Lindsay Holmwood
Lindsay Holmwood
October 13, 2021

Cryptographic Failures is now #2 on the OWASP Top 10

The OWASP Top 10 has recently been updated, and it has recognised Cryptographic Failures as the #2 vulnerability category. Here's how CipherStash can help.

CipherStash - Cryptographic Failures is now #2 on the OWASP Top 10

The OWASP Top 10 is a ranked list of the security vulnerabilities that are seen by practitioners in the wild. It also provides guidance on how to detect and prevent those vulnerabilities. It is the go-to resource for developers and technologists who are securing the web.

When OWASP speaks, developers listen.

OWASP update their Top 10 roughly every four years, and the 2021 edition dropped earlier this month.

The 2021 edition of the OWASP Top 10 includes some significant changes

Injection has dropped from #1 — a position it has held since 2010 — to #3.

Broken Access Control makes the top of the list.

Cryptographic Failures is now #2.

Changes in position for OWASP Top 10, from 2017 to 2021

This might be surprising, given the 2017 edition of the Top 10 did not mention cryptography at all. Truth be told, Cryptographic Failures is a generalisation of the 2017 edition’s #3: Sensitive Data Exposure.

OWASP describe Cryptographic Failures as a “description of a symptom, not a cause” that leads to exposure of sensitive data.

“Cryptographic Failures” includes not using encryption at all

One simple mental model for managing data is that it can exist in two states:

  1. In Flight

  2. At Rest

There are different controls you can use to encrypt data in either of these states.

For data in flight, you should ensure you are using Transport Layer Security (TLS) when sending and receiving data from your users and the systems you operate. You should also check that you are using TLS between all the components of your system, not just the public-facing side of your application.

For data at rest, you should encrypt the storage on which the data is resting. This is typically your disk volumes and backups.

But data is not "in flight" or "at rest" very often, which means we need to expand our mental model.

The third state of your data: In Use

When your data is in use, it needs to be accessible, which includes being searchable. Traditionally, encrypting your data means you can’t search it — no asking for all users whose birthday is in October, for example.

This is a huge reduction in utility, so most organisations opt not to encrypt their data while it is in use. Given the always-online nature of most databases, this means that the most sensitive information about your customers — Personally Identifying Information, healthcare records, and credit card numbers — is effectively in the clear nearly all the time.

This makes it a tempting target for attackers.

OWASP say we need to prepare for common cryptographic attacks

OWASP outlines a variety of attacks to defend against that roughly fall into these three categories.

1. Operational

  • Bad key management, leading to unauthorised access that appears legitimate.

  • Protocol downgrades, both in the ciphers used (like 3DES), and the transport itself (falling back to HTTP).

  • Information leaks via side channels, bulk analysis, and error messages, that can lead to inferences about the data being transported.

2. Incorrect use of cryptography

  • Initialisation Vectors (IVs) are ignored or reused, which leaks information about the first block of plaintext, and any common prefixes.

  • Insufficient randomness, which can make the ciphertext predictable.

3. Bad cryptography

  • Weak cryptography algorithms, like MD5 or SHA1, are easily broken by attackers, revealing the plaintext.

OWASP suggest both strategic and tactical defenses

The 2021 Top 10 outline a smorgasbord of things you can do to prevent sensitive data exposure, but the highlights are:

  • Classify data processed, stored, or transmitted by an application, to understand what data you need to defend, and identify appropriate controls.

  • Make sure to encrypt all data classified as "sensitive".

  • Wherever possible, use encryption that provides forward secrecy, to ensure data encrypted in the past can’t be decrypted if session keys are exposed.

  • Independently verify the effectiveness of encryption configuration and settings.

CipherStash is built to avoid Cryptographic Failures

CipherStash is built from the ground up to address the problems identified by Cryptographic Failures in the 2021 edition of the OWASP Top 10.

CipherStash encrypts data in flight, at rest, and in use — we never see your data in the clear, but you can still query it.

CipherStash’s encryption means your searches are encrypted, your searches are performed against encrypted data, and we return encrypted search results.

We also design our software and systems to be misuse resistant. We try very hard to be secure by default, to make sure that it is easy to do the right thing, and as hard as possible - or even impossible - to do the wrong thing.

About the Author

Lindsay Holmwood
Lindsay Holmwood
Chief Product Officer

Lindsay is a product and engineering leader. He has deep experience in the devops space, specialising in dev tools experience, operating safely at speed, and changing organisational culture. He also won third place at the 1996 Sydney Royal Easter Show LEGO building competition.

Latest Posts

View all articles
Linting your GitHub Actions
Tech

Linting your GitHub Actions

Your infrastructure-as-code is still code, and all that YAML needs to be checked for correctness. So does ours, and we did something about it.

Matt Palmer
Matt Palmer
November 25, 2021
3 security improvements databases can learn from APIs
Product

3 security improvements databases can learn from APIs

It turns out there’s heaps we can learn from API security improvements and apply to databases. Here are the top 3!

Lindsay Holmwood
Lindsay Holmwood
November 18, 2021
Cryptographic Failures is now #2 on the OWASP Top 10
Product

Cryptographic Failures is now #2 on the OWASP Top 10

The OWASP Top 10 has recently been updated, and it has recognised Cryptographic Failures as the #2 vulnerability category. Here's how CipherStash can help.

Lindsay Holmwood
Lindsay Holmwood
October 13, 2021