Cryptography is the study of secure communication and is used to protect information from unauthorised access. It secures a message by means of encryption and decryption.
Encryption is one of the main techniques used in cryptography. It converts plain text into cipher text, turning readable data into unreadable data.
However, blind and incorrect implementation of these cryptographic tools can allow hackers to steal the very information you are trying to protect.
The category OWASP earlier labelled “Sensitive Data Exposure” has been renamed “Cryptographic Failures” and moved up to 2nd position in the OWASP Top Ten: https://owasp.org/www-project-top-ten/
The key thing is to protect data both in transit and at rest.
A few things to consider for sensitive data:
- Identify which data is sensitive
- Do you really need it? If not, discard or anonymise it
- Use encryption for data at rest
- Use up-to-date, standard algorithms; the recommended ones change over time
- Use encryption for data in transit
- Disable caching for sensitive data
- Ensure security controls are in place
- Don’t use legacy protocols such as FTP and SMTP
- Ensure correct configuration
A few examples of wrong implementation:
- Using FTP or HTTP for sensitive data
- Keys not generated by a cryptographically secure random number generator
- Passwords stored in the database without a salt, or hashed with a simple function such as MD5, which is a deprecated cryptographic function
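The last two examples above, as an added illustration that is not part of the original post: the weak pattern (unsalted MD5) beside a hardened form (a per-user random salt with PBKDF2-HMAC-SHA256 and a constant-time comparison), plus key generation from the operating system's CSPRNG. It uses only the Python standard library; the iteration count and the two "users" are assumptions constructed for this example.

```python
"""Added example (not part of the original post): weak vs hardened password
storage, and key generation with a CSPRNG. Standard library only."""
import hashlib
import hmac
import secrets
from typing import Optional

# --- Weak: the pattern the post warns against --------------------------------
def weak_hash(password: str) -> str:
    # Unsalted MD5: identical passwords give identical digests, so one cracked
    # digest or a precomputed table reveals every user with that password.
    return hashlib.md5(password.encode()).hexdigest()


# --- Hardened: per-user salt + slow, standard KDF ----------------------------
ITERATIONS = 600_000  # assumption: example value; tune to your hardware and guidance


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'."""
    if salt is None:
        salt = secrets.token_bytes(16)  # cryptographically secure random salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    algo, iterations, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


# --- Keys: from a CSPRNG, never from random.random() --------------------------
def generate_key(n_bytes: int = 32) -> bytes:
    """A 256-bit key from the OS CSPRNG, suitable for AES-256 or HMAC."""
    return secrets.token_bytes(n_bytes)


def demo() -> dict:
    # Constructed sample: two users who happened to pick the same password.
    alice_weak = weak_hash("Summer2023!")
    bob_weak = weak_hash("Summer2023!")
    alice_strong = hash_password("Summer2023!")
    bob_strong = hash_password("Summer2023!")
    return {
        "weak_hashes_collide": alice_weak == bob_weak,       # True: same MD5 for both
        "salted_hashes_differ": alice_strong != bob_strong,  # True: per-user salt
        "verify_ok": verify_password("Summer2023!", alice_strong),
        "verify_wrong": verify_password("Winter2023!", alice_strong),
        "key_len": len(generate_key()),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The stored string carries the algorithm name and iteration count, so the parameters can be raised later and old records re-hashed on the user's next successful login without a schema change.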
Hence it is best to include an information security person during all stages of project development, and to review your cryptography implementation regularly to confirm it still meets the latest security guidelines.
To read more about this, please refer to the complete guide by OWASP.