How To Avoid Catastrophic Cryptographic Failures In Your Apps

How To Avoid Cryptographic Failures

Danger, Cryptography Ahead!

The latest OWASP Top 10 ranks “Cryptographic Failures” as the 2nd worst security problem currently facing software engineers today.

As the very recent (and very serious) vulnerability in the Oracle Java SE (CVE-2022-21449) shows – this problem never goes away! It’s hard for software practitioners to stay up-to-date because new critical cryptographic weaknesses and configuration disasters are discovered and disseminated every year, and seemingly tiny benign mistakes can be game over.

In this webinar AppSec experts Jim Manico (OWASP Top Ten contributor), Farshad Abasi (OWASP Chapter Lead), and Julius Musseau will discuss why this is the case and offer the best practices and resources for developers trying to avoid such failures in their own systems:

  • Should you use Argon2 or bcrypt?
  • When should you salt things?
  • What parameters should you feed into your TLS endpoints?
  • Anything to be careful about with JWT?

Full Disk Encryption

YES,ALWALYS DO THIS!
Full disk encryption is considered a fundamental security measure. It ensures that all data on a disk is encrypted, protecting it in case of unauthorized access or theft. Cloud providers like AWS, Azure, and GCP often implement full disk encryption by default. In on-premises environments, it is recommended to encrypt databases and sensitive files stored on physical servers.

SSL/TLS

  • Don’t roll your own config!
  • Best Case: Just use AWS/Azure/GCP Load balancer
  • 2nd Best Case: Let’s Let’s Encrypt - Take their vanilla settings. Or: Access the cheat sheet series

TLS Consideration

Transport Layer Security (TLS) is vital for securing communication between clients and servers. Setting up TLS correctly is essential to ensure the confidentiality and integrity of data in transit. The video suggests using the Mozilla TLS Configuration Generator to generate an initial config file, which can be further fine-tuned. Tools like SSL Labs can be used to test the TLS configuration and identify any potential weaknesses or vulnerabilities.

Storing Passwords:

In addition to encryption and TLS considerations, securely storing passwords is of utmost importance. Hashing algorithms, such as bcrypt or Argon2, should be used to hash passwords before storage. Salting the passwords adds an extra layer of security by introducing random data during the hashing process. It is essential to avoid storing passwords in plaintext or using weak hashing algorithms like MD5 or SHA-1.

Conclusion

Cryptographic failures pose a significant risk to software systems, demanding the attention of developers and security professionals alike. By leveraging the expertise shared in our webinar, you can stay informed about the latest challenges, best practices, and resources to fortify your systems against potential cyber threats. Arm yourself with the knowledge and guidance needed to navigate the complexities of cryptography and safeguard your software from devastating vulnerabilities.

In addition to following the best practices mentioned in this blog post, it’s essential to ensure the security of your application’s dependencies. To simplify the process of identifying and managing vulnerable components in your software stack is essential to use a powerful Software Composition Analysis tool, like MergeBase

Mergebase’s SCA tool provides in-depth analysis of your application’s dependencies, flags any known vulnerabilities, and suggests remediation steps. By incorporating Mergebase SCA into your development workflow, you can proactively address security risks and maintain the integrity of your software.

Julius Musseau

About the Author

Julius Musseau

Co-founder & Adivsor. Senior architect and developer with strong academic background and roots in the open source community. Contributor to a number of important open source projects.