorithms, key sizes, and protocol versions can be replaced without re-architecting: record the algorithm and its parameters alongside each stored hash or ciphertext, and keep cryptographic choices in one configurable place. Reassess and upgrade them regularly as standards evolve.

By securing data at rest with strong hashing and encryption, and protecting data in transit with current cryptographic protocols, organizations maintain confidentiality across their data environments.
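Items 1.1 and 2.3 above (and operations SSS-02-12-02-01-02 and -06 in the Operations table) meet in how a password record is stored. The following is an added example, not code from OWASP or the ISM. It uses only the Python standard library: PBKDF2-HMAC-SHA256 from hashlib, a per-password random salt from secrets, and a constant-time comparison from hmac. Each hash is stored in a self-describing record so the work factor can be raised later and old records upgraded at the next successful login. The record layout and the iteration policy are assumptions made for the example.

```python
"""Password storage with self-describing records (items 1.1 and 2.3).

Added example for this page, not OWASP or ISM code. Standard library only:
PBKDF2-HMAC-SHA256 from hashlib, per-password salt from secrets, and a
constant-time comparison from hmac. The record layout
"$pbkdf2-sha256$i=<iterations>$<salt>$<hash>" and the iteration policy are
assumptions for the example (modelled on the PHC string format).
"""
import base64
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2-sha256"
# Assumed current policy. Raise it as hardware gets faster; records created
# under the old value are detected by needs_rehash() and upgraded at login.
CURRENT_ITERATIONS = 600_000
SALT_BYTES = 16
HASH_BYTES = 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text + "=" * (-len(text) % 4))


def hash_password(password: str, iterations: int = CURRENT_ITERATIONS) -> str:
    """Derive a salted hash and return it with the parameters needed to verify it."""
    salt = secrets.token_bytes(SALT_BYTES)          # unique per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=HASH_BYTES)
    return f"${ALGORITHM}$i={iterations}${_b64(salt)}${_b64(digest)}"


def _parse(record: str) -> tuple[int, bytes, bytes]:
    """Split a record into (iterations, salt, hash); reject unknown formats."""
    _, alg, params, salt_b64, hash_b64 = record.split("$")
    if alg != ALGORITHM or not params.startswith("i="):
        raise ValueError("unsupported password record format")
    return int(params[2:]), _unb64(salt_b64), _unb64(hash_b64)


def verify_password(password: str, record: str) -> bool:
    """Recompute with the record's own salt and iterations; compare in constant time."""
    iterations, salt, expected = _parse(record)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str) -> bool:
    """True when the stored record is weaker than the current policy."""
    iterations, _, _ = _parse(record)
    return iterations < CURRENT_ITERATIONS


def login(password: str, record: str) -> tuple[bool, str]:
    """Verify the password; on success return the record to store, upgraded to
    current policy if needed. The plaintext is available only at login, so this
    is the one moment an old record can be re-hashed."""
    if not verify_password(password, record):
        return False, record
    if needs_rehash(record):
        return True, hash_password(password)
    return True, record


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored))   # True
    legacy = hash_password("s3cret", iterations=10_000)              # old policy
    ok, upgraded = login("s3cret", legacy)
    print(ok, needs_rehash(legacy), needs_rehash(upgraded))          # True True False
```

The agility comes from the record carrying its own algorithm name and parameters: verification always uses what the record says, so CURRENT_ITERATIONS can be raised (or ALGORITHM changed, with a second branch in _parse and verify_password) without invalidating existing users, and login() quietly replaces weak records as users authenticate.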

Operations

ID | Operation | Description | Phase | Agent
---|---|---|---|---
SSS-02-12-02-01-01 | Protect data at rest | Ensure that sensitive data is encrypted while stored (e.g., in databases or file systems), protecting it from unauthorized access in case of a data breach. | Development | Security Teams, Database Administrators
SSS-02-12-02-01-02 | Store passwords safely | Use strong cryptographic hashing algorithms such as bcrypt, Argon2, or PBKDF2 with salting to securely store user passwords. Never store passwords in plaintext. | Development | Security Engineers, Software Developers
SSS-02-12-02-01-03 | Manage application secrets securely | Use secure storage solutions, like Vault or AWS KMS, to manage sensitive application secrets. Ensure secrets are encrypted at rest and that access is restricted to authorized services only. | Development | DevOps Teams, Security Teams
SSS-02-12-02-01-04 | Implement key lifecycle management | Enforce secure key management practices, including key generation, storage, rotation, and destruction, in accordance with best practices like NIST guidelines. | Development | Security Engineers, IT Operations
SSS-02-12-02-01-05 | Protect data in transit | Ensure data is transmitted securely using modern cryptographic protocols (e.g., TLS 1.2 or higher), and instruct clients to enforce transport-level encryption (e.g., via HTTP Strict Transport Security, HSTS). | Deployment | Security Teams, Network Engineers
SSS-02-12-02-01-06 | Support cryptographic agility | Implement the capability to adapt to future cryptographic protocols or algorithms by regularly assessing and upgrading encryption methods to stay current with evolving security standards. | Post-deployment | Security Teams
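Items 2.1 and 2.2 of the control (operation SSS-02-12-02-01-05 above) in working form. This is an added example, not code from OWASP or the ISM, using only the Python standard library: a client-side TLS context that refuses anything below TLS 1.2 and verifies the server certificate, and a check that a server's Strict-Transport-Security header actually commits browsers to TLS. The sample response headers are constructed for the example, and the HSTS policy thresholds (one year, includeSubDomains) are an assumed policy.

```python
"""Data in transit: client TLS policy and an HSTS header check (items 2.1, 2.2).

Added example for this page, not OWASP or ISM code. Standard library only.
The sample response headers are constructed for the example, and the HSTS
policy thresholds (one year, includeSubDomains) are an assumed policy.
"""
import socket
import ssl
from dataclasses import dataclass, field

MIN_HSTS_MAX_AGE = 31_536_000   # assumed policy: one year in seconds


def make_client_context() -> ssl.SSLContext:
    """TLS context that refuses SSL/TLS 1.0/1.1 and verifies server certificates."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # item 2.1: TLS 1.2 or later only
    return ctx


def negotiated_tls_version(host: str, port: int = 443) -> str:
    """Connect with the policy context and report the version actually negotiated
    (needs network access; not exercised by the offline samples below)."""
    with socket.create_connection((host, port), timeout=5) as sock:
        with make_client_context().wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()


@dataclass
class HstsCheck:
    present: bool
    max_age: int = 0
    include_subdomains: bool = False
    preload: bool = False
    findings: list[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return self.present and not self.findings


def parse_hsts(value: str) -> HstsCheck:
    """Parse a Strict-Transport-Security value (RFC 6797 directive syntax)
    and evaluate it against the assumed policy."""
    result = HstsCheck(present=True)
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if arg.isdigit():
                result.max_age = int(arg)
            else:
                result.findings.append(f"max-age is not a number: {arg!r}")
        elif name == "includesubdomains":
            result.include_subdomains = True
        elif name == "preload":
            result.preload = True
        # RFC 6797: unrecognised directives are ignored
    if result.max_age < MIN_HSTS_MAX_AGE:
        result.findings.append(
            f"max-age {result.max_age} is below the policy minimum {MIN_HSTS_MAX_AGE}")
    if not result.include_subdomains:
        result.findings.append("includeSubDomains is missing")
    return result


def check_response_headers(headers: dict) -> HstsCheck:
    """Find the HSTS header (header names are case-insensitive) and evaluate it."""
    for name, value in headers.items():
        if name.lower() == "strict-transport-security":
            return parse_hsts(value)
    return HstsCheck(present=False,
                     findings=["Strict-Transport-Security header missing"])


# Constructed sample response headers (not captured from any real host).
WEAK_HEADERS = {"Content-Type": "text/html",
                "Strict-Transport-Security": "max-age=300"}
STRONG_HEADERS = {"content-type": "text/html",
                  "strict-transport-security": "max-age=63072000; includeSubDomains; preload"}
NO_HSTS_HEADERS = {"Content-Type": "text/html"}


if __name__ == "__main__":
    ctx = make_client_context()
    print("minimum TLS version:", ctx.minimum_version.name)     # TLSv1_2
    for label, hdrs in (("weak", WEAK_HEADERS), ("strong", STRONG_HEADERS),
                        ("none", NO_HSTS_HEADERS)):
        check = check_response_headers(hdrs)
        print(label, "ok" if check.ok else "FAIL", check.findings)
```

The two halves address the two sides of item 2.2: the context is what a client should be configured with (hostname verification and a TLS 1.2 floor, so a downgrade to TLS 1.0 fails the handshake rather than succeeding silently), and the header check is what to run against your own deployment to confirm the server is telling browsers to keep using TLS for long enough to matter; max-age=300 or a missing includeSubDomains leaves plaintext subdomains and next-week visits exposed.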

References

Industry framework | Academic work | Real-world case
---|---|---
Information Security Manual (ISM-1849) | |
OWASP Proactive Controls | |