
Call to Crypto API

Description

List of all calls to cryptographic methods.

Recommendation

Do not use insecure or weak cryptographic algorithms. For example, the Data Encryption Standard (DES) encryption algorithm is considered highly insecure.

Do not use Object.equals() to compare cryptographic keys.

Cryptographic keys should never be serialized.
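
The three recommendations above, combined in one added Java example (not part of the original page or of any tool's own code): AES-GCM in place of DES, a byte-wise key comparison in place of Object.equals(), and a transient key field so that serialization never writes key material. The names CryptoApiExample, Session, encrypt and sameKey are hypothetical.

```java
import java.io.Serializable;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class CryptoApiExample {
    // Hypothetical holder: the key is transient, so Java serialization of the
    // session never writes key material to the stream.
    static class Session implements Serializable {
        final String user;
        transient SecretKey key;
        Session(String user, SecretKey key) { this.user = user; this.key = key; }
    }

    // Weak: Cipher.getInstance("DES/ECB/PKCS5Padding") with a 56-bit key.
    // Preferred: AES in GCM mode with a fresh random 12-byte IV per message.
    static byte[] encrypt(SecretKey key, byte[] plaintext) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length); // iv || ciphertext+tag
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    // Compare keys by algorithm and encoded bytes instead of Object.equals(),
    // which is reference identity for any key class that does not override it.
    static boolean sameKey(SecretKey a, SecretKey b) {
        byte[] ea = a.getEncoded(), eb = b.getEncoded();
        if (ea == null || eb == null) return false; // non-exportable key (e.g. hardware-backed)
        return a.getAlgorithm().equals(b.getAlgorithm()) && MessageDigest.isEqual(ea, eb);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey k1 = kg.generateKey();
        SecretKey k2 = kg.generateKey();
        Session s = new Session("alice", k1); // constructed sample value
        byte[] msg = encrypt(s.key, "constructed sample message".getBytes("UTF-8"));
        System.out.println("ciphertext bytes: " + msg.length
                + ", k1 vs k1: " + sameKey(k1, k1) + ", k1 vs k2: " + sameKey(k1, k2));
    }
}
```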

Standards

  • OWASP_MASVS_L1:
    • MSTG_CRYPTO_1
    • MSTG_CRYPTO_2
    • MSTG_CRYPTO_3
    • MSTG_CRYPTO_4
    • MSTG_CRYPTO_5
    • MSTG_CRYPTO_6
  • OWASP_MASVS_L2:
    • MSTG_CRYPTO_1
    • MSTG_CRYPTO_2
    • MSTG_CRYPTO_3
    • MSTG_CRYPTO_4
    • MSTG_CRYPTO_5
    • MSTG_CRYPTO_6