[MASWE-0014] Add Cryptographic Keys Not Properly Protected at Rest #2781

Merged
merged 18 commits into from
Sep 10, 2024

cpholguera
Collaborator

Closes #2578

Add detailed sections to MASWE-0014.md for "Cryptographic Keys Not Properly Protected at Rest"

  • Overview: Describe the weakness of storing cryptographic keys improperly at rest.
  • Impact: Explain potential consequences, such as unauthorized access to sensitive data.
  • Modes of Introduction: List common ways this weakness can be introduced.
  • Mitigations: Provide recommendations for securely storing cryptographic keys.
  • Remove the draft field from the metadata.
  • Add status: new in the yaml metadata.
  • Ensure references in the refs field are used inline in the markdown content.

@cpholguera
Collaborator Author

cpholguera commented Jul 11, 2024

TODO: Make sure the differences between

  • MASWE-0005: Sensitive Data Hardcoded in the App Package
  • MASWE-0013: Hardcoded Cryptographic Keys in Use
  • MASWE-0014: Cryptographic Keys Not Properly Protected at Rest
  • MASWE-0036: Authentication Material Stored Unencrypted on the Device

are very clear, or refactor them. Also have a potential weakness for the app not using the maximum protections, which should have profiles: [R]

For example:

  • it may be worth splitting MASWE-0005 into:

The impact and mitigation for hardcoded API keys are very different from those for crypto keys.

@cpholguera cpholguera marked this pull request as draft July 11, 2024 07:15
@cpholguera cpholguera marked this pull request as ready for review September 10, 2024 16:49
@cpholguera cpholguera merged commit b69b228 into master Sep 10, 2024
16 checks passed
@cpholguera cpholguera deleted the MASWE-0014 branch September 10, 2024 18:00