CWE•Class•Draft•10 recent CVEs
CWE-311Missing Encryption of Sensitive Data
Description
The product does not encrypt sensitive or critical information before storage or transmission.
Common consequences
- Confidentiality→Read Application DataIf the application does not use a secure channel, such as SSL, to exchange sensitive information, it is possible for an attacker with access to the network traffic to sniff packets from the connection and uncover the data. This attack is no
- Confidentiality,Integrity→Modify Application DataOmitting the use of encryption in any program which transfers data over a network of any kind should be considered on par with delivering the data sent to each user on the local networks of both the sender and receiver. Worse, this omission
Potential mitigations
- RequirementsClearly specify which data or resources are valuable enough that they should be protected by encryption. Require that any transmission or storage of this data/resource should use well-vetted encryption algorithms.
- Architecture and Design[object Object]
- Architecture and Design[object Object]
- Architecture and Design[object Object]
- Implementation,Architecture and DesignWhen using industry-approved techniques, use them correctly. Don't cut corners by skipping resource-intensive steps (CWE-325). These steps are often essential for preventing common attacks.
- ImplementationUse naming conventions and strong types to make it easier to spot when sensitive data is being used. When creating structures, objects, or other complex entities, separate the sensitive and non-sensitive data as much as possible.